HP-UX PAM RADIUS A.01.00 Release Notes
HP-UX 11i v2, HP-UX 11i v3
HP Part Number: 5992-3382
Published: March 2008
Edition: 1.
© Copyright 2008 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
HP-UX PAM RADIUS A.01.00 Release Notes

This document provides the most recent product information on HP-UX PAM RADIUS A.01.00 software that is supported on a system running an HP-UX 11i v2 (B.11.23) or HP-UX 11i v3 (B.11.31) operating system. This document addresses the following topics:
• “HP-UX PAM RADIUS Software Overview.”
• “HP-UX PAM RADIUS A.01.00 Features and Benefits.”
• “PAM Modules Supported by HP-UX PAM RADIUS A.01.
Authentication Module

The HP-UX PAM RADIUS authentication module provides the following functions:
• The pam_sm_authenticate() function, which verifies the identity of a user against the RADIUS server
• The pam_sm_setcred() function, which sets user credentials

The following options to the HP-UX PAM RADIUS authentication module can be set in the /etc/pam.conf file.

debug
    This option enables syslog(3C) to log debugging information at LOG_DEBUG level.
If an Access-Challenge message is returned, HP-UX PAM RADIUS displays the Access-Challenge message, prompts the user for a response, and returns success or failure as appropriate. The password sent to the next authentication module is not the response to the challenge. If a password from a previous authentication module exists, it is passed to the next authentication module. Otherwise, no password is sent to the next module.
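The challenge handling described above starts from a RADIUS Access-Challenge packet, whose layout is defined in RFC 2865. The following added example (not code from HP-UX PAM RADIUS, and going to the protocol level beneath what these notes describe) parses such a packet with bounds checks to recover the Reply-Message text to display and the State value that the follow-up Access-Request must echo. The struct, the function name parse_challenge and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_ACCESS_CHALLENGE 11 /* RFC 2865 packet code */
#define ATTR_REPLY_MESSAGE      18 /* text to display to the user */
#define ATTR_STATE              24 /* opaque value echoed in the next Access-Request */
struct challenge {
    char    prompt[254];  /* first Reply-Message, always NUL-terminated */
    uint8_t state[253];   /* State attribute value */
    size_t  state_len;
};

/* Hypothetical helper: 0 for a well-formed Access-Challenge, -1 otherwise. */
int parse_challenge(const uint8_t *pkt, size_t n, struct challenge *out)
{
    memset(out, 0, sizeof *out);
    size_t len = n >= 20 ? ((size_t)pkt[2] << 8) | pkt[3] : 0; /* header Length */
    if (len < 20 || len > n || pkt[0] != RADIUS_ACCESS_CHALLENGE)
        return -1;                      /* short, truncated or wrong packet type */
    for (size_t off = 20; off < len; ) {
        if (len - off < 2 || pkt[off + 1] < 2 || pkt[off + 1] > len - off)
            return -1;                  /* attribute header or value overruns */
        uint8_t type = pkt[off], alen = pkt[off + 1];
        size_t vlen = (size_t)alen - 2; /* at most 253, fits both buffers */
        if (type == ATTR_REPLY_MESSAGE && out->prompt[0] == '\0') {
            memcpy(out->prompt, pkt + off + 2, vlen);
        } else if (type == ATTR_STATE) {
            memcpy(out->state, pkt + off + 2, vlen);
            out->state_len = vlen;
        }
        off += alen;
    }
    return 0;
}

/* Constructed sample: id 1, zeroed authenticator, Reply-Message + State. */
static const uint8_t sample_challenge[] = {
    11, 1, 0, 38,  0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0,
    18, 12, 'E','n','t','e','r',' ','O','T','P',':',
    24, 6, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    struct challenge c;
    if (parse_challenge(sample_challenge, sizeof sample_challenge, &c) == 0)
        printf("%s (state: %zu bytes)\n", c.prompt, c.state_len);
    return 0;
}
```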
by the previous module. Following are the valid values for :

Password
    The previous module had set password as the authentication token. This is the default value if this option is not set or if an invalid value is set.
Otp
    The previous module had set OTP as the authentication token.
PasswordOtp
    The previous module had set password appended with OTP as the authentication token.
Password
    Perform only password validation. This is the default value if this option is not set or if an invalid value is set.
Otp
    Perform only OTP validation. When this option is set, the module prompts the user for OTP information (if required). Once the module receives the OTP, it sends it as a password to the RADIUS server for validation. Set this option when using RADIUS servers that support OTP-based authentication (such as the HP-UX AAA Server A.07.
PasswordOtp
set_authtok=
If the authentication token that must be set as PAM_AUTHTOK in the PAM handle is not available, then the module ignores this option.

Account Management Module

The HP-UX PAM RADIUS account management module provides functions to manage user accounts.

NOTE: Account management (tasks such as verifying a user's password and account by checking password and account expiration, and validating log-in time) is not defined under the RADIUS protocol standard. Therefore, this module returns PAM_SUCCESS.
HP-UX PAM RADIUS Resources

For more information about the HP-UX PAM RADIUS A.01.00 software, see the following documents:
• The pam_radius(5) manpage that is bundled with the HP-UX PAM RADIUS software
• The FreeRADIUS website at: http://www.freeradius.org/
• The PAM RFC - 86.0 available at the following web address: http://www.opengroup.org/tech/rfc/rfc86.0.html

NOTE: Documentation for the HP-UX AAA Server A.07.01 is available at: http://www.docs.hp.com/en/internet.
Patch Requirements

You need not install any patches before installing the HP-UX PAM RADIUS A.01.00 software.

Installation Procedure

To install the HP-UX PAM RADIUS A.01.00 software, complete the following steps:
1. Log in as superuser.
2. Download the HP-UX PAM RADIUS depot file from the following web address: http://software.hp.com.
3. Move the depot to the /tmp directory.
4. Verify that the depot is downloaded correctly by entering the swlist command.