Planning and Configuring HP-UX DCE 1.9
Chapter 7
HP-UX Integrated Login
Activating HP-UX Integrated Login
The script /usr/sbin/auth.adm is provided to activate HP-UX Integrated Login and configure a system
authentication policy. Until activated, all Integrated Login utilities retain standard HP-UX behavior.
auth.adm activates Integrated Login by creating an appropriate /etc/pam.conf file.
When using HP-UX Integrated Login with the default DCE registry, users who configure DCE as the primary
login technology should not configure UNIX as a fallback technology. See "Configuring ux as a Fallback
Technology for DCE" later in this chapter for more information.
To activate HP-UX Integrated Login and configure an authentication policy, follow these steps:
1. Log in as root.
2. Issue the auth.adm command, as follows:
/usr/sbin/auth.adm -i[nstall] -l tech_name [-b tech_name] \
[-a tech_name[:tech_name]...] \
[-p tech_name:param=value[:param=value]...]...
where
-l tech_name specifies the authentication technology to be used for system login. This specification is
required.
ux—To specify the UNIX mechanism (/etc/passwd)
dce—To specify the DCE Security Service
-b tech_name specifies the authentication technology to be used for fallback login. This technology is used
when the preferred login technology is unavailable or fails. This specification is optional. If no fallback
technology is explicitly configured, there will be no fallback login in case of unavailability or failure of the
login technology.
-a tech_name[:tech_name] specifies the authentication technologies from which to obtain additional
credentials after system login. This specification is optional.
-p tech_name:param=value[:param=value] specifies the values of parameters applicable to an
authentication technology being configured. Parameters of different technologies can be specified by
repeating the -p[arameter] option. The list of configurable parameters is as follows:
TIMEOUT — Time-out (in seconds) on communications with the authentication technology. Default values are:
ux—120 seconds
dce—120 seconds
WARNPWDEXP — Password expiration warning period (in days). If the user's password is due to expire
within the specified number of days, the user receives a warning message during login. This parameter
applies to the DCE technology only. If this parameter is not specified, no warning is given.
FORCEPWDCHANGE — Password force-change period (in days). If the user's password is due to expire within
the specified number of days, the user is forced to change the password before login is allowed. This
parameter applies to the DCE technology only. If this parameter is not specified, a password change is not
forced.
FORWARDABLETGT — Enables the DCE TGT to be forwardable. Forwarding a user's DCE TGT from
machine A to machine B lets that user reuse the Kerberos credentials from machine A on machine B.
A parameter value is required, but its content is ignored. This parameter applies to the DCE technology
only.
Default values are used when no parameter values are specified.
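A pre-flight check that applies the rules in the option descriptions above to a proposed auth.adm command line before it is run. This is an added example, not part of the HP manual or of auth.adm itself; the function names and message texts are hypothetical, and only the short -i form of -i[nstall] is recognized.

```shell
# Added example: lint a proposed auth.adm command line against the stated rules.
# Function names and messages are hypothetical; only the short -i form is parsed.

is_tech() { [ "$1" = ux ] || [ "$1" = dce ]; }

# Check one -p argument: tech_name:param=value[:param=value]...
check_params() {
    tech=${1%%:*}; rest=${1#*:}; bad=0
    is_tech "$tech" || { echo "ERROR: unknown technology '$tech' in -p"; return 1; }
    [ "$rest" != "$1" ] || { echo "ERROR: -p $tech has no param=value"; return 1; }
    old_ifs=$IFS; IFS=:
    for kv in $rest; do
        name=${kv%%=*}
        case $kv in *=?*) ;; *) echo "ERROR: $name needs a value"; bad=1; continue ;; esac
        case $name in
            TIMEOUT) ;;
            WARNPWDEXP|FORCEPWDCHANGE|FORWARDABLETGT)
                [ "$tech" = dce ] || { echo "ERROR: $name applies to dce only"; bad=1; } ;;
            *) echo "ERROR: unknown parameter '$name'"; bad=1 ;;
        esac
    done
    IFS=$old_ifs
    return $bad
}

# Takes the same arguments as auth.adm; returns 0 when no rule is broken.
check_auth_adm() {
    login=''; fallback=''; install=0; rc=0; OPTIND=1
    while getopts ":il:b:a:p:" opt; do
        case $opt in
            i) install=1 ;;
            l) login=$OPTARG ;;
            b) fallback=$OPTARG ;;
            a) for t in $(echo "$OPTARG" | tr : ' '); do
                   is_tech "$t" || { echo "ERROR: unknown technology '$t' in -a"; rc=1; }
               done ;;
            p) check_params "$OPTARG" || rc=1 ;;
            *) echo "ERROR: bad or incomplete option -$OPTARG"; rc=1 ;;
        esac
    done
    [ "$install" = 1 ] || { echo "ERROR: -i is required to activate"; rc=1; }
    is_tech "$login" || { echo "ERROR: -l must name ux or dce"; rc=1; }
    [ -z "$fallback" ] || is_tech "$fallback" || { echo "ERROR: -b must name ux or dce"; rc=1; }
    [ -n "$fallback" ] || echo "NOTE: no fallback if the login technology is unavailable or fails"
    [ "$login" = dce ] && [ "$fallback" = ux ] &&
        echo "WARN: dce login with ux fallback is discouraged with the default DCE registry"
    return $rc
}
```

Call check_auth_adm with the arguments intended for /usr/sbin/auth.adm; a nonzero return means the command line breaks one of the stated rules, while WARN and NOTE lines flag configurations the text cautions about.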
The following example commands activate HP-UX Integrated Login and set the configuration as
described: