LDAP-UX Client Services B.04.10 Administrator's Guide (edition 7)

login account sufficient /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_ldap.1 rcommand
su account sufficient /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_ldap.1
dtlogin account sufficient /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_ldap.1
dtaction account sufficient /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_ldap.1
ftp account sufficient /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_ldap.1
OTHER account sufficient /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_ldap.1 rcommand
On the HP-UX 11i v2 client system, you modify the account management section of the
/etc/pam.conf file to add the "rcommand" option to the pam_ldap entries, as follows:
# Account management
#
login account required libpam_hpsec.so.1
login account sufficient libpam_unix.so.1
login account required libpam_ldap.so.1 rcommand
su account required libpam_hpsec.so.1
su account sufficient libpam_unix.so.1
su account required libpam_ldap.so.1
dtlogin account required libpam_hpsec.so.1
dtlogin account sufficient libpam_unix.so.1
dtlogin account required libpam_ldap.so.1
dtaction account required libpam_hpsec.so.1
dtaction account sufficient libpam_unix.so.1
dtaction account required libpam_ldap.so.1
ftp account required libpam_hpsec.so.1
ftp account sufficient libpam_unix.so.1
ftp account required libpam_ldap.so.1
rcomds account required libpam_hpsec.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required libpam_ldap.so.1 rcommand
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_unix.so.1
sshd account required libpam_ldap.so.1
OTHER account sufficient libpam_unix.so.1
OTHER account required libpam_ldap.so.1
CAUTION: Setting the user password to be returned as any string for the hidden password,
and turning on the "rcommand" option for pam_ldap account management, could allow
users with active accounts on a remote host to rlogin to the local host onto a disabled account.
If you have security concerns, see the “Security Policy Enforcement with Secure Shell (SSH) or
r-commands” (page 110) section in Chapter 5 and Appendix D, “Sample /etc/pam.conf File
for Security Policy Enforcement” (page 193), for detailed information on how to configure
access rules in the /etc/opt/ldapux/pam_authz.policy file, set global policy access
permissions, and configure the pam_authz library and the rcommand option under the
account management section in the /etc/pam.conf file.
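The following is an added audit helper, not part of this guide or of LDAP-UX: it parses the account management lines of a pam.conf in the layout shown above and reports which services carry the "rcommand" option on pam_ldap (the setting the CAUTION concerns) and which services have no pam_ldap account entry at all. The sample file contents are constructed for the example; the function names are the example's own.

```python
from collections import defaultdict

# Constructed sample in the /etc/pam.conf layout shown above (not copied
# from any real host): service, module-type, control flag, module, options.
SAMPLE_PAM_CONF = """\
# Account management
#
login   account required   libpam_hpsec.so.1
login   account sufficient libpam_unix.so.1
login   account required   libpam_ldap.so.1 rcommand
sshd    account required   libpam_hpsec.so.1
sshd    account sufficient libpam_unix.so.1
sshd    account required   libpam_ldap.so.1
rcomds  account required   libpam_hpsec.so.1
rcomds  account sufficient libpam_unix.so.1
rcomds  account required   libpam_ldap.so.1 rcommand
ftp     account sufficient libpam_unix.so.1
OTHER   account sufficient libpam_unix.so.1
OTHER   account required   libpam_ldap.so.1
"""


def parse_account_stacks(text):
    """Return {service: [(control, module, options)]} for 'account' lines,
    in file order; comments and blank lines are ignored."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 4 or fields[1] != "account":
            continue
        service, _, control, module = fields[:4]
        stacks[service].append((control, module, fields[4:]))
    return dict(stacks)


def rcommand_services(stacks):
    """Services whose pam_ldap account entry carries the 'rcommand' option."""
    return sorted(svc for svc, entries in stacks.items()
                  if any("libpam_ldap" in mod and "rcommand" in opts
                         for _, mod, opts in entries))


def services_without_ldap_account(stacks):
    """Services whose account stack never reaches pam_ldap, so an LDAP-only
    user (absent from /etc/passwd) gets no LDAP account check there."""
    return sorted(svc for svc, entries in stacks.items()
                  if not any("libpam_ldap" in mod for _, mod, _ in entries))
```

Run it against the real file with `parse_account_stacks(open("/etc/pam.conf").read())` and review every service listed by `rcommand_services` against the policy in pam_authz.policy.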
70 Installing And Configuring LDAP-UX Client Services