LDAP-UX Client Services B.04.15 Administrator's Guide
5.3.10 Security Policy Enforcement with Secure Shell (SSH) or r-commands
PAM_AUTHZ has a limited ability to perform account and password security policy enforcement
without requiring LDAP-based authentication. This section describes how to configure the
security policy enforcement access rule, set up access permissions for the global policy
attributes, and configure the PAM configuration file so that account and password policies
stored in an LDAP directory server are enforced for applications such as SSH with key-pair
authentication and the r-commands with .rhosts enabled.
This feature is designed to support applications such as SSH (Secure Shell) and the r-commands
(rlogin, rcp, etc.) with .rhosts enabled. With these applications, authentication is not performed
through the PAM (Pluggable Authentication Module) subsystem but by the command itself.
Because PAM does not perform the authentication, the LDAP directory server is never given the
opportunity to enforce its security policy, which normally happens during the LDAP
authentication process.
To configure and use this feature for SSH key-pair authentication or the r-commands, you must
perform the following tasks:
• Set the security policy enforcement access rule in the /etc/opt/ldapux/pam_authz.policy
file. See the “Security Policy Enforcement Access Rule” (page 105) section for details.
• Set access permissions for the global policy attributes. See the “Setting Access Permissions for
Global Policy Attributes” (page 106) section for details.
• Configure the pam_authz library and the rcommand option in the /etc/pam.conf file for
the sshd and rcomds services under the account management section. See the “Configuring
PAM Configuration File” (page 107) section and Appendix D, “Sample /etc/pam.conf File
for Security Policy Enforcement” (page 249) for details.
5.3.10.1 Security Policy Enforcement Access Rule
Specifying status in the <action> field of a pam_authz.policy access rule triggers use of the
account and password security policy enforcement rule. When this rule is evaluated,
PAM_AUTHZ calls the <function_name> in the library specified by the <library_name>
field and returns that function's result, which is one of the PAM return codes described in the
“PAM Return Codes” (page 107) section below.
This access rule consists of the following three fields:
<action>:<library_name>:<function_name>
Fields in the Access Rule:
The following describes each field of the above access rule:
action          When the status option is specified, PAM_AUTHZ returns whatever
                <function_name> in <library_name> returns, which is one of the PAM
                return codes.
library_name    This field specifies the name of the library to be loaded that supports the
                account and password policies for a particular directory server.
                The following describes the valid values for this field:
                • rhds: If this option is specified, PAM_AUTHZ loads the
                  /opt/ldapux/lib/libpolicy_rhds library to process the security
                  policy configuration and examine the user's security policy status
                  attributes stored in the Netscape/Red Hat Directory Server.
                • ads: If this option is specified, PAM_AUTHZ loads the
                  /opt/ldapux/lib/libpolicy_ads library to process the security
                  policy configuration and examine the user's security policy status
                  attributes stored in the Windows 2003 Active Directory Server.
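The following Python script is an added example, not code from the LDAP-UX product or this guide. It checks the two configuration pieces this section describes: it parses the status access rules in a pam_authz.policy text against the <action>:<library_name>:<function_name> layout and the rhds/ads library names given above, and it verifies that the sshd and rcomds account-management stanzas of a pam.conf text carry the pam_authz module with the rcommand option. The sample policy and pam.conf contents are constructed; the function name EXAMPLE_FUNCTION_NAME, the '#' comment convention in pam_authz.policy, and the module file names in the pam.conf sample are assumptions of the example (see Appendix D for the real sample file).

```python
"""Sanity checks for pam_authz.policy status rules and /etc/pam.conf stanzas.

Added example for the LDAP-UX guide section on security policy enforcement;
it is not part of the product. Every sample value below is constructed.
"""

# Library names documented for the status rule, mapped to the library
# PAM_AUTHZ loads for each one (paths as given in the guide).
POLICY_LIBRARIES = {
    "rhds": "/opt/ldapux/lib/libpolicy_rhds",
    "ads": "/opt/ldapux/lib/libpolicy_ads",
}

# Constructed pam_authz.policy text. Line 2 is well formed; line 3 lacks the
# function name; line 4 names a library the guide does not support.
# The function name and the '#' comment convention are assumptions.
SAMPLE_POLICY = """\
# constructed sample -- not a real policy file
status:rhds:EXAMPLE_FUNCTION_NAME
status:ads
status:otherdir:EXAMPLE_FUNCTION_NAME
"""

# Constructed /etc/pam.conf fragment (service, type, control, module, options).
# Module file names are assumptions of this example; rcomds deliberately
# lacks the rcommand option so the check has something to report.
SAMPLE_PAM_CONF = """\
sshd    account required   /usr/lib/security/libpam_unix.so.1
sshd    account required   /usr/lib/security/libpam_authz.so.1 rcommand
rcomds  account required   /usr/lib/security/libpam_unix.so.1
rcomds  account required   /usr/lib/security/libpam_authz.so.1
"""


def parse_status_rules(text):
    """Return (rules, problems) for the status rules in a pam_authz.policy text.

    rules    -- list of dicts with action, library_name, function_name and the
                resolved library_path for each valid status rule
    problems -- list of (line_number, message) for malformed status rules
    Rules whose action is not 'status' use other field layouts and are skipped.
    """
    rules, problems = [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] != "status":
            continue
        if len(fields) != 3 or not all(fields):
            problems.append((number, "status rule needs exactly three non-empty fields"))
            continue
        action, library_name, function_name = fields
        if library_name not in POLICY_LIBRARIES:
            problems.append((number, "unsupported library_name %r" % library_name))
            continue
        rules.append({
            "action": action,
            "library_name": library_name,
            "function_name": function_name,
            "library_path": POLICY_LIBRARIES[library_name],
        })
    return rules, problems


def services_missing_rcommand(text, services=("sshd", "rcomds")):
    """Return the services that have no account-management pam_authz entry
    carrying the rcommand option in the given pam.conf text."""
    satisfied = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 4:
            continue                          # blank line or incomplete entry
        service, module_type, _control, module = parts[:4]
        options = parts[4:]
        if module_type == "account" and "pam_authz" in module and "rcommand" in options:
            satisfied.add(service)
    return [s for s in services if s not in satisfied]


if __name__ == "__main__":
    rules, problems = parse_status_rules(SAMPLE_POLICY)
    for rule in rules:
        print("status rule loads", rule["library_path"], "->", rule["function_name"])
    for number, message in problems:
        print("pam_authz.policy line %d: %s" % (number, message))
    for service in services_missing_rcommand(SAMPLE_PAM_CONF):
        print("pam.conf: %s account section lacks pam_authz with rcommand" % service)
```

Run the script as-is to see the two malformed policy lines and the rcomds stanza reported; point it at real file contents to check a host's configuration before enabling enforcement.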
5.3 PAM_AUTHZ Login Authorization 105