LDAP-UX Client Services B.05.00 Administrator's Guide
5.3.10 Security policy enforcement with secure shell (ssh) or r-commands
PAM_AUTHZ has a limited ability to perform account and password security policy enforcement
without requiring LDAP-based authentication. This section describes how to configure the security
policy enforcement access rule, set up access permissions for the global policy attributes, and
configure the PAM configuration file so that account and password policies stored in an LDAP
directory server are enforced for applications such as ssh with key-pair authentication and the
r-commands with .rhost enabled.
This feature is designed to support applications such as secure shell (ssh) and the r-commands
(rlogin, rcp, etc.) with .rhost enabled. With these applications, authentication is not performed
by the PAM (Pluggable Authentication Module) subsystem but by the command itself. Because PAM
does not perform the authentication, the LDAP directory server is never given the opportunity to
enforce its security policy, which normally occurs during the LDAP authentication process.
To configure and use this feature for ssh key-pair or r-commands, you must perform the following
tasks:
• Set the security policy enforcement access rule in the access policy file. See Section 5.3.10.1
  (page 153) for details.
• Set access permissions for the global policy attributes. See Section 5.3.10.2 (page 154) for details.
• Configure the PAM_AUTHZ library and the rcommand option in the /etc/pam.conf file for the
  sshd and rcomds services under the account management section. See Section 5.3.10.3 (page 155)
  and “Sample /etc/pam.conf file for security policy enforcement” (page 357) for details.
5.3.10.1 Security policy enforcement access rule
Specifying status in the <action> field of a pam_authz.policy access rule triggers the
account and password security policy enforcement rule. When this rule is evaluated,
PAM_AUTHZ calls the <function_name> in the library specified by the <library_name>
field and returns that function's return value, which is one of the PAM return codes
described in Section 5.3.10.5 (page 155) below.
This access rule consists of the following three fields:
<action>:<library_name>:<function_name>
The following describes each field of the above access rule:
action        When the status option is specified, PAM_AUTHZ returns whatever
              <function_name> in <library_name> returns, which is one of the PAM
              return codes.
library_name  This field specifies the name of the library to be loaded that supports
              the account and password policies for a particular directory server.
              The following describes the valid values for this field:
              • rhds: If this option is specified, PAM_AUTHZ loads the
                /opt/ldapux/lib/libpolicy_rhds library to process the security policy
                configuration and examine the user's security policy status attributes
                stored in the HP-UX Directory Server or Red Hat Directory Server.
              • ads: If this option is specified, PAM_AUTHZ loads the
                /opt/ldapux/lib/libpolicy_ads library to process the security policy
                configuration and examine the user's security policy status attributes
                stored in the Windows Server 2003 R2/2008 Active Directory Server.
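As an added illustration of the rule syntax above (example code, not part of the LDAP-UX product), the following Python lints the status rules in a pam_authz.policy file: it accepts only the rhds and ads library values described here, resolves each to the library PAM_AUTHZ loads, and flags malformed lines. The '#' comment convention, the constructed sample file and the placeholder function name are assumptions, not values from the guide.

```python
"""Lint 'status' rules in a pam_authz.policy file (added example, not LDAP-UX code)."""
from dataclasses import dataclass
from typing import List, Optional

# Library values documented on this page, mapped to the library PAM_AUTHZ loads.
POLICY_LIBRARIES = {
    "rhds": "/opt/ldapux/lib/libpolicy_rhds",  # HP-UX / Red Hat Directory Server
    "ads": "/opt/ldapux/lib/libpolicy_ads",    # Windows Server 2003 R2/2008 AD
}


@dataclass
class StatusRule:
    line_no: int
    library_name: str
    function_name: str
    library_path: Optional[str]        # None when library_name is not documented
    error: Optional[str] = None


def parse_status_rules(policy_text: str) -> List[StatusRule]:
    """Return one StatusRule per 'status' line; other actions are left alone."""
    rules = []
    for line_no, raw in enumerate(policy_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment/blank convention
            continue
        fields = line.split(":")
        if fields[0] != "status":              # non-status actions are not checked here
            continue
        if len(fields) != 3:
            rules.append(StatusRule(line_no, "", "", None,
                                    "status rule needs exactly 3 ':'-separated fields"))
            continue
        _, library_name, function_name = fields
        library_path = POLICY_LIBRARIES.get(library_name)
        error = None
        if library_path is None:
            error = f"unknown library_name {library_name!r}; expected rhds or ads"
        elif not function_name:
            error = "function_name must not be empty"
        rules.append(StatusRule(line_no, library_name, function_name, library_path, error))
    return rules


# Constructed sample; the function name is a placeholder, not a value from the guide.
SAMPLE_POLICY = """\
# pam_authz.policy (constructed sample)
status:rhds:POLICY_FUNCTION_PLACEHOLDER
status:ads
status:openldap:POLICY_FUNCTION_PLACEHOLDER
"""
```

Running parse_status_rules(SAMPLE_POLICY) reports line 3 (missing function name field) and line 4 (undocumented library) as errors, and resolves line 2 to /opt/ldapux/lib/libpolicy_rhds.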
5.3 PAM_AUTHZ login authorization 153