LDAP-UX Client Services B.05.00 with Microsoft Windows Active Directory Server Administrator's Guide (obsolete beyond B.05.00)
Details about pam.conf configuration and sample files are included in “Sample PAM configuration
(pam.conf) files for Windows ADS” (page 149).
6.4.3.2 Authentication with Secure Shell (SSH) and r-commands
For LDAP-UX B.04.00 or earlier versions, a user defined in a directory server who tries to log on
to a UNIX system using SSH key pairs or an rhosts-enabled r-command will always be able to log
in even if this user's account has been locked or the password has expired. These applications and
commands do not need to call the PAM (Pluggable Authentication Module) authentication functions,
but perform their own authentication instead. When this occurs, the LDAP bind or Kerberos
authentication operation is never performed. Thus, the directory server or KDC is never given the
opportunity to enforce its security policy.
LDAP-UX Client Services B.04.10 and later provides PAM_AUTHZ features to support enforcement
of account and password policies, stored in a directory server, for applications and commands (such
as SSH or the r-commands) where authentication is not performed via the PAM subsystem, but is
performed by the command itself.
6.4.4 Policy file
The system administrator can define a local access policy that can be stored in an access policy
file. The default access policy file is /etc/opt/ldapux/pam_authz.policy, but it can be
stored in an alternate location by setting the policy option in pam.conf. The PAM_AUTHZ
service module uses this local policy file to process the access rules and to control the login
authorization. Any service that loads the libpam_authz.1 library will also load this file. The
access policy file location is set per service in pam.conf, so access rules can be customized for
each service. For example:
login auth required libpam_authz.so.1 policy=/etc/opt/ldapux/login.policy
ftp auth required libpam_authz.so.1 policy=/etc/opt/ldapux/ftp.policy
For a sample pam.conf file that sets the policy option, see Section C.3 (page 154).
LDAP-UX Client Services provides a sample configuration file,
/etc/opt/ldapux/pam_authz.policy.template. This sample file shows you how to
configure the policy file to work with PAM_AUTHZ. You can copy this sample file and edit it using
the correct syntax to specify the access rules you wish to authorize or exclude from authorization.
For detailed information on how to construct an access rule in the policy file, see Constructing an
access rule in the access policy file (page 102).
NOTE: By default, the allow:unix_local_user access rule in the
/etc/opt/ldapux/pam_authz.policy.template file is enabled.
6.4.5 Policy validator
PAM_AUTHZ works as a policy validator. Once it receives a PAM request, it starts to process the
access rules defined in the access policy file. It validates and determines the user's login
authorization based on the user's login name and the information it retrieves from various name
services. The result is then returned to the PAM framework.
PAM_AUTHZ processes access rules in the order they are defined in the access policy file. It stops
processing the access rules when any one of the access rules is evaluated to be true (match). That
rule is called the "authoritative" rule. If any access rule is evaluated to be false (no match), the rule
is skipped. If any access rule is evaluated to be true (match) but has the action required assigned
to it, then access rule processing continues with the next rule. An access rule that has the action
required assigned to it that evaluates to false (no match) will cause processing to end and the
user is restricted from login. If all access rules in the policy file have been evaluated but the user's
access right cannot be determined, the user is restricted from login.
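A small simulator of the rule-processing order described above, added here as an example; it is not LDAP-UX code. The "action:condition" line form is taken from the allow:unix_local_user rule shown earlier, but the deny action, the condition names, and the user records are constructed assumptions for illustration.

```python
# Simulates the PAM_AUTHZ evaluation order from section 6.4.5.
# Constructed example; the "deny" action and the condition names are assumed.
from typing import Callable, Dict, List, Tuple

Rule = Tuple[str, str]   # (action, condition name)
User = Dict[str, object] # constructed view of what the name services report

# Stand-ins for the lookups PAM_AUTHZ performs against name services.
CONDITIONS: Dict[str, Callable[[User], bool]] = {
    "account_active":  lambda u: not u.get("locked", False),
    "unix_local_user": lambda u: u["source"] == "passwd",
    "ldap_user":       lambda u: u["source"] == "ldap",
    "in_group_admins": lambda u: "admins" in u["groups"],
}

def parse_policy(text: str) -> List[Rule]:
    """Parse 'action:condition' lines; '#' comments and blank lines are ignored."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, cond = line.split(":", 1)
        if action not in ("allow", "deny", "required") or cond not in CONDITIONS:
            raise ValueError(f"bad rule: {line!r}")
        rules.append((action, cond))
    return rules

def authorize(rules: List[Rule], user: User) -> Tuple[bool, str]:
    """Walk the rules in order; return (login permitted, reason)."""
    for action, cond in rules:
        matched = CONDITIONS[cond](user)
        if action == "required":
            if not matched:               # required rule fails: stop, deny
                return False, f"required rule '{cond}' did not match"
            continue                      # required rule matched: keep going
        if not matched:
            continue                      # ordinary non-match is skipped
        return action == "allow", f"authoritative rule {action}:{cond}"
    return False, "no authoritative rule matched; access denied by default"

POLICY = """
required:account_active   # locked accounts never get past this line
allow:unix_local_user     # enabled by default in the shipped template
allow:in_group_admins
deny:ldap_user
"""
RULES = parse_policy(POLICY)
```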
6.4 PAM_AUTHZ login authorization 101