LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS

TERMINAL
    Returns the terminal device from which the user attempts to log on. For example,
    /dev/pts/0.
    Some applications (such as ssh or remsh) do not pass the terminal dynamic variable
    value to PAM_AUTHZ, so rules that test TERMINAL should not be relied on for those
    services.
TIMEOFTHEDAY
    Returns the current time of the computer system on which the user attempts to log on.
    For example, 20061015125535Z represents October 15, 2006 at 12:55 and 35 seconds GMT.
    TIMEOFTHEDAY uses the Generalized Time syntax described in RFC 4517 (YYYYMMDDHHMMSS
    followed by Z for UTC, always with a four-digit year).
SERVICE
    Returns the name of the PAM service through which the user attempts access. For
    example, common PAM service names include ftp, login and telnet.
RHOSTIP
    Returns the IP address of the remote host from which the user starts the PAM-enabled
    application, such as telnet.
RHOSTNAME
    Returns the host name of the remote host from which the user starts the PAM-enabled
    application, such as telnet.
RHOSTNAMEWD
    Returns the fully qualified domain name (host name with domain) of the remote host
    from which the user starts the PAM-enabled application, such as telnet.
    RHOSTNAME and RHOSTNAMEWD are typically obtained by a reverse DNS lookup of the
    client's address, so they are only as trustworthy as the reverse zone for that
    address; a rule that must identify the client reliably should test RHOSTIP instead.
7.4.9.2 Example of a dynamic variable access rule
The following shows a sample access rule in the access policy file:
allow:ldap_filter:(WorkstationIP=$[HOSTIP])
This rule grants access only when the WorkstationIP attribute of the user's entry in the
directory server equals the IP address of the host being logged in to, which PAM_AUTHZ
substitutes for $[HOSTIP] before the filter is evaluated. If user Mary has a WorkstationIP
attribute with the value 1.2.3.200 in her user entry in the LDAP directory, then when she
attempts to log in to the host with the IP address 1.2.3.200, the access rule evaluates to
true and she is granted login access; on any other host the filter does not match and this
allow rule does not apply.
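The rule above, as an added example that is not part of the guide or of LDAP-UX: a small Python simulation of how PAM_AUTHZ substitutes dynamic variables into an ldap_filter rule and evaluates the result against a user's entry. The real module sends the expanded filter to the directory server; the in-memory entry for Mary, the variable values, the helper names (dynamic_vars, expand, apply_rule) and the RFC 4515 escaping of substituted values are assumptions made here so the rule can be exercised without a server (the guide does not say how PAM_AUTHZ escapes the values it substitutes).

```python
"""Added example (not LDAP-UX code): simulate a PAM_AUTHZ ldap_filter rule.

PAM_AUTHZ substitutes $[...] dynamic variables into the filter and has the
directory server evaluate it; here the expanded filter is evaluated against a
constructed in-memory entry so the rule can be exercised without a server.
"""
import re
from datetime import datetime, timezone

# Constructed sample entry for user Mary (attribute values are lists, as in LDAP).
MARY = {"uid": ["mary"], "WorkstationIP": ["1.2.3.200"], "objectClass": ["posixAccount"]}


def dynamic_vars(host_ip, service, rhost_ip="", when=None):
    """Values PAM_AUTHZ would derive from the PAM session (constructed here)."""
    when = when or datetime.now(timezone.utc)
    return {
        "HOSTIP": host_ip,
        "SERVICE": service,
        "RHOSTIP": rhost_ip,
        # Generalized Time per RFC 4517 section 3.3.13, e.g. 20061015125535Z
        "TIMEOFTHEDAY": when.strftime("%Y%m%d%H%M%SZ"),
    }


def ldap_escape(value):
    """RFC 4515 escaping (an assumption here; the guide does not say how PAM_AUTHZ
    escapes). Without it a reverse-DNS name like 'x)(uid=*' could rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


VAR_RE = re.compile(r"\$\[([A-Z]+)\]")


def expand(template, variables):
    """Replace every $[NAME] in the filter template with its escaped value."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError("unknown dynamic variable $[%s]" % name)
        return ldap_escape(variables[name])
    return VAR_RE.sub(repl, template)


def _parse(s, i=0):
    """Recursive-descent parser for (&...), (|...), (!...) and (attr=pattern)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d in %r" % (i, s))
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d in %r" % (i, s))
        return (op, kids), i + 1
    j = s.index(")", i)  # a literal ')' always ends the item; escaped ones are \29
    attr, _, pattern = s[i:j].partition("=")
    return ("=", attr.lower(), pattern), j + 1


def _unescape(v):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), v)


def _matches(pattern, actual):
    # An unescaped '*' is a wildcard; every other character is compared literally.
    rx = ".*".join(re.escape(_unescape(part)) for part in pattern.split("*"))
    return re.fullmatch(rx, actual, re.IGNORECASE) is not None


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, pattern = node
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return any(_matches(pattern, v) for v in values)


def apply_rule(rule, entry, variables):
    """Evaluate one 'action:ldap_filter:<filter>' rule from pam_authz.policy.
    Returns the action ('allow' or 'deny') when the filter matches the entry,
    else None (a non-matching rule simply does not apply)."""
    action, rule_type, template = rule.split(":", 2)
    if rule_type != "ldap_filter":
        raise ValueError("only ldap_filter rules are simulated here")
    expanded = expand(template, variables)
    node, end = _parse(expanded)
    if end != len(expanded):
        raise ValueError("trailing data in filter %r" % expanded)
    return action if evaluate(node, entry) else None


if __name__ == "__main__":
    RULE = "allow:ldap_filter:(WorkstationIP=$[HOSTIP])"
    for host in ("1.2.3.200", "1.2.3.201"):
        print(host, apply_rule(RULE, MARY, dynamic_vars(host, "sshd")))
```

Running the block prints allow for 1.2.3.200 and None for 1.2.3.201. The escaping step is the security-relevant part: a rule built on RHOSTNAME takes its value from reverse DNS, and without escaping a crafted PTR record such as x)(uid=* would change the meaning of the filter sent to the directory.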
7.4.10 Security policy enforcement with secure shell (ssh) or r-commands
PAM_AUTHZ has a limited ability to enforce account and password security policies stored
in an LDAP directory server even when authentication is not performed through LDAP. This
section describes how to configure the security policy enforcement access rule, set up
access permissions for the global policy attributes, and configure the PAM configuration
file so that these policies are enforced for applications such as ssh with key-pair
(public key) authentication and the r-commands with rhost authentication enabled.
This feature is designed for applications such as secure shell (ssh) and the r-commands
(such as rlogin and rcp) with rhost enabled. With these applications, authentication is
performed by the command itself rather than by the PAM subsystem (ssh verifies the key
pair, the r-commands consult the rhosts files), so the directory server is never asked to
authenticate the user and gets no opportunity to enforce its security policy as it
normally does during the LDAP authentication process. The account management step, which
PAM still performs for these services, is therefore where the policy check is hooked in.
To configure and use this feature for ssh key-pair authentication or the r-commands, perform
the following tasks:
1. Set the security policy enforcement access rule in the access policy file. For
   information about setting this access rule, see Section 7.4.10.1 (page 210).
2. Set access permissions for the global policy attributes. For information about setting
   these access permissions, see Section 7.4.10.2 (page 212).
3. Configure the PAM_AUTHZ library with the rcommand option in the /etc/pam.conf file for
   the sshd and rcomds services under the account management section. For more
   information, see Section 7.4.10.3 (page 213) and Section D.5 (page 430).
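The three tasks above, as an added configuration sketch that is not taken from the guide: the account management lines that the last task calls for. The HP-UX pam.conf field layout (service, module type, control flag, module path, options) and the module file name libpam_authz.so.1 are assumed from the usual HP-UX layout, and required is one reasonable control flag; Section 7.4.10.3 and Section D.5 give the authoritative option spelling and module path and take precedence over this sketch. As the guide states, the rcommand option is what enables the enforcement for services that authenticate outside PAM.

```text
# /etc/pam.conf, account management section (assumed layout; see Section 7.4.10.3 and D.5)
# service   type      control    module               options
sshd        account   required   libpam_authz.so.1    rcommand
rcomds      account   required   libpam_authz.so.1    rcommand
```

Because the check sits in the account stage, it runs after sshd has already accepted the key pair or rlogin has accepted the rhosts entry; it can refuse the session on the basis of the directory's account and password policy, but it cannot substitute for authentication.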
7.4.10.1 Security policy enforcement access rule
Specifying status in the <action> field of a pam_authz.policy access rule triggers use of
the account and password security policy enforcement rule. When this rule is evaluated,