LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
D.5 Sample PAM configuration file for security policy enforcement in an HP server environment
This section provides a sample PAM configuration file, /etc/pam.conf, configured to support
account and password policy enforcement. In the /etc/pam.conf file, the PAM_AUTHZ library
must be configured for the sshd and rcomds services under the account management role.
The following is a sample PAM configuration file, /etc/pam.conf, used on an HP-UX 11i v2
(or later) system. It is a variant of the /etc/pam.ldap file, adding the PAM_AUTHZ service
module in the appropriate locations. You may configure the PAM configuration file in a similar
way to enforce a security policy. Configure the file after it is generated by either autosetup or
setup.
NOTE: The PAM_AUTHZ library should be configured in the pam.conf authentication
management and account management sections only. The PAM_AUTHZ module is an authorization
module only (not authentication). It should be listed before the PAM_LDAP or PAM_KERBEROS
libraries and flagged as required.
#
# PAM configuration
#
# This pam.conf file is intended as an example only.
#
#
################################################################
# This configuration file has only been modified for default #
# services. Other services can be added or modified as needed #
# or desired. If a service is not listed, it will use the #
# OTHER classification. #
# #
# the format for a entry is #
# <service> <module_type> <control> <module path> <options> #
# #
# see pam.conf (4) for more details #
# #
################################################################
#
# Authentication management
#
login auth required libpam_hpsec.so.1
login auth sufficient libpam_unix.so.1
login auth required libpam_ldap.so.1 try_first_pass
su auth required libpam_hpsec.so.1
su auth sufficient libpam_unix.so.1
su auth required libpam_ldap.so.1 try_first_pass
dtlogin auth required libpam_hpsec.so.1
dtlogin auth sufficient libpam_unix.so.1
dtlogin auth required libpam_ldap.so.1 try_first_pass
dtaction auth required libpam_hpsec.so.1
dtaction auth sufficient libpam_unix.so.1
dtaction auth required libpam_ldap.so.1 try_first_pass
ftp auth required libpam_hpsec.so.1
ftp auth sufficient libpam_unix.so.1
ftp auth required libpam_ldap.so.1 try_first_pass
rcomds auth required libpam_hpsec.so.1
rcomds auth sufficient libpam_unix.so.1
rcomds auth required libpam_ldap.so.1 try_first_pass
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_unix.so.1
sshd auth required libpam_ldap.so.1 try_first_pass
OTHER auth required libpam_hpsec.so.1
OTHER auth sufficient libpam_unix.so.1
OTHER auth required libpam_ldap.so.1 try_first_pass
# Account management
#
login account required libpam_hpsec.so.1
login account required libpam_authz.so.1 policy=/etc/opt/ldapux/login.policy
login account sufficient libpam_unix.so.1
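
The NOTE above requires PAM_AUTHZ to be listed before PAM_LDAP or PAM_KERBEROS and flagged as required. The following Python check is an added example, not part of the HP guide; it applies those rules to the account entries for sshd and rcomds in a pam.conf. The sample stacks are constructed, and matching PAM_KERBEROS by the file-name fragment pam_krb5 is an assumption.

```python
# Added example, not from the HP guide. Checks the account-management rules
# stated in the NOTE for the services the section names (sshd, rcomds).
# Assumption: "pam_krb5" is the file-name fragment for PAM_KERBEROS.
BACKENDS = ("pam_ldap", "pam_krb5")

# Constructed sample: sshd follows the NOTE, rcomds does not.
SAMPLE = """\
sshd   account required   libpam_hpsec.so.1
sshd   account required   libpam_authz.so.1
sshd   account sufficient libpam_unix.so.1
sshd   account required   libpam_ldap.so.1
rcomds account required   libpam_hpsec.so.1
rcomds account sufficient libpam_unix.so.1
rcomds account required   libpam_ldap.so.1
rcomds account optional   libpam_authz.so.1
"""

def account_stacks(text):
    """Map service -> ordered [(control, module_path)] for account entries."""
    stacks = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # <service> <module_type> <control> <module path> <options>
        if len(fields) >= 4 and fields[1].lower() == "account":
            stacks.setdefault(fields[0], []).append((fields[2].lower(), fields[3]))
    return stacks

def check_authz(text, services=("sshd", "rcomds")):
    """Return findings; an empty list means every stack follows the NOTE."""
    stacks, findings = account_stacks(text), []
    for svc in services:
        stack = stacks.get(svc)
        if not stack:
            findings.append(f"{svc}: no account entries, OTHER applies")
            continue
        pos = next((i for i, (_, m) in enumerate(stack) if "pam_authz" in m), None)
        if pos is None:
            findings.append(f"{svc}: libpam_authz is not configured")
            continue
        if stack[pos][0] != "required":
            findings.append(f"{svc}: libpam_authz is '{stack[pos][0]}', not required")
        for _, module in stack[:pos]:
            if any(b in module for b in BACKENDS):
                findings.append(f"{svc}: {module} is listed before libpam_authz")
    return findings

if __name__ == "__main__":
    for finding in check_authz(SAMPLE):
        print(finding)
```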