pam_authz.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

pam_authz(5) pam_authz(5)

NAME

pam_authz - PAM module that provides user authorization

SYNOPSIS

/usr/lib/security/$ISA/libpam_authz.so.1

DESCRIPTION

The pam_authz service module for PAM,

/usr/lib/security/$ISA/libpam_authz.so.1

, pro-

vides functionality which allows the administrator to control who can login to the system based on

net-

group information found in the /etc/passwd ﬁle or the access rules that are deﬁned in an

access

policy file.

By default,

pam_authz has been created to provide access control similar to the

netgroup ﬁltering

feature that is performed by NIS.

pam_authz is intended to be used when NIS is not used, such as

when the pam_ldap or pam_kerberos authentication modules are used. Because

pam_authz

does

not provide authentication, it does not verify if a user account exists.

pam_authz also broadens its ability to deﬁne host and service access management policy.

pam_authz

supports a local access policy file, which allows you to deﬁne access rules based on a variety of

information. allow or deny access rules can be deﬁned base on LDAP X.500 style groups, regular

POSIX groups, netgroups, ldap ﬁlters and individual users. To activate this feature, create an access

policy ﬁle.

pam_authz provides an interface for all four PAM components: authentication, account management,

session management and password management. However, only the account management components

need to be conﬁgured. The PAM components for session management and password management are

NULL functions. These components always return [PAM_SUCCESS].

The

libpam_authz.so.1

library is a shared object that can be dynamically loaded to provide the

necessary functionality upon demand. Its path is speciﬁed in the PAM conﬁguration ﬁle.

Access Policy File

The

access policy file referred to throughout this document is a conﬁguration ﬁle created by the

administrator to deﬁne complex policies that control access based on a variety of information. This ﬁle is

named pam_authz.policy

and is located in /etc/opt/ldapux by default. Any service that loads

the

libpam_authz.so.1

library will also load this ﬁle if it exists, unless an access policy file

has been conﬁgured in another location and has been speciﬁed using the

policy option in pam.conf.

Read on for more details on the

access policy file and see the sample

/etc/opt/ldapux/pam_authz.policy.template

ﬁle delivered with this product.

Authentication and Account Managment Modules

The

pam_authz authentication component does not provide authentication. Instead, it provides author-

ization via pam_sm_acct_mgmt()

. pam_authz is intended to be used as a supplementary module

along with other authentication modules, where another module is used to verify user identities, while

pam_authz is used to verify user access rights. pam_authz is intended to be used when the list of

users that are allowed to gain access to a system is a subset of the users that are stored in a large reposi-

tory (such as an LDAP directory server, or other database.)

Because

pam_authz provides authorization only, not authentication, it is highly recommended that

pam_authz is set to required in the conﬁguration ﬁle (see pam.conf (4)). Typically pam_authz is

conﬁgured as the first module under the account management section of the /etc/pam.conf ﬁle.

However, for PAM applications that neglect to call the PAM account management procedure,

pam_authz may also be conﬁgured as an authentication module. When pam_authz is conﬁgured as an

authentication module, at least one other PAM module must be set to required to authenticate a user.

Without an

access policy file, pam_sm_acct_mgmt() use netgroups (see netgroup (4)) and

the /etc/passwd ﬁle to determine user access rights, using a similar syntax as was deﬁned by NIS.

However, pam_authz does not support the password entry ﬁltering syntax as deﬁned by NIS, other than

to determine if a netgroup member should be granted (or denied) access based on if the password ﬁeld

is blocked or not.

pam_authz scans the /etc/passwd ﬁle for the matching NIS style entry and returns grant or deny

access based on the ﬁrst rule that matches the account in question. For example, pam_authz will grant

or deny access when the following entries are deﬁned in the /etc/passwd ﬁle:

HP-UX 11i v3: June 2010 Web Release − 1 − Hewlett-Packard Company 1

Summary of content (8 pages)

PAGE 1
pam_authz(5) pam_authz(5) NAME pam_authz - PAM module that provides user authorization SYNOPSIS /usr/lib/security/$ISA/libpam_authz.so.1 DESCRIPTION The pam_authz service module for PAM, /usr/lib/security/$ISA/libpam_authz.so.1, provides functionality which allows the administrator to control who can login to the system based on netgroup information found in the /etc/passwd file or the access rules that are defined in an access policy file.
PAGE 2
pam_authz(5) pam_authz(5) + Grants access to all the users in the database. +@name Grants access to all members of the network group name. +name Grants access to user name. +@name :any_non_NULL_string Denies access to all members of the network group name. +name :* Denies access to user name. -@name Denies access to all members of the network group name. -name Denies access to user name. Please refer to passwd (4) for a sample /etc/passwd file.
PAGE 3
pam_authz(5) pam_authz(5) status Supports LDAP account and password security policy enforcement when PAM_LDAP authenication service module is bypassed. type The value in the type field represents the source of the information. It signifies the kinds of user information that PAM_AUTHZ should look for. The value also helps to determine the correct syntax in the following object field.
PAGE 4
pam_authz(5) pam_authz(5) Type Object unix_user This field contains a list of usernames. Each value (username) is a character string that is separated by a comma (,) separator, ASCII 2C HEX. Multi-valued field. unix_local_user No parameters are required in the object field. unix_group This field contains a list of unix group names. Each value (group name) is a character string that is separated by a comma (,) separator, ASCII 2C HEX. Multi-valued field.
PAGE 5
pam_authz(5) pam_authz(5) RHOSTIP Returns the IP address of the remote host system from which the user starts the PAM enabled application, such as telnet. RHOSTNAME Returns the name of the remote host system from which the user starts the PAM enabled application, such as telnet. This field defines the in the specified that PAM_AUTHZ uses to evaluate security policy settings with the user.
PAGE 6
pam_authz(5) pam_authz(5) debug syslog() debugging information at LOG_DEBUG level. nowarn Turn off warning messages. pam_close_session is a NULL function. Password Management Module The password management component provides a function to change passwords (pam_sm_chauthtok()). In the case of pam_authz, the module is a NULL function. The following options may be passed in to the pam_authz service module: debug syslog() debugging information at LOG_DEBUG level. nowarn Turn off warning messages.
PAGE 7
pam_authz(5) pam_authz(5) SEE ALSO pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), netgroup(4), pam.conf(4), pam_user.conf(4), passwd(4), ldapux(5), pam_krb5(5), pam_ldap(5).
PAGE 8
(Notes) A (Notes) pA 8 Hewlett-Packard Company −1− HP-UX 11i v3: June 2010 Web Release