pam_hpsec.5 (2010 09)

pam_hpsec(5) pam_hpsec(5)
NAME
pam_hpsec - extended authentication, account, password, and session service module for HP-UX
SYNOPSIS
/usr/lib/security/$ISA/libpam_hpsec.so.1
DESCRIPTION
The hpsec service module implements extensions specific to HP-UX for authentication, account management, password management, and session management.
The use of pam_hpsec is recommended for all services, and is mandatory for some services such as login, dtlogin, ftp, su, remsh/rexec and ssh. Application writers and system administrators may decide that it is inappropriate to use pam_hpsec for some specific applications. When the pam_hpsec module is present on the stack, it must be on the top of the stack, above other modules such as pam_unix, pam_krb5, or pam_ldap. This module is specific to HP-UX, and the functionality may vary significantly between releases.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
Options
The following options may be passed to the hpsec service module for all the components:
debug   syslog(3C) debugging information at LOG_DEBUG.
nowarn  Turns off warning messages.
opaque  With this option, pam_hpsec returns PAM_SUCCESS upon success. Without this option, the module returns PAM_IGNORE upon success (which simplifies the PAM configuration).
Authentication Component
The hpsec authentication component provides management of credentials specific to HP-UX. In the future, this component may also implement additional HP-UX specific authentication restrictions in addition to the credential management.
Currently, this component initializes audit attributes for the session. In addition to the options listed in the Options section, the following options may also be passed to the module for authentication.
bypass_setaud  With this option, pam_hpsec does not initialize audit attributes for the session. This option is supported solely to maintain su(1) backward compatible behavior when pam_hpsec is configured with su(1). HP recommends that this option not be applied to other services.
bypass_all     With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce.
Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not managed by any PAM module. The application performing the authentication is expected to grant these credentials (these credentials must be granted after calling pam_open_session(3)) using the setuid(2) and initgroups(3C) types of calls.
Account Management Component
This component implements the AUTH_MAXTRIES and LOGIN_TIMES restrictions described in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for account management.
bypass_maxtries       With this option, pam_hpsec ignores the AUTH_MAXTRIES restriction.
bypass_login_times    With this option, pam_hpsec ignores the LOGIN_TIMES restriction.
bypass_cmpt_restrict  This option is available only if the HP-UX Compartment Login product is installed, and its compartment login feature is enabled. With the bypass_cmpt_restrict option, pam_hpsec ignores the CMPT_LOGIN compartment login access check restrictions. CMPT_LOGIN is defined in the /etc/cmpt/cmpt.conf compartment configuration file. Refer to compartment_login(5) for more information about HP-UX Compartment Login.
bypass_all            With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce.
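The stack-placement rule in DESCRIPTION and the bypass options listed above can be checked mechanically. The following is an added example, not part of the HP-UX manual page or any HP tool: a Python audit of pam.conf(4)-style lines that reports every stack where pam_hpsec is present but not first, and every bypass_* option other than bypass_setaud on su. The sample configuration, its service names, and the function name audit are constructed for illustration.

```python
import re
from collections import defaultdict

BYPASS = re.compile(r"^bypass_\w+$")

# Constructed sample in pam.conf(4) layout (assumed field order):
# service  module_type  control_flag  module_path  [options]
SAMPLE = """\
# constructed sample, not a shipped HP-UX file
login  auth     required  libpam_hpsec.so.1
login  auth     required  libpam_unix.so.1
su     auth     required  libpam_hpsec.so.1 bypass_setaud
su     auth     required  libpam_unix.so.1
ftp    auth     required  libpam_unix.so.1
ftp    auth     required  libpam_hpsec.so.1
sshd   account  required  libpam_hpsec.so.1 bypass_maxtries
sshd   account  required  libpam_unix.so.1
"""

def audit(text):
    """Return sorted findings as (service, module_type, message) tuples."""
    stacks = defaultdict(list)            # (service, type) -> [(module, opts)]
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue                      # blank, comment or malformed line
        service, mtype, _flag, path, *opts = fields
        stacks[(service, mtype)].append((path.rsplit("/", 1)[-1], opts))
    findings = []
    for (service, mtype), stack in stacks.items():
        for pos, (module, opts) in enumerate(stack):
            if not module.startswith("libpam_hpsec."):
                continue
            if pos != 0:
                findings.append((service, mtype, "pam_hpsec is not on top of the stack"))
            for opt in opts:
                if opt == "bypass_setaud" and service == "su":
                    continue              # the one use the man page supports
                if BYPASS.match(opt):
                    findings.append((service, mtype, f"{opt} is set"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
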
HP-UX 11i Version 3: September 2010    Hewlett-Packard Company
