pam_unix.5 (2010 09)

pam_unix(5) pam_unix(5)
NAME
       pam_unix - authentication, account, session, and password management PAM modules for UNIX

SYNOPSIS
       /usr/lib/security/$ISA/libpam_unix.so.1

DESCRIPTION
       The UNIX service module for PAM, /usr/lib/security/$ISA/libpam_unix.so.1, provides
       functionality for all four PAM modules: authentication, account management, session
       management and password management.

       The libpam_unix.so.1 module is a shared object that can be dynamically loaded to provide
       the necessary functionality upon demand.

       For an interpretation of the module path, please refer to the related information in
       pam.conf(4).
  Unix Authentication Module
       The UNIX authentication component provides functions to verify the identity of a user
       (pam_sm_authenticate()) and to set user specific credentials (pam_sm_setcred()).

       pam_sm_authenticate() compares the user entered password (or the password retrieved from
       the user's smart card) with the password from the UNIX password database, including the
       protected password database for trusted systems. If the passwords match, the user is
       authenticated. If the user also has secure RPC credentials and the secure RPC password is
       the same as the UNIX password, then the secure RPC credentials are also obtained.
       The following options may be passed to the UNIX service module:

       debug          syslog(3C) debugging information at LOG_DEBUG level.

       nowarn         Turn off warning messages.

       use_first_pass It compares the password in the password database with the user's initial
                      password (entered when the user authenticated to the first authentication
                      module in the stack). If the passwords do not match, or if no password has
                      been entered, quit and do not prompt the user for a password. This option
                      should only be used if the authentication service is designated as optional
                      in the pam.conf configuration file.

       try_first_pass It compares the password in the password database with the user's initial
                      password (entered when the user authenticated to the first authentication
                      module in the stack). If the passwords do not match, or if no password has
                      been entered, prompt the user for a password.

       use_psd        psd stands for personal security device; in the current implementation
                      there is only one security device: the smart card. It compares the password
                      in the password database with the password stored on the user's smart card.
                      With this option the PAM Framework prompt "Enter PIN:" is used instead of
                      the password prompt. This option is only supported with the authentication
                      or password module types (auth, password) in the pam.conf or pam_user.conf
                      configuration files.
       When prompting for the current password, the UNIX authentication module will use the
       prompt "Password:" unless one of the following scenarios occurs:

       1.  The option try_first_pass is specified and the password entered for the first module
           in the stack fails for the UNIX module.

       2.  The option try_first_pass is not specified, and the earlier authentication modules
           listed in the pam.conf file have prompted the user for the password.

       3.  The option use_psd is specified. In this case, the UNIX authentication module will use
           the prompt "Enter PIN:".

       In cases 1 and 2, the UNIX authentication module will use the prompt "System Password:".

       The pam_sm_setcred() function sets user specific credentials. If the user had secure RPC
       credentials, but the secure RPC password was not the same as the UNIX password, then a
       warning message is printed. If the user wants to get secure RPC credentials, then
       keylogin(1) needs to be run.
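       The following pam.conf stacks are an added illustration of the use_first_pass,
       try_first_pass and use_psd options and of the prompt cases above; they are not part of
       this manual page. libpam_first.so.1 is a hypothetical placeholder for whatever module
       prompts for the password ahead of libpam_unix.so.1.

```text
# Four alternative "login" stacks for /etc/pam.conf; a real file contains only one.
# Format: service  module_type  control_flag  module_path  options
# libpam_first.so.1 is a hypothetical placeholder module that prompts for the password.

# (a) Not as documented: use_first_pass on a "required" entry. If the password entered
#     for the first module does not match the UNIX database, or none was entered,
#     libpam_unix quits without prompting and this required entry fails the stack.
login   auth  required  /usr/lib/security/$ISA/libpam_first.so.1
login   auth  required  /usr/lib/security/$ISA/libpam_unix.so.1  use_first_pass

# (b) As documented: use_first_pass only on an "optional" entry, so a mismatch or a
#     missing password does not by itself fail the stack.
login   auth  required  /usr/lib/security/$ISA/libpam_first.so.1
login   auth  optional  /usr/lib/security/$ISA/libpam_unix.so.1  use_first_pass

# (c) try_first_pass: the first module's password is tried; on mismatch or no password,
#     libpam_unix prompts again, using "System Password:" (case 1 above).
login   auth  required  /usr/lib/security/$ISA/libpam_first.so.1
login   auth  required  /usr/lib/security/$ISA/libpam_unix.so.1  try_first_pass

# (d) Smart card: use_psd replaces the password prompt with "Enter PIN:" (case 3) and
#     is accepted only on the auth and password module types.
login   auth      required  /usr/lib/security/$ISA/libpam_unix.so.1  use_psd
login   password  required  /usr/lib/security/$ISA/libpam_unix.so.1  use_psd
```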
HP-UX 11i Version 3: September 2010                - 1 -                Hewlett-Packard Company
