HP-UX Reference (11i v1 05/09) - 4 File Formats (vol 8)
pam.conf(4) pam.conf(4)
NAME
pam.conf - configuration file for pluggable authentication modules
SYNOPSIS
/etc/pam.conf
DESCRIPTION
pam.conf is the configuration file for the Pluggable Authentication Module architecture, or PAM. A PAM
module provides functionality for one or more of four possible services: authentication, account
management, session management, and password management.
An authentication service module provides functionality to authenticate a user and set up user credentials.
An account management module provides functionality to determine if the current user’s account is valid.
This includes checking for password and account expiration, as well as verifying access hour restrictions. A
session management module provides functionality to set up and terminate login sessions. A password
management module provides functionality to change a user’s authentication token or password.
Simplified PAM.CONF configuration file
The pam.conf file contains a listing of services. Each service is paired with a corresponding service
module. When a service is requested, its associated module is invoked. Each entry has the following
format:
service_name module_type control_flag module_path options
Below is an example of the pam.conf configuration file with support for authentication, account
management, and session management modules.
login auth required /usr/lib/security/libpam_unix.1 debug
login session required /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_unix.1
other auth required /usr/lib/security/libpam_unix.1
other password required /usr/lib/security/libpam_unix.1
service_name The service_name denotes the service (for example, login or dtlogin). The keyword
other indicates the module that all other applications which have not been specified should
use. The other keyword can also be used if all services of the same module_type have the
same requirements. In the example above, since all of the services use the same session
module, they could have been replaced by a single other line.
module_type module_type denotes the service module type: authentication (auth), account management
(account), session management (session), or password management (password).
control_flag The control_flag field determines the behavior of stacking, and will be discussed in more
detail below.
module_path The module_path field specifies the pathname to a shared library object which implements
the service functionality. If the pathname is not absolute, it is assumed to be relative to
/usr/lib/security.
options The options field is used by the PAM framework layer to pass module specific options to the
modules. It is up to the module to parse and interpret the options. This field can be used
by the modules to turn on debugging or to pass any module specific parameters such as a
TIMEOUT value. It can also be used to support unified login. The options supported by
the modules are documented in their respective manual pages. For example, pam_unix(5)
lists the options accepted by the UNIX module.
Integrating Multiple Authentication Services With Stacking
When a service_name of the same module_type is defined more than once, the service is said to be stacked.
Each module referenced in the module_path for that service is then processed in the order that it occurs in
the configuration file. The control_flag field specifies the continuation and failure semantics of the modules,
and may be required, optional, or sufficient.
The PAM framework processes each service module in the stack. If all required modules in the stack
succeed, then success is returned (optional and sufficient error values are ignored). If one or more
required modules fail, then the error value from the first required module that failed is returned.
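The entry format, the other fallback and the required rule above, as an added Python example for auditing which stack a service actually gets (not part of the HP-UX manual or of PAM itself). It assumes lines starting with # are comments and that other is looked up per module_type; libpam_example.1 is a hypothetical module, and only the required rule stated above is modeled.

```python
# Added example, not from the manual page: resolve and evaluate a PAM stack.
SECURITY_DIR = "/usr/lib/security"  # base for non-absolute module_path values
TYPES = {"auth", "account", "session", "password"}
FLAGS = {"required", "optional", "sufficient"}

# Constructed sample: the page's example plus one stacked, hypothetical module.
SAMPLE = """\
login   auth     required /usr/lib/security/libpam_unix.1 debug
login   auth     optional libpam_example.1
login   session  required /usr/lib/security/libpam_unix.1
login   account  required /usr/lib/security/libpam_unix.1
dtlogin session  required /usr/lib/security/libpam_unix.1
other   auth     required /usr/lib/security/libpam_unix.1
other   password required /usr/lib/security/libpam_unix.1
"""

def parse(text):
    """Return entries in file order; reject unknown module types or flags."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):  # assumption: # comments
            continue
        if len(fields) < 4 or fields[1] not in TYPES or fields[2] not in FLAGS:
            raise ValueError(f"line {n}: malformed entry: {line!r}")
        service, mtype, flag, path = fields[:4]
        if not path.startswith("/"):
            path = f"{SECURITY_DIR}/{path}"
        entries.append((service, mtype, flag, path, fields[4:]))
    return entries

def stack_for(entries, service, mtype):
    """Entries for service/module_type in order, else the 'other' entries."""
    own = [e for e in entries if e[0] == service and e[1] == mtype]
    return own or [e for e in entries if e[0] == "other" and e[1] == mtype]

def evaluate(stack, results):
    """results maps module path to 0 (success) or a nonzero error value.
    Returns the first failed required module's error, otherwise 0."""
    for _service, _mtype, flag, path, _opts in stack:
        if flag == "required" and results[path] != 0:
            return results[path]
    return 0
```

An empty list from stack_for means neither the service nor other defines that module_type, which is worth flagging when reviewing a pam.conf.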
Section 4−−194 Hewlett-Packard Company − 1 − HP-UX 11i Version 1: September 2005