HP-UX Reference (11i v1 05/09) - 4 File Formats (vol 8)

pam.conf(4) pam.conf(4)
If none of the service modules in the stack are designated as required, then the PAM framework requires that at least one optional or sufficient module succeed. If all fail, then the error value from the first service module in the stack is returned.

The only exception to the above is caused by the sufficient flag. If a service module that is designated as sufficient succeeds, then the PAM framework immediately returns success to the application (all subsequent service modules, even required ones, in the stack are ignored), given that all prior required modules had also succeeded. If a prior required module failed, then the error value from that module is returned.
If a module does not exist or cannot be opened, then the pam.conf entry is ignored and an error will be logged through syslog(3C) at the LOG_CRIT level.

Below is a sample configuration file that stacks the login and dtlogin services.
login   auth required   /usr/lib/security/libpam_unix.1 debug
login   auth optional   /usr/lib/security/libpam_inhouse.1
dtlogin auth sufficient /usr/lib/security/libpam_unix.1 debug
dtlogin auth required   /usr/lib/security/libpam_inhouse.1
In the case of login, the user is authenticated by the UNIX and inhouse authentication modules. The required keyword for control_flag requires that the user be allowed to log in only if the user is authenticated by the UNIX service module. Inhouse authentication is optional by virtue of the optional keyword in the control_flag field. The user can still log in even if inhouse authentication fails.

In the case of dtlogin, the sufficient keyword for control_flag specifies that if the UNIX authentication check succeeds, then PAM should return success to dtlogin. The inhouse authentication module (the next module in the stack) will only be invoked if the UNIX authentication check fails.

Some modules may return PAM_IGNORE in certain situations. In these cases the PAM framework ignores the entire entry in pam.conf regardless of whether or not it is required, optional or sufficient.
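The stacking rules above can be checked by simulation. The following is an added example written for this edit, not code from the HP-UX manual or from the PAM framework: it parses the sample entries in pam.conf syntax and applies the required/optional/sufficient rules to one stack, given what each module would return. The `ftp` service entries and the error names other than PAM_IGNORE are constructed for the simulation.

```python
SUCCESS, IGNORE, NO_ENTRY = "PAM_SUCCESS", "PAM_IGNORE", "PAM_SERVICE_ERR"

# The manual page's sample entries, plus an assumed 'ftp' stack to show a
# sufficient module that succeeds after a required module has failed.
SAMPLE_CONF = """
login   auth required   /usr/lib/security/libpam_unix.1 debug
login   auth optional   /usr/lib/security/libpam_inhouse.1
dtlogin auth sufficient /usr/lib/security/libpam_unix.1 debug
dtlogin auth required   /usr/lib/security/libpam_inhouse.1
ftp     auth required   /usr/lib/security/libpam_inhouse.1
ftp     auth sufficient /usr/lib/security/libpam_unix.1
"""

def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path) tuples.
    '#' starts a comment; an entry with a bad control_flag is dropped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[2] in ("required", "optional", "sufficient"):
            entries.append(tuple(fields[:4]))
    return entries

def evaluate_stack(entries, service, module_type, outcomes):
    """Apply the stacking rules to one service/module_type stack.
    outcomes maps module path -> SUCCESS, IGNORE or an error name; a module
    missing from it counts as one that cannot be opened (entry skipped).
    Returns (value handed to the application, modules actually invoked)."""
    stack = [e for e in entries if e[0] == service and e[1] == module_type]
    if not stack:  # fall back to the OTHER service
        stack = [e for e in entries if e[0] == "OTHER" and e[1] == module_type]
    invoked, first_error, required_error, required_seen, any_ok = [], None, None, False, False
    for _, _, flag, module in stack:
        rv = outcomes.get(module, IGNORE)
        if rv == IGNORE:
            continue  # entry ignored whatever its control_flag
        invoked.append(module)
        required_seen |= flag == "required"
        if rv == SUCCESS:
            if flag == "sufficient" and required_error is None:
                return SUCCESS, invoked  # rest of the stack is skipped
            any_ok = True
        else:
            first_error = first_error or rv
            if flag == "required":
                required_error = required_error or rv
    if not invoked:
        return NO_ENTRY, invoked  # no valid entry ran for this module_type
    if required_error:
        return required_error, invoked
    return (SUCCESS if required_seen or any_ok else first_error), invoked
```

The returned list of invoked modules shows the short-circuit: for dtlogin with a succeeding UNIX module, libpam_inhouse.1 is never called.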
Configuration Per User
pam.conf contains information to configure all the users on a system. But sometimes it is necessary to configure user by user. A user policy definition is made through a specific module named libpam_updbe.1. This module reads a file named /etc/pam_user.conf which describes the user's configurations.

Below is a sample configuration file (/etc/pam.conf) that uses the module libpam_updbe.1.
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_unix.1
su auth required /usr/lib/security/libpam_updbe.1
su auth required /usr/lib/security/libpam_unix.1
OTHER auth required /usr/lib/security/libpam_unix.1
login password required /usr/lib/security/libpam_updbe.1
login password required /usr/lib/security/libpam_unix.1
passwd password required /usr/lib/security/libpam_updbe.1
passwd password required /usr/lib/security/libpam_unix.1
OTHER password required /usr/lib/security/libpam_unix.1
The module libpam_updbe.1 searches the configuration file /etc/pam_user.conf and reads the configuration associated with the login name of the current user. If there is no configuration concerning the current user in the pam_user.conf file, the PAM framework ignores the line containing libpam_updbe.1. The pam.conf applies for those users who are not configured in pam_user.conf.
NOTES
If an error is found in an entry due to an invalid service_name, module_type, or control_flag, then the entry is ignored. If there are no valid entries for the given module_type, the PAM framework returns an error to the application.
EXAMPLES
The following is a sample pam.conf configuration file. Lines that begin with the # symbol are treated as comments, and therefore ignored.
HP-UX 11i Version 1: September 2005 2 Hewlett-Packard Company Section 4195