HP-UX Reference (11i v1 05/09) - 5 Miscellaneous Topics (vol 9)
pam_unix(5) pam_unix(5)
Unix Account Management Module
The UNIX account management component provides a function to perform account management
(pam_sm_acct_mgmt()). The function retrieves the user’s password entry from the UNIX password
database and verifies that the user’s account and password have not expired. For trusted systems, this
module also validates the allowed access time and access terminal based upon the security configuration.
The following options may be passed in to the UNIX service module:
debug syslog(3C) debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
Unix Session Management Module
The UNIX session management component provides functions to initiate (pam_sm_open_session())
and terminate (pam_sm_close_session()) UNIX sessions. For UNIX, pam_open_session()
updates the last successful or unsuccessful login time in the protected password database for trusted mode.
The account management module reads the information to display the previous time the user logged in.
The following options may be passed in to the UNIX service module:
debug syslog(3C) debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
pam_close_session is a NULL function.
Unix Password Management Module
The UNIX password management component provides a function to change passwords
(pam_sm_chauthtok()) in the UNIX password database. This module must be required in
pam.conf. It cannot be optional or sufficient. The following options may be passed in to the
UNIX service module:
debug syslog(3C) debugging information at LOG_DEBUG level.
nowarn Turn off warning messages.
use_first_pass
It compares the password in the password database with the user’s old password
(entered to the first password module in the stack). If the passwords do not match, or if
no password has been entered, quit and do not prompt the user for the old password. It
also attempts to use the new password (entered to the first password module in the
stack) as the new password for this module. If the new password fails, quit and do not
prompt the user for a new password.
try_first_pass
It compares the password in the password database with the user’s old password
(entered to the first password module in the stack). If the passwords do not match, or if
no password has been entered, prompt the user for the old password. It also attempts
to use the new password (entered to the first password module in the stack) as the new
password for this module. If the new password fails, prompt the user for a new password.
use_psd It prompts the user for the PIN (with the PIN, the PAM Framework can retrieve a
password from the smart card) and the old password is retrieved from the smart card. It
compares the password in the password database with the user’s old password. If the
passwords match, it prompts the user for a new password.
If the user’s password has expired, the UNIX account module saves this information in the authentication
handle using pam_set_data(). The UNIX password module retrieves this information from the
authentication handle using pam_get_data() to determine whether or not to force the user to update
their password.
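The constraints above on the password management module (it must be required in pam.conf, and use_first_pass depends on a password entered to an earlier module in the stack) can be checked mechanically. The following Python lint is an added example, not part of the HP-UX reference; the sample pam.conf, the module paths in it and the libpam_example.1 module are constructed for illustration, and the use_first_pass check is an inference from the option description.

```python
# Added example: lint the password stack in pam.conf against pam_unix(5).
# SAMPLE_PAM_CONF is constructed; module paths are assumed and
# libpam_example.1 is a hypothetical module.
SAMPLE_PAM_CONF = """\
# service  module_type  control_flag  module_path  options
login    password  required  /usr/lib/security/libpam_unix.1 debug
passwd   password  optional  /usr/lib/security/libpam_unix.1
dtlogin  password  required  /usr/lib/security/libpam_unix.1 use_first_pass
su       password  required  /usr/lib/security/libpam_example.1
su       password  required  /usr/lib/security/libpam_unix.1 try_first_pass
"""


def parse_pam_conf(text):
    """Yield (lineno, service, module_type, control_flag, module_path, options)."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) >= 4:
            yield (lineno, *fields[:4], fields[4:])


def lint_password_stack(text):
    """Return a list of (lineno, service, finding) for pam_unix password entries."""
    findings = []
    seen = {}  # service -> password modules already seen in that stack
    for lineno, service, mtype, flag, path, opts in parse_pam_conf(text):
        if mtype != "password":
            continue
        position = seen.get(service, 0)
        seen[service] = position + 1
        if "pam_unix" not in path:
            continue
        # The page: the module must be required, never optional or sufficient.
        if flag != "required":
            findings.append((lineno, service, "not-required"))
        # use_first_pass reuses a password entered to an earlier module and
        # quits without prompting if none was entered (inference: so it
        # cannot work as the first password module of a stack).
        if "use_first_pass" in opts and position == 0:
            findings.append((lineno, service, "use_first_pass-without-earlier-module"))
    return findings


if __name__ == "__main__":
    for lineno, service, finding in lint_password_stack(SAMPLE_PAM_CONF):
        print(f"pam.conf line {lineno}: service {service}: {finding}")
```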
SEE ALSO
keylogin(1), pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), pam.conf(4), pam_user.conf(4).
HP-UX 11i Version 1: September 2005 − 2 − Hewlett-Packard Company Section 5−−103