HP-UX Reference (11i v2 03/08) - 4 File Formats (vol 8)

pam.conf(4)
Integrating Multiple Authentication Services With Stacking
When a service_name of the same module_type is defined more than once, the service is said to be stacked. Each module referenced in the module_path for that service is then processed in the order that it occurs in the configuration file. The control_flag field specifies the continuation and failure semantics of the modules, and may be required, optional, or sufficient.

The PAM framework processes each service module in the stack. If all required modules in the stack succeed, then success is returned (optional and sufficient error values are ignored). If one or more required modules fail, then the error value from the first required module that failed is returned.

If none of the service modules in the stack are designated as required, then the PAM framework requires that at least one optional or sufficient module succeed. If all fail, then the error value from the first service module in the stack is returned.

The only exception to the above is caused by the sufficient flag. If a service module that is designated as sufficient succeeds, then the PAM framework immediately returns success to the application (all subsequent service modules, even required ones, in the stack are ignored), given that all prior required modules had also succeeded. If a prior required module failed, then the error value from that module is returned.

If a module does not exist or cannot be opened, then the pam.conf entry is ignored and an error will be logged through syslog(3C) at the LOG_CRIT level.
Below is a sample configuration file that stacks the login and dtlogin services.

    login   auth required   /usr/lib/security/$ISA/libpam_unix.so.1 debug
    login   auth optional   /usr/lib/security/$ISA/libpam_inhouse.so.1
    dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
    dtlogin auth required   /usr/lib/security/$ISA/libpam_inhouse.so.1
In the case of login, the user is authenticated by the UNIX and inhouse authentication modules. The required keyword for control_flag requires that the user be allowed to log in only if the user is authenticated by the UNIX service module. Inhouse authentication is optional by virtue of the optional keyword in the control_flag field. The user can still log in even if inhouse authentication fails.

In the case of dtlogin, the sufficient keyword for control_flag specifies that if the UNIX authentication check succeeds, then PAM should return success to dtlogin. The inhouse authentication module (the next module in the stack) will only be invoked if the UNIX authentication check fails.

Some modules may return PAM_IGNORE in certain situations. In these cases the PAM framework ignores the entire entry in pam.conf regardless of whether it is required, optional or sufficient.
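The stacking rules above, worked through as an added example that is not part of the HP-UX man page or of the HP-UX PAM framework: a small Python model that parses pam.conf lines into per-service stacks and evaluates a stack against constructed module results (return codes are represented by their names, and no real PAM library is called). It uses the login/dtlogin sample from this page as its input and also covers the PAM_IGNORE and missing-module cases.

```python
# Added example (not HP-UX code): a model of the pam.conf(4) stacking rules;
# return codes are plain names and no real PAM library is called.

def parse_pam_conf(text):
    """Group pam.conf lines into stacks keyed by (service_name, module_type),
    each a list of (control_flag, module_path) in file order; options dropped."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # '#' starts a comment
        if line:
            service, mtype, flag, path, *_opts = line.split()
            stacks.setdefault((service, mtype), []).append((flag, path))
    return stacks

def run_stack(stack, results):
    """Evaluate one stack. `results` maps module_path -> the code that module
    would return; a path missing from `results` models a module that cannot be
    opened, whose entry is skipped (the real framework also logs it)."""
    first_required_err = None   # error from the first failed 'required' module
    first_err = None            # error from the first failed module of any flag
    saw_required = weak_ok = False
    for flag, path in stack:
        rc = results.get(path, "PAM_IGNORE")       # missing module: skip entry
        if rc == "PAM_IGNORE":                     # entry dropped, flag irrelevant
            continue
        if rc != "PAM_SUCCESS" and first_err is None:
            first_err = rc
        if flag == "required":
            saw_required = True
            if rc != "PAM_SUCCESS" and first_required_err is None:
                first_required_err = rc
        elif rc == "PAM_SUCCESS":
            if flag == "sufficient":               # short-circuit the stack
                return first_required_err or "PAM_SUCCESS"
            weak_ok = True                         # an 'optional' succeeded
    if saw_required:
        return first_required_err or "PAM_SUCCESS"
    return "PAM_SUCCESS" if weak_ok else first_err  # first_err: all failed

# The login/dtlogin sample from the page, as constructed input.
SAMPLE_CONF = """\
login   auth required   /usr/lib/security/$ISA/libpam_unix.so.1 debug
login   auth optional   /usr/lib/security/$ISA/libpam_inhouse.so.1
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_unix.so.1 debug
dtlogin auth required   /usr/lib/security/$ISA/libpam_inhouse.so.1
"""
UNIX = "/usr/lib/security/$ISA/libpam_unix.so.1"
INHOUSE = "/usr/lib/security/$ISA/libpam_inhouse.so.1"
def authenticate(service, results, conf=SAMPLE_CONF):
    return run_stack(parse_pam_conf(conf)[(service, "auth")], results)
```

For instance, `authenticate("dtlogin", {UNIX: "PAM_SUCCESS", INHOUSE: "PAM_AUTH_ERR"})` returns PAM_SUCCESS because the sufficient UNIX module short-circuits the stack, while the same results for login also succeed only because the inhouse module is optional.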
Configuration Per User
pam.conf contains information to configure all the users on a system. But sometimes it is necessary to configure user by user. A user policy definition is made through a specific module named libpam_updbe.so.1. This module reads a file named /etc/pam_user.conf which describes the user's configurations.

Below is a sample configuration file (/etc/pam.conf) that uses the module libpam_updbe.so.1.
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1
su auth required /usr/lib/security/$ISA/libpam_updbe.so.1
su auth required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_unix.so.1
login password required /usr/lib/security/$ISA/libpam_updbe.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1
passwd password required /usr/lib/security/$ISA/libpam_updbe.so.1
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER password required /usr/lib/security/$ISA/libpam_unix.so.1
The module libpam_updbe.so.1 searches the configuration file /etc/pam_user.conf and reads the configuration associated with the login name of the current user. If there is no configuration concerning the current user in the pam_user.conf file, the PAM framework ignores the line containing libpam_updbe.so.1. The pam.conf applies for those users who are not configured in pam_user.conf.
Section 4-224 Hewlett-Packard Company - 2 - HP-UX 11i Version 2: August 2003