HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)
p
pam.conf(4) pam.conf(4)
NAME
pam.conf - configuration file for pluggable authentication modules
SYNOPSIS
/etc/pam.conf
DESCRIPTION
pam.conf is the configuration file for the Pluggable Authentication Module architecture, or PAM. A
PAM module provides functionality for one or more of four possible services: authentication, account
management , session management , and password management .
An authentication service module provides functionality to authenticate a user and set up user creden-
tials. An account management module provides functionality to determine if the current user’s account is
valid. This includes checking for password and account expiration, as well as verifying access hour res-
trictions. A session management module provides functionality to set up and terminate login sessions. A
password management module provides functionality to change a user’s authentication token or pass-
word.
Simplified pam.conf configuration file
The
pam.conf file contains a listing of services. Each service is paired with a corresponding service
module. When a service is requested, its associated module is invoked. Each entry has the following for-
mat:
service_name module_type control_flag module_path options
Below is an example of the
pam.conf configuration file with support for authentication, account
management, session management and password management modules. Note that the use of
pam_hpsec is mandatory for some of the services. For more information, see pam_hpsec (5).
login auth required libpam_hpsec.so.1 debug
login auth required libpam_unix.so.1 debug
login session required libpam_hpsec.so.1
login session required libpam_unix.so.1
login account required libpam_unix.so.1
dtlogin auth required libpam_hpsec.so.1
dtlogin auth required libpam_unix.so.1
dtlogin session required libpam_hpsec.so.1
dtlogin session required libpam_unix.so.1
other auth required libpam_unix.so.1
other account required libpam_unix.so.1
other session required libpam_unix.so.1
other password required libpam_unix.so.1
service_name The service_name denotes the service (for example,
login,ordtlogin). The keyword,
other, indicates the module all other applications which have not been specified should
use. The other keyword can also be used if all services of the same module_type have
the same requirements. In the example above, since all of the services use the same
account management module, they could have been replaced by a single other line.
module_type module_type denotes the service module type: authentication (auth), account manage-
ment (account ), session management (session), or password management (password ).
control_flag The control_flag field determines the behavior of stacking, and will be discussed in more
detail below.
module_path The module_path field specifies the pathname to a shared library object which imple-
ments the service functionality. If the pathname is not absolute, it is assumed to be rela-
tive to
/usr/lib/security/$ISA/. The $ISA (i.e Instruction Set Architecture)
token is replaced by the PAM engine (libpam) with hpux32 for Itanium-based 32-bit
modules, with null for PA-RISC 32-bit modules, with hpux64 for Itanium-based 64-bit
modules, or with pa20_64 for PA-RISC 64-bit modules. To accommodate backward com-
patibility to PA-RISC library naming convention, appropriate links are provided in
/usr/lib/security/ and /usr/lib/security/pa20_64 Example:
/usr/lib/security/libpam_unix.so.1 -> ./libpam_unix.1 If a user-
defined module is specified in /etc/pam.conf or /etc/pam_user.conf, the above
convention must be followed to create symbolic links pointing to PA-RISC modules. To
HP-UX 11i Version 2: September 2004 − 1 − Hewlett-Packard Company Section 4−−225