HP-UX Reference (11i v2 04/09) - 4 File Formats (vol 8)

pam.conf(4) pam.conf(4)
help reduce the impact of any future /etc/pam.conf file format changes, the only supported way of parsing /etc/pam.conf is through the PAM library interfaces. These interfaces will transparently do any necessary expansion of reserved tokens, such as $ISA.
options        The options field is used by the PAM framework layer to pass module-specific options to the modules. It is up to the module to parse and interpret the options. This field can be used by the modules to turn on debugging or to pass any module-specific parameters, such as a TIMEOUT value. It can also be used to support unified login. The options supported by the modules are documented in their respective manual pages. For example, pam_unix(5) lists the options accepted by the UNIX module.
Integrating Multiple Authentication Services With Stacking
When a service_name of the same module_type is defined more than once, the service is said to be stacked. Each module referenced in the module_path for that service is then processed in the order that it occurs in the configuration file. The control_flag field specifies the continuation and failure semantics of the modules, and may be required, optional, or sufficient.
Each PAM module returns a status that indicates whether it approves, disapproves, or has no opinion about the requested operation. If a module succeeds but has no opinion on a decision, the corresponding control flags for that module are ignored.
The PAM framework processes each service module in the stack. If all required modules in the stack succeed, then success is returned (optional and sufficient error values are ignored). If one or more required modules fail, then the error value from the first required module that failed is returned.
If none of the service modules in the stack are designated as required, then the PAM framework requires that at least one optional or sufficient module succeed. If all fail, then the error value from the first service module in the stack is returned.
The only exception to the above is caused by the sufficient flag. If a service module that is designated as sufficient succeeds, then the PAM framework immediately returns success to the application (all subsequent service modules in the stack, even required ones, are ignored), provided that all prior required modules had also succeeded. If a prior required module failed, then the error value from that module is returned.
If a module does not exist or cannot be opened, an error will be logged through syslog(3C) at the LOG_CRIT level, and the PAM framework returns the PAM_OPEN_ERR error to the application.
Below is a sample configuration file that stacks the login and dtlogin services.

     login    auth  required    libpam_hpsec.so.1    debug
     login    auth  required    libpam_unix.so.1     debug
     login    auth  optional    libpam_inhouse.so.1
     dtlogin  auth  required    libpam_hpsec.so.1    debug
     dtlogin  auth  sufficient  libpam_unix.so.1     debug
     dtlogin  auth  required    libpam_inhouse.so.1
In the case of login, the user is authenticated by the hpsec, UNIX, and inhouse authentication modules. The required keyword for control_flag requires that the user be allowed to log in only if the user is authenticated by both the hpsec and the UNIX service modules. Inhouse authentication is optional by virtue of the optional keyword in the control_flag field: the user can still log in even if inhouse authentication fails.
In the case of dtlogin, the sufficient keyword for control_flag specifies that if the UNIX authentication check succeeds, then PAM should return success to dtlogin. The inhouse authentication module (the next module in the stack) will only be invoked if the UNIX authentication check fails.
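The stacking rules described above, applied to the login and dtlogin sample, as an added simulation written for this page; it is not part of the manual page and not HP-UX's PAM implementation. It assumes that each module's verdict is supplied as a status name in a dictionary (PAM_SUCCESS, an error name such as PAM_AUTH_ERR, or PAM_IGNORE standing in for "no opinion"), and that a stack in which every module has no opinion counts as success, a case the manual page does not cover. The small parser exists only to feed the simulation; on a real system /etc/pam.conf is read through the PAM library interfaces, as stated above.

```python
"""Simulation of the pam.conf control_flag stacking rules (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"      # stands in for "no opinion": the flag is ignored
CONTROL_FLAGS = ("required", "optional", "sufficient")

# The manual page's own sample stack for the login and dtlogin services.
SAMPLE_CONF = """\
login   auth required   libpam_hpsec.so.1   debug
login   auth required   libpam_unix.so.1    debug
login   auth optional   libpam_inhouse.so.1
dtlogin auth required   libpam_hpsec.so.1   debug
dtlogin auth sufficient libpam_unix.so.1    debug
dtlogin auth required   libpam_inhouse.so.1
"""


@dataclass(frozen=True)
class StackEntry:
    service_name: str
    module_type: str
    control_flag: str
    module_path: str
    options: Tuple[str, ...]


def parse_stack(conf: str, service_name: str, module_type: str) -> List[StackEntry]:
    """Collect one service's entries of one module_type, in file order.

    Used only to drive the simulation; real programs must read /etc/pam.conf
    through the PAM library interfaces, not parse it themselves."""
    stack: List[StackEntry] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # '#' begins a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed entry: {raw!r}")
        svc, mtype, flag, path, *opts = fields
        if flag not in CONTROL_FLAGS:
            raise ValueError(f"unknown control_flag {flag!r}: {raw!r}")
        if svc == service_name and mtype == module_type:
            stack.append(StackEntry(svc, mtype, flag, path, tuple(opts)))
    return stack


def evaluate_stack(stack: List[StackEntry],
                   results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Apply the required/optional/sufficient rules to one stack.

    `results` maps module_path -> the status that module would return.
    Returns (status handed to the application, module_paths actually invoked)."""
    invoked: List[str] = []
    first_required_error = None      # error of the first failing required module
    first_error = None               # error of the first failing module of any flag
    saw_required = False
    optional_or_sufficient_ok = False

    for entry in stack:
        invoked.append(entry.module_path)
        status = results[entry.module_path]
        if status == PAM_IGNORE:
            continue                                 # no opinion: flag ignored
        if status != PAM_SUCCESS and first_error is None:
            first_error = status
        if entry.control_flag == "required":
            saw_required = True
            if status != PAM_SUCCESS and first_required_error is None:
                first_required_error = status        # remembered; stack continues
        elif entry.control_flag == "sufficient" and status == PAM_SUCCESS:
            # Short-circuit: later modules, even required ones, are not run,
            # unless an earlier required module already failed.
            return (first_required_error or PAM_SUCCESS), invoked
        elif status == PAM_SUCCESS:
            optional_or_sufficient_ok = True         # optional module succeeded

    if saw_required:
        return (first_required_error or PAM_SUCCESS), invoked
    if optional_or_sufficient_ok:
        return PAM_SUCCESS, invoked
    # No required module and nothing succeeded: first module's error. A stack
    # where every module had no opinion is not covered by the manual page and
    # is treated as success here (assumption).
    return (first_error or PAM_SUCCESS), invoked


def run(service_name: str, results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate the sample configuration's auth stack for one service."""
    return evaluate_stack(parse_stack(SAMPLE_CONF, service_name, "auth"), results)


if __name__ == "__main__":
    # dtlogin: the UNIX check succeeds, so the inhouse module is never consulted.
    print(run("dtlogin", {"libpam_hpsec.so.1": PAM_SUCCESS,
                          "libpam_unix.so.1": PAM_SUCCESS,
                          "libpam_inhouse.so.1": "PAM_AUTH_ERR"}))
    # login: one failing required module decides the outcome of the stack.
    print(run("login", {"libpam_hpsec.so.1": PAM_SUCCESS,
                        "libpam_unix.so.1": "PAM_AUTH_ERR",
                        "libpam_inhouse.so.1": PAM_SUCCESS}))
```

The returned list of invoked modules makes the difference between the two services visible: for dtlogin a successful UNIX check stops the stack before libpam_inhouse.so.1 runs, whereas for login every module runs and the first required failure is what the application receives.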
Configuration Per User
pam.conf contains information to configure all the users on a system. But sometimes it is necessary to configure users individually. A user policy definition is made through a specific module named libpam_updbe.so.1. This module reads a file named /etc/pam_user.conf, which describes the per-user configuration.
Below is a sample configuration file (/etc/pam.conf) that uses the module libpam_updbe.so.1.
Section 4-226          Hewlett-Packard Company          - 2 -          HP-UX 11i Version 2: September 2004