HP-UX Reference (11i v2 04/09) - 5 Miscellaneous Topics (vol 9)
pam_hpsec(5) pam_hpsec(5)
NAME
pam_hpsec - extended authentication, account, password, and session service module for HP-UX
SYNOPSIS
/usr/lib/security/$ISA/libpam_hpsec.so.1
DESCRIPTION
The pam_hpsec service module implements extensions specific to HP-UX for authentication, account
management, password management, and session management.
The use of pam_hpsec is mandatory for services like login, dtlogin, ftp, remsh/rexec and ssh. These services are required to stack this module at the top of the stack, above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application. This module is specific to HP-UX, and the functionality may vary significantly between releases.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
Options
The following options may be passed to the module for all the components:
debug     syslog(3C) debugging information at LOG_DEBUG.
nowarn    Turns off warning messages.
opaque    With this option, pam_hpsec returns PAM_SUCCESS upon success. Without this option, the module returns PAM_IGNORE upon success (which simplifies the PAM configuration).
Authentication Component
The hpsec authentication component provides management of credentials specific to HP-UX. In the future, this component may also implement additional HP-UX specific authentication restrictions in addition to the credential management.
Currently, this component initializes audit attributes for the session.
Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not managed by any PAM module. The application performing the authentication is expected to grant these credentials (these credentials must be granted after calling pam_open_session(3)) using the setuid(2) and initgroups(3C) types of calls.
Account Management Component
This component unconditionally succeeds.
Password Management Component
This component unconditionally succeeds.
Session Management Component
This component implements many miscellaneous restrictions such as NOLOGIN, NUMBER_OF_LOGINS_ALLOWED, and UMASK documented in security(4). In addition to the options listed in the option section, the following options may also be passed to the module for session management.
bypass_nologin        With this option, pam_hpsec ignores the NOLOGIN setting in the /etc/default/security file.
bypass_limit_login    With this option, pam_hpsec ignores the NUMBER_OF_LOGINS_ALLOWED setting in the /etc/default/security file.
bypass_umask          With this option, pam_hpsec ignores the UMASK setting in the /etc/default/security file.
bypass_all            With this option, pam_hpsec enforces none of the optional security restrictions that this module would otherwise enforce.
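The following audit script is an added example, not part of the HP-UX reference or of any HP tool. It checks a pam.conf-style file against the two rules above: pam_hpsec at the top of each stack with at least one non-optional module below it, and no bypass_* options on session entries. The function names, the sample entries, and the assumptions that entries use the pam.conf(4) field order (service, module type, control flag, module path, options) and that the service names passed in match those used in the file are all assumptions of this example.

```python
from collections import defaultdict

# Session-only options from the man page that switch off security(4) restrictions.
BYPASS = {"bypass_nologin", "bypass_limit_login", "bypass_umask", "bypass_all"}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
login   auth    required libpam_hpsec.so.1 debug
login   auth    required libpam_unix.so.1
login   session required libpam_hpsec.so.1 bypass_umask
login   session required libpam_unix.so.1
ftp     auth    required libpam_unix.so.1
ftp     auth    required libpam_hpsec.so.1
dtlogin auth    required libpam_hpsec.so.1   # only an optional module below
dtlogin auth    optional libpam_krb5.so.1
"""

def parse(text):
    """Group entries by (service, module type), keeping file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4:  # service, type, control flag, module path, options
            stacks[(fields[0], fields[1])].append((fields[2], fields[3], fields[4:]))
    return stacks

def audit(text, services):
    """Return one finding string per problem in the stacks of `services`."""
    findings = []
    for (service, mtype), stack in parse(text).items():
        if service not in services:
            continue
        where = f"{service}/{mtype}"
        hpsec = ["pam_hpsec" in path for _, path, _ in stack]
        if not any(hpsec):
            findings.append(f"{where}: pam_hpsec missing")
        elif not hpsec[0]:
            findings.append(f"{where}: pam_hpsec is not first in the stack")
        elif not any(c != "optional" and not h for (c, _, _), h in zip(stack, hpsec)):
            findings.append(f"{where}: no non-optional module below pam_hpsec")
        if mtype == "session":
            for _, path, opts in stack:
                if "pam_hpsec" in path:
                    findings += [f"{where}: {o} set" for o in sorted(BYPASS & set(opts))]
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE, {"login", "ftp", "dtlogin"}):
        print(line)
```

Only stacks that the file defines for the listed services are examined; a service with no entries of its own is not reported.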
HP-UX 11i Version 2: September 2004, Hewlett-Packard Company