HP-UX Reference (11i v2 07/12) - 5 Miscellaneous (vol 9)

pam_hpsec(5) pam_hpsec(5)
NAME
pam_hpsec - extended authentication, account, password, and session service module for HP-UX
SYNOPSIS
/usr/lib/security/$ISA/libpam_hpsec.so.1
DESCRIPTION
The hpsec service module implements extensions specific to HP-UX for authentication, account management, password management, and session management.
The use of pam_hpsec is mandatory for services like login, dtlogin, ftp, su, remsh/rexec and ssh. It is required that these services stack this module on the top of the stack above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application. This module is specific to HP-UX, and the functionality may vary significantly between releases.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
Options
The following options may be passed to the hpsec service module for all the components:
debug     syslog(3C) debugging information at LOG_DEBUG.
nowarn    Turns off warning messages.
opaque    With this option, pam_hpsec returns PAM_SUCCESS upon success. Without this option, the module returns PAM_IGNORE upon success (which simplifies the PAM configuration).
Authentication Component
The hpsec authentication component provides management of credentials specific to HP-UX. In the future, this component may also implement additional HP-UX specific authentication restrictions in addition to the credential management.
Currently, this component initializes audit attributes for the session. In addition to the options listed in the Options section, the following options may also be passed to the module for authentication.
bypass_setaud    With this option, pam_hpsec does not initialize audit attributes for the session. This option requires that the TrustedMigration product is installed. This option is supported solely to maintain su(1) backward compatible behavior when pam_hpsec is configured with su(1). It is recommended that this option not be applied to other services.
bypass_all       With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce. This option requires that the TrustedMigration product is installed.
Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not managed by any PAM module. The application performing the authentication is expected to grant these credentials (these credentials must be granted after calling pam_open_session(3)) using the setuid(2) and initgroups(3C) types of calls.
Account Management Component
If the TrustedMigration product is not installed, this component unconditionally succeeds. If the TrustedMigration product is installed, this component implements the AUTH_MAXTRIES and LOGIN_TIMES restrictions described in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for account management.
bypass_maxtries       With this option, pam_hpsec ignores the AUTH_MAXTRIES restriction. This option requires that the TrustedMigration product is installed.
bypass_login_times    With this option, pam_hpsec ignores the LOGIN_TIMES restriction. This option requires that the TrustedMigration product is installed.
bypass_all            With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce. This option requires that the TrustedMigration product is installed.
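
The following is an added example, not part of the HP-UX manual page: a POSIX shell check that reads a pam.conf(4) file and reports stacks where pam_hpsec is not the first entry, has no non-optional module below it, or carries a bypass_* option (bypass_setaud on su is accepted, as described above). The function names, result codes, sample entries, and the libpam_unix.so.1 path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit pam.conf stacks against the pam_hpsec placement rules.
# Usage: check_hpsec_stack <pam.conf path> <service> [<service> ...]
check_hpsec_stack() {
    conf=$1; shift
    awk -v services="$*" '
    BEGIN { n = split(services, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
    /^[ \t]*#/ || NF < 4 { next }            # skip comments and incomplete lines
    !($1 in want) { next }                   # only the services being audited
    {
        key = $1 " " $2                      # one stack per service + module type
        if (!(key in count)) order[++stacks] = key
        count[key]++
        hpsec = ($4 ~ /libpam_hpsec/)
        if (count[key] == 1) first[key] = hpsec
        else if (!hpsec && $3 != "optional") below[key] = 1
        if (hpsec) for (i = 5; i <= NF; i++) {
            if ($i == "bypass_setaud" && $1 == "su") continue  # documented su case
            if ($i ~ /^bypass_/) print key " BYPASS " $i
        }
    }
    END {
        for (j = 1; j <= stacks; j++) {
            key = order[j]
            if (!first[key]) print key " HPSEC_NOT_FIRST"
            else if (!below[key]) print key " NO_NONOPTIONAL_BELOW"
        }
    }' "$conf"
}

# Constructed sample input (not taken from a real system).
sample_pam_conf() {
    cat <<'EOF'
login  auth     required  /usr/lib/security/$ISA/libpam_hpsec.so.1
login  auth     required  /usr/lib/security/$ISA/libpam_unix.so.1
su     auth     required  /usr/lib/security/$ISA/libpam_hpsec.so.1 bypass_setaud
su     auth     required  /usr/lib/security/$ISA/libpam_unix.so.1
ftp    auth     required  /usr/lib/security/$ISA/libpam_unix.so.1
ftp    auth     required  /usr/lib/security/$ISA/libpam_hpsec.so.1
ftp    account  required  /usr/lib/security/$ISA/libpam_hpsec.so.1 bypass_all
ftp    account  optional  /usr/lib/security/$ISA/libpam_unix.so.1
EOF
}

# Demo on the constructed sample; on a real system pass /etc/pam.conf instead.
sample_pam_conf > /tmp/pam.conf.sample.$$
check_hpsec_stack /tmp/pam.conf.sample.$$ login su ftp
rm -f /tmp/pam.conf.sample.$$
```

Pass the service names exactly as they appear in the first column of the pam.conf file being audited; an empty result means no finding for those services.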
HP-UX 11i Version 2: December 2007 Update 1 Hewlett-Packard Company