HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)
pam.conf(4) pam.conf(4)
NAME
pam.conf - configuration file for pluggable authentication modules
SYNOPSIS
/etc/pam.conf
DESCRIPTION
/etc/pam.conf is the configuration file for the Pluggable Authentication Module architecture, or PAM.
A PAM module provides functionality for one or more of four possible services: authentication, account
management, session management, and password management.
An authentication service module provides functionality to authenticate a user and set up user credentials.
An account management module provides functionality to determine if the current user’s account is valid.
This includes checking for password and account expiration, as well as verifying access hour restrictions. A
session management module provides functionality to set up and terminate login sessions. A password
management module provides functionality to change a user’s authentication token or password.
Simplified pam.conf configuration file
The /etc/pam.conf file contains a listing of services. Each service is paired with a corresponding
service module. When a service is requested, its associated module is invoked. Each entry has the
following format:
service_name module_type control_flag module_path options
Below is an example of the /etc/pam.conf configuration file with support for authentication, account
management, session management and password management modules. Note that the use of pam_hpsec
is mandatory for some of the services. For more information, see pam_hpsec(5).
    login    auth      required  libpam_hpsec.so.1 debug
    login    auth      required  libpam_unix.so.1 debug
    login    session   required  libpam_hpsec.so.1
    login    session   required  libpam_unix.so.1
    login    account   required  libpam_hpsec.so.1
    login    account   required  libpam_unix.so.1
    dtlogin  auth      required  libpam_hpsec.so.1
    dtlogin  auth      required  libpam_unix.so.1
    dtlogin  session   required  libpam_hpsec.so.1
    dtlogin  session   required  libpam_unix.so.1
    other    auth      required  libpam_hpsec.so.1
    other    auth      required  libpam_unix.so.1
    other    account   required  libpam_hpsec.so.1
    other    account   required  libpam_unix.so.1
    other    session   required  libpam_hpsec.so.1
    other    session   required  libpam_unix.so.1
    other    password  required  libpam_hpsec.so.1
    other    password  required  libpam_unix.so.1
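The following parser is an added example for auditing a file in this format; it is not HP-UX code and not part of the original page. It reports which modules a service actually runs for a given module_type, applying the other fallback and the $ISA path rule from the field descriptions on this page. The architecture labels (ia64_32, pa_32, ia64_64, pa_64), the reading of "null" as an empty path component, the skipping of lines that start with #, and the sample input are assumptions made for the example.

```python
import posixpath

MODULE_TYPES = {"auth", "account", "session", "password"}  # types named on this page
# $ISA values from this page; the dictionary keys are hypothetical labels.
ISA_DIRS = {"ia64_32": "hpux32", "pa_32": "", "ia64_64": "hpux64", "pa_64": "pa20_64"}

# Constructed sample: a subset of the page's example plus one malformed entry.
SAMPLE = """\
# constructed sample
login   auth     required libpam_hpsec.so.1 debug
login   auth     required libpam_unix.so.1 debug
login   session  required libpam_hpsec.so.1
other   auth     required libpam_hpsec.so.1
other   password required libpam_hpsec.so.1
other   password required /usr/lib/security/$ISA/libpam_unix.so.1
login   bogus    required libpam_unix.so.1
"""

def parse(text):
    """Return (stacks, errors); stacks maps (service, module_type) to ordered entries."""
    stacks, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment line
            continue
        f = line.split()
        if len(f) < 4 or f[1] not in MODULE_TYPES:
            errors.append(n)  # too few fields or unknown module_type
            continue
        stacks.setdefault((f[0], f[1]), []).append(
            {"control_flag": f[2], "module_path": f[3], "options": f[4:]})
    return stacks, errors

def resolve(module_path, arch):
    """Expand $ISA and anchor non-absolute paths under /usr/lib/security/$ISA/."""
    if not module_path.startswith("/"):
        module_path = "/usr/lib/security/$ISA/" + module_path
    return posixpath.normpath(module_path.replace("$ISA", ISA_DIRS[arch]))

def effective_stack(stacks, service, module_type, arch):
    """Modules a service runs for one module_type, falling back to 'other'."""
    entries = stacks.get((service, module_type)) or stacks.get(("other", module_type), [])
    return [resolve(e["module_path"], arch) for e in entries]
```

An empty list from effective_stack means neither the service nor other defines that module_type, which is worth reviewing in an audit.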
service_name The service_name denotes the service (for example, login, or dtlogin). The keyword
other indicates the module that all other applications which have not been specified should
use. The other keyword can also be used if all services of the same module_type have the
same requirements. In the example above, since all of the services use the same account
management module, they could have been replaced by a single other line.
module_type module_type denotes the service module type: authentication (auth), account management
(account), session management (session), or password management (password).
control_flag The control_flag field determines the behavior of stacking, and will be discussed in more
detail below.
module_path The module_path field specifies the pathname to a shared library object which implements
the service functionality. If the pathname is not absolute, it is assumed to be relative to
/usr/lib/security/$ISA/. The $ISA (i.e., Instruction Set Architecture) token is
replaced by the PAM engine (libpam) with hpux32 for Itanium-based 32-bit modules, with
null for PA-RISC 32-bit modules, with hpux64 for Itanium-based 64-bit modules, or with
pa20_64 for PA-RISC 64-bit modules. To accommodate backward compatibility to PA-RISC
library naming convention, appropriate links are provided in
296 Hewlett-Packard Company − 1 − HP-UX 11i Version 3: February 2007