Manualshelf

HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals
291292293294295296297298299300
p
pam.conf(4) pam.conf(4)
/usr/lib/security/
and /usr/lib/security/pa20_64
Example:
/usr/lib/security/libpam_unix.so.1 -> ./libpam_unix.1
If a user-
defined module is specified in
/etc/pam.conf or /etc/pam_user.conf
, the above
convention must be followed to create symbolic links pointing to PA-RISC modules. To help
reduce the impact of any future
/etc/pam.conf
file format changes, the only supported
way of parsing
/etc/pam.conf
is through the PAM library interfaces. These interfaces
will transparently do any necessary expansion of reserved tokens, such as
$ISA.
options The options field is used by the PAM framework layer to pass module-specific options to the
modules. It is up to the module to parse and interpret the options. This field can be used
by the modules to turn on debugging or to pass any module specific parameters such as a
TIMEOUT value. It can also be used to support unified login. The options supported by the
modules are documented in their respective manual pages. For example, pam_unix(5) lists
the options accepted by the UNIX module.
Integrating Multiple Authentication Services With Stacking
When a service_name of the same module_type is defined more than once, the service is said to be stacked.
Each module referenced in the module_path for that service is then processed in the order that it occurs in
the configuration file. The control_flag field specifies the continuation and failure semantics of the modules,
and may contain one of the following values:
optional If the service module returns success, record the success and continue to process the PAM
stack. If a failure is returned, and it is the first optional module failure, save the failure
code as an optional failure. Continue to process the PAM stack.
required If the service module returns success, record the success and continue to process the PAM
stack. If a failure is returned, and it is the first required failure, save the failure code as a
required failure. Continue to process the PAM stack.
requisite If the service module returns success, record the success and continue to process the PAM
stack. If a failure is returned, immediately return the first non-optional failure value
recorded, without calling any subsequent modules. In other words, record this failure,
unless a previous required service module failed. If a previous required service module
failed, return the first of those values.
sufficient If the service module returns success and no preceding required modules returned failures,
immediately return success without calling any subsequent modules. If a failure is
returned, treat the failure as an optional module failure, and continue to process the PAM
stack.
If no requisite module fails and no sufficient module succeeds, the PAM stack runs to completion.
In this case success is returned, providing no required module failed and at least one required
,
requisite,oroptional module succeeded. If no module succeeded and a required module failed,
the first of those errors is returned.
If all modules return PAM_IGNORE , a default error based on module type is returned.
If any entry in /etc/pam.conf
is incorrect, or if a module does not exist or cannot be opened, then all
PAM services fail and users are not be permitted access to the system. An error will be logged through
syslog(3C) at the
LOG_CRIT level, and the PAM framework returns PAM_OPEN_ERR error to the appli-
cation.
Below is a sample configuration file that stacks the login, and dtlogin services.
login auth required libpam_hpsec.so.1 debug
login auth required libpam_unix.so.1 debug
login auth optional libpam_inhouse.so.1
dtlogin auth required libpam_hpsec.so.1 debug
dtlogin auth sufficient libpam_unix.so.1 debug
dtlogin auth required libpam_inhouse.so.1
In the case of login, the user is authenticated by the hpsec, the UNIX, and inhouse authentication
modules. The required keyword for control_flag requires that the user be allowed to login only if the
user is authenticated by the hpsec and the UNIX service modules. The inhouse authentication is optional
by virtue of the optional keyword in the control_flag field. The user can still log in even if inhouse
authentication fails, as long as hpsec and UNIX both successfully authenticate the user.
HP-UX 11i Version 3: February 2007 2 Hewlett-Packard Company 297