HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

pam_authz(5) pam_authz(5)
NAME
pam_authz - PAM module that provides user authorization
SYNOPSIS
/usr/lib/security/$ISA/libpam_authz.so.1
DESCRIPTION
The pam_authz service module for PAM, /usr/lib/security/$ISA/libpam_authz.so.1, provides functionality which allows the administrator to control who can log in to the system based on netgroup information found in the /etc/passwd file or the access rules that are defined in the access policy file /etc/opt/ldapux/pam_authz.policy.
By default, pam_authz has been created to provide access control similar to the netgroup filtering feature that is performed by NIS. pam_authz is intended to be used when NIS is not used, such as when the pam_ldap or pam_kerberos authentication modules are used. Because pam_authz does not provide authentication, it does not verify if a user account exists.
pam_authz also broadens its ability to define host and service access management policy. pam_authz supports a local access policy file, which allows you to define access rules based on a variety of information. Allow or deny access rules can be defined based on LDAP X.500 style groups, regular POSIX groups, netgroups, LDAP filters and individual users. To activate this feature, create a pam_authz.policy file under /etc/opt/ldapux.
pam_authz provides an interface for all four PAM components: authentication, account management, session management and password management. However, only the account management component needs to be configured. The PAM components for session management and password management are NULL functions; these components always return [PAM_SUCCESS].
The libpam_authz.so.1 library is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.
Authentication and Account Management Modules
The pam_authz authentication component does not provide authentication. Instead, it provides authorization via pam_sm_acct_mgmt(). pam_authz is intended to be used as a supplementary module along with other authentication modules, where another module is used to verify user identities, while pam_authz is used to verify user access rights. pam_authz is intended to be used when the list of users that are allowed to gain access to a system is a subset of the users that are stored in a large repository (such as an LDAP directory server, or other database).
Because pam_authz provides authorization only, not authentication, it is highly recommended that pam_authz is set to required in the configuration file (see pam.conf(4)). Typically pam_authz is configured as the first module under the account management section of the /etc/pam.conf file.
However, for PAM applications that neglect to call the PAM account management procedure, pam_authz may also be configured as an authentication module. When pam_authz is configured as an authentication module, at least one other PAM module must be set to required to authenticate a user.
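The placement rule above (pam_authz set to required and listed first under the account management section) can be checked mechanically. The following script is an added example and is not part of this manual page or of the HP-UX product. The pam.conf text inside it is constructed: the module paths follow the /usr/lib/security/$ISA convention from the SYNOPSIS, and the libpam_unix and libpam_ldap lines are an assumption about a typical LDAP stack, not a copy of any system's file. The function check_authz_stack and its messages are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the HP-UX manual page. It checks the account
# management stack of one service in pam.conf text for the placement the
# page recommends: libpam_authz.so.1 present, control flag "required", and
# listed first under "account". pam.conf fields: service type control module.

# Constructed pam.conf text. Module paths follow the /usr/lib/security/$ISA
# convention from the SYNOPSIS; the libpam_unix and libpam_ldap lines are an
# assumption about a typical LDAP stack, not any real system's file.
GOOD_PAMCONF='# service  type     control    module
login      auth     required   /usr/lib/security/$ISA/libpam_unix.so.1
login      account  required   /usr/lib/security/$ISA/libpam_authz.so.1
login      account  required   /usr/lib/security/$ISA/libpam_ldap.so.1
login      session  required   /usr/lib/security/$ISA/libpam_unix.so.1'

# Weak variant (constructed): pam_authz is "optional" and listed after
# pam_ldap, so a deny from pam_authz does not fail the account stack.
WEAK_PAMCONF='login      account  required   /usr/lib/security/$ISA/libpam_ldap.so.1
login      account  optional   /usr/lib/security/$ISA/libpam_authz.so.1'

# check_authz_stack SERVICE PAMCONF_TEXT
# Prints "ok" and exits 0 when the first "account" line for SERVICE loads
# libpam_authz with control flag "required"; otherwise prints the problem
# found and exits 1.
check_authz_stack() {
    printf '%s\n' "$2" | awk -v svc="$1" '
        /^[ \t]*#/ || NF < 4 { next }            # skip comments and short lines
        $1 == svc && $2 == "account" {
            n++
            if (n == 1) first_mod = $4           # remember the first account module
            if ($4 ~ /libpam_authz\.so/) { seen = 1; ctl = $3 }
        }
        END {
            if (!seen) {
                print "missing: no libpam_authz account line for " svc; exit 1
            }
            if (ctl != "required") {
                print "weak: libpam_authz control flag is " ctl ", not required"; exit 1
            }
            if (first_mod !~ /libpam_authz\.so/) {
                print "order: libpam_authz is not the first account module"; exit 1
            }
            print "ok"
        }'
}

# Stand-alone usage: report on the constructed files. A non-zero exit is the
# finding itself, so "|| :" keeps the demonstration running.
check_authz_stack login "$GOOD_PAMCONF" || :
check_authz_stack login "$WEAK_PAMCONF" || :
check_authz_stack ftp   "$GOOD_PAMCONF" || :
```

Run against a real file with `check_authz_stack login "$(cat /etc/pam.conf)"`; the service name is the first field of the pam.conf line, and a service that is absent from the file is reported as "missing".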
Without the access policy file /etc/opt/ldapux/pam_authz.policy, pam_sm_acct_mgmt() uses netgroups (see netgroup(4)) and the /etc/passwd file to determine user access rights, using a syntax similar to the one defined by NIS. However, pam_authz does not support the password entry filtering syntax as defined by NIS, other than to determine whether a netgroup member should be granted (or denied) access based on whether the password field is blocked or not.
pam_authz scans the /etc/passwd file for the matching NIS style entry and returns grant or deny access based on the first rule that matches the account in question. For example, pam_authz will grant or deny access when the following entries are defined in the /etc/passwd file:
+                            Grants access to all the users in the database.
+@name                       Grants access to all members of the network group name.
+name                        Grants access to user name.
+@name:any_non_NULL_string   Denies access to all members of the network group name.
+name:*                      Denies access to user name.
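The first-match evaluation of these entries is easy to get wrong when a deny rule and a grant rule both apply to one account, so the following script works through it on constructed data. It is an added example, not code from this manual page or from the HP-UX product: the netgroup membership list and the passwd entries are constructed, the functions in_netgroup and authz_decide are this example's own names, and the default for an account that matches no rule (deny) is an assumption, since the page states only that the first matching rule decides.

```shell
#!/bin/sh
# Added example, not code from the HP-UX manual page. It reproduces the
# first-match evaluation of the NIS-style "+" entries: rules are scanned in
# file order and the first one that matches the account decides grant or
# deny. Real pam_authz reads /etc/passwd and the netgroup database; the data
# here is constructed.

# Constructed netgroup membership, one "netgroup user" pair per line. This
# stands in for the netgroup(4) database; host and domain fields are
# ignored for the example.
NETGROUPS='admins alice
admins bob
contractors carol
contractors dave'

# Constructed /etc/passwd entries in scan order. The ordinary root line
# shows that normal account lines are not rules. "+bob:*" comes before
# "+@admins", so bob is denied although he is a member of admins.
PASSWD_ENTRIES='root:x:0:3::/:/sbin/sh
+bob:*
+@contractors:NOLOGIN
+@admins
+erin
+'

# in_netgroup NETGROUP USER: exit 0 when USER is a member of NETGROUP.
in_netgroup() {
    printf '%s\n' "$NETGROUPS" |
        awk -v g="$1" -v u="$2" '$1 == g && $2 == u { found = 1 } END { exit found ? 0 : 1 }'
}

# authz_decide USER: print "grant" or "deny" for USER from PASSWD_ENTRIES.
# Assumption (the page states only first-match semantics): an account that
# matches no rule is denied.
authz_decide() {
    user=$1
    decision=deny
    while IFS= read -r entry; do
        case "$entry" in
            +)                       # "+" grants everyone
                decision=grant; break ;;
            +@*:?*)                  # "+@name:non-NULL" denies netgroup members
                ng=${entry#+@}; ng=${ng%%:*}
                if in_netgroup "$ng" "$user"; then decision=deny; break; fi ;;
            +@*)                     # "+@name" grants netgroup members
                ng=${entry#+@}
                if in_netgroup "$ng" "$user"; then decision=grant; break; fi ;;
            +*:\*)                   # "+name:*" denies the named user
                name=${entry#+}; name=${name%%:*}
                if [ "$name" = "$user" ]; then decision=deny; break; fi ;;
            +*)                      # "+name" grants the named user
                if [ "${entry#+}" = "$user" ]; then decision=grant; break; fi ;;
            *) ;;                    # ordinary passwd line: not a rule
        esac
    done <<EOF
$PASSWD_ENTRIES
EOF
    printf '%s\n' "$decision"
}

# Stand-alone usage: show the decision for each constructed account.
for u in alice bob carol erin frank; do
    printf '%-6s %s\n' "$u" "$(authz_decide "$u")"
done
```

The case patterns are ordered from most to least specific so that "+@name:string" is tested before "+@name" and "+name:*" before "+name"; reversing that order would turn every deny rule into a grant, which is the same ordering mistake an administrator can make in the passwd file itself.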
346 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007