HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

ManualsBrandsHP ManualsSoftwareHP-UX Reference Manuals

341

342

343

344

345

346

347

348

349

350

pam_hpsec(5) pam_hpsec(5)

NAME

pam_hpsec - extended authentication, account, password, and session service module for HP-UX

SYNOPSIS

/usr/lib/security/$ISA/libpam_hpsec.so.1

DESCRIPTION

The hpsec service module implements extensions speciﬁc to HP-UX for authentication, account manage-

ment, password management, and session management.

The use of pam_hpsec is recommended for all services, and is mandatory for some services such as

remsh/rexec and ssh. Application writers and system administrators

may decide that it is inappropriate to use

pam_hpsec for some speciﬁc applications. When the

pam_hpsec module is present on the stack, it must be on the top of the stack, above other modules such

as pam_unix, pam_krb5,orpam_ldap. This module is speciﬁc to HP-UX, and the functionality may

vary signiﬁcantly between releases.

For an interpretation of the module path, please refer to the related information in pam.conf(4).

Options

The following options may be passed to the

hpsec service module for all the components:

debug syslog(3C) debugging information at LOG_DEBUG.

nowarn Turns off warning messages.

opaque With this option, pam_hpsec returns PAM_SUCCESS upon success.

Without this option, the module returns PAM_IGNORE upon success (which

simpliﬁes the PAM conﬁguration).

Authentication Component

The hpsec authentication component provides management of credentials speciﬁc to HP-UX. In the

future, this component may also implement additional HP-UX speciﬁc authentication restrictions in addi-

tion to the credential management.

Currently, this component initializes audit attributes for the session. In addition to the options listed in the

Options section, the following options may also be passed to the module for authentication.

bypass_setaud With this option, pam_hpsec

does not initialize audit attributes for the ses-

sion. This option is supported solely to maintain su(1) backward compatible

behavior when

pam_hpsec is conﬁgured with su(1). It is recommended that

this option not be applied to other services.

bypass_all With this option, pam_hpsec ignores the restrictions or features that this

module would otherwise enforce.

Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not

managed by any PAM module. The application performing the authentication is expected to grant these

credentials (these credentials must be granted after calling pam_open_session(3)) using the setuid(2) and

initgroups(3C) types of calls.

Account Management Component

This component implements the

AUTH_MAXTRIES and LOGIN_TIMES restrictions described in secu-

rity(4). In addition to the options listed in the Options section, the following options may also be passed to

the module for account management.

bypass_maxtries With this option, pam_hpsec ignores the AUTH_MAXTRIES

restriction.

bypass_login_times With this option, pam_hpsec ignores the LOGIN_TIMES restriction.

bypass_all With this option, pam_hpsec ignores the restrictions or features that this

module would otherwise enforce.

Password Management Component

This component unconditionally succeeds.

350 Hewlett-Packard Company − 1 − HP-UX 11i Version 3: February 2007