HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

pam_unix(5)
NAME
pam_unix - authentication, account, session, and password management PAM modules for UNIX
SYNOPSIS
/usr/lib/security/$ISA/libpam_unix.so.1
DESCRIPTION
The UNIX service module for PAM, /usr/lib/security/$ISA/libpam_unix.so.1, provides functionality for all four PAM module types: authentication, account management, session management and password management.
The libpam_unix.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand.
For an interpretation of the module path, please refer to the related information in pam.conf(4).
UNIX Authentication Module
The UNIX authentication component provides functions to verify the identity of a user (pam_sm_authenticate()) and to set user specific credentials (pam_sm_setcred()).
pam_sm_authenticate() compares the user entered password (or the password retrieved from the user's smart card) with the password from the UNIX password database, including the protected password database for trusted systems. If the passwords match, the user is authenticated. If the user also has secure RPC credentials and the secure RPC password is the same as the UNIX password, then the secure RPC credentials are also obtained.
The following options may be passed to the UNIX service module:
debug          syslog(3C) debugging information at LOG_DEBUG level.
nowarn         Turn off warning messages.
use_first_pass Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, quit and do not prompt the user for a password. This option should only be used if the authentication service is designated as optional in the pam.conf configuration file.
try_first_pass Compares the password in the password database with the user's initial password (entered when the user authenticated to the first authentication module in the stack). If the passwords do not match, or if no password has been entered, prompt the user for a password.
use_psd        psd stands for personal security device; in the current implementation there is only one security device, the smart card. Compares the password in the password database with the password stored on the user's smart card. With this option the PAM Framework prompt "Enter PIN:" is used instead of the password prompt. This option is only supported with the authentication or password module types (auth, password) in the pam.conf or pam_user.conf configuration files.
When prompting for the current password, the UNIX authentication module will use the prompt "Password:" unless one of the following scenarios occurs:
1. The option try_first_pass is specified and the password entered for the first module in the stack fails for the UNIX module.
2. The option try_first_pass is not specified, and the earlier authentication modules listed in the pam.conf file have prompted the user for the password.
3. The option use_psd is specified. In this case, the UNIX authentication module will use the prompt "Enter PIN:".
In cases 1 and 2, the UNIX authentication module will use the prompt "System Password:".
The pam_sm_setcred() function sets user specific credentials. If the user had secure RPC credentials, but the secure RPC password was not the same as the UNIX password, then a warning message is printed. If the user wants to get secure RPC credentials, then keylogin(1) needs to be run.
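The following is an added illustration, not HP's module code: a small Python model of the authentication decisions this page describes (use_first_pass, try_first_pass, use_psd, nowarn, the prompt text chosen in cases 1 to 3, and the secure RPC credential outcome), run against constructed in-memory stores in place of the real password database, secure RPC keys and smart card. The store contents, the ask() callback and the pam_unix_auth() name are assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample stores (plaintext, for the model only).
PASSWD_DB: Dict[str, str] = {"alice": "s3cret", "carol": "pw1"}
SECURE_RPC_DB: Dict[str, str] = {"alice": "other-pw", "carol": "pw1"}  # users holding RPC creds
SMART_CARDS: Dict[str, Dict[str, str]] = {"alice": {"pin": "1234", "password": "s3cret"}}

@dataclass
class Result:
    success: bool
    prompt: Optional[str] = None      # prompt text shown; None if the user was never prompted
    rpc_creds: bool = False           # secure RPC credentials obtained
    warnings: List[str] = field(default_factory=list)

def pam_unix_auth(user: str, options: List[str], ask: Callable[[str], str],
                  first_pass: Optional[str] = None,
                  earlier_prompted: bool = False) -> Result:
    """Model of pam_sm_authenticate(): first_pass is the password entered for the
    first module in the stack; earlier_prompted means earlier pam.conf modules
    already prompted the user (case 2). ask(prompt) returns the user's reply."""
    res = Result(success=False)
    stored = PASSWD_DB.get(user)
    if "use_psd" in options:
        # Case 3: the framework asks for a PIN; the card releases its password.
        res.prompt = "Enter PIN:"
        card = SMART_CARDS.get(user, {})
        candidate = card.get("password") if ask(res.prompt) == card.get("pin") else None
    elif "use_first_pass" in options:
        # Reuse the first module's password and never prompt; None means no password entered.
        candidate = first_pass
    elif "try_first_pass" in options and first_pass == stored:
        candidate = first_pass            # first password matched, no prompt needed
    else:
        # Case 1 (try_first_pass failed) or case 2 (earlier modules prompted)
        # switches the prompt from "Password:" to "System Password:".
        res.prompt = "System Password:" if ("try_first_pass" in options or earlier_prompted) else "Password:"
        candidate = ask(res.prompt)
    res.success = stored is not None and candidate is not None and candidate == stored
    if res.success and user in SECURE_RPC_DB:
        if SECURE_RPC_DB[user] == stored:
            res.rpc_creds = True          # same password: RPC credentials obtained too
        elif "nowarn" not in options:
            res.warnings.append("secure RPC password differs; run keylogin(1)")
    return res
```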
354 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007