pam_hpsec(5) pam_hpsec(5)
NAME
pam_hpsec - extended authentication, account, password, and session
service module for HP-UX
SYNOPSIS
/usr/lib/security/$ISA/libpam_hpsec.so.1
DESCRIPTION
The pam_hpsec service module implements extensions specific to HP-UX
for authentication, account management, password management, and
session management.
The use of pam_hpsec is mandatory for services like login, dtlogin,
ftp, remsh/rexec and ssh. These services must stack this module at
the top of the stack, above one or more non-optional modules such as
pam_unix, pam_krb5, or pam_ldap. Application writers and system
administrators must consider whether it is appropriate to use
pam_hpsec for any given application. This module is specific to
HP-UX, and its functionality may vary significantly between releases.
For an interpretation of the module path, please refer to the related
information in pam.conf(4).
Options
The following options may be passed to the module for all the
components:
     debug     Logs debugging information through syslog(3C) at
               LOG_DEBUG.
     nowarn    Turns off warning messages.
     opaque    With this option, pam_hpsec returns PAM_SUCCESS upon
               success. Without this option, the module returns
               PAM_IGNORE upon success (which simplifies the PAM
               configuration).
Authentication Component
The hpsec authentication component provides management of credentials
specific to HP-UX. In the future, this component may also implement
HP-UX specific authentication restrictions in addition to credential
management.
Currently, this component initializes audit attributes for the
session.
Note that other common UNIX credentials such as uid, gid, and
supplemental group membership are not managed by any PAM module.
The application performing the authentication is expected to
grant these credentials itself, using calls such as setuid(2) and
initgroups(3C), and must do so after calling pam_open_session(3).
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: Sep 2004
Account Management Component
This component unconditionally succeeds.
Password Management Component
This component unconditionally succeeds.
Session Management Component
This component implements many miscellaneous restrictions such as
NOLOGIN, NUMBER_OF_LOGINS_ALLOWED, and UMASK documented in
security(4). In addition to the options listed in the option section,
the following options may also be passed to the module for session
management.
     bypass_nologin      With this option, pam_hpsec ignores the
                         NOLOGIN setting in the
                         /etc/default/security file.
     bypass_limit_login  With this option, pam_hpsec ignores the
                         NUMBER_OF_LOGINS_ALLOWED setting in the
                         /etc/default/security file.
     bypass_umask        With this option, pam_hpsec ignores the UMASK
                         setting in the /etc/default/security file.
     bypass_all          With this option, pam_hpsec enforces none of
                         the optional security restrictions that this
                         module would otherwise enforce.
EXAMPLES
The following is an example of stacking using the pam_hpsec module:
     login   session   required     pam_hpsec.so.1
     login   session   sufficient   pam_unix.so.1
     login   session   sufficient   pam_ldap.so.1
     login   session   sufficient   pam_krb5.so.1
The above rules state that session management for login requires at
least one of the UNIX, LDAP, and Kerberos PAM modules in addition to
hpsec.
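The stacking rules described above can be checked mechanically. The
following audit is an added example, not part of the HP-UX documentation
or HP's code; the sample pam.conf text is constructed, and the service
names passed to audit() are assumed to match the names used in the file
being checked.

```python
import os

BYPASS = {"bypass_nologin", "bypass_limit_login", "bypass_umask", "bypass_all"}

# Constructed sample in pam.conf(4) layout, not taken from a real system.
SAMPLE = """\
login   session required   pam_hpsec.so.1
login   session sufficient pam_unix.so.1
ftp     session required   pam_unix.so.1
ftp     session required   pam_hpsec.so.1 bypass_nologin bypass_umask
dtlogin session required   pam_hpsec.so.1
dtlogin session optional   pam_unix.so.1
"""

def parse(text):
    """Yield (service, type, control, module, options) per pam.conf entry."""
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()          # drop comments, split fields
        if len(f) >= 4:
            yield f[0], f[1], f[2], os.path.basename(f[3]), f[4:]

def audit(text, services):
    """Return (service, type, problem) tuples for the named services."""
    stacks = {}
    for svc, mtype, control, module, opts in parse(text):
        if svc in services:
            stacks.setdefault((svc, mtype), []).append((control, module, opts))
    findings = []
    for (svc, mtype), stack in stacks.items():
        is_hpsec = ["pam_hpsec" in module for _, module, _ in stack]
        # Rule 1: pam_hpsec must be the first entry of the stack.
        if not is_hpsec[0]:
            findings.append((svc, mtype, "pam_hpsec is not at the top of the stack"))
        # Rule 2: at least one other module must be non-optional.
        if not any(c != "optional" and not h
                   for (c, _, _), h in zip(stack, is_hpsec)):
            findings.append((svc, mtype, "no non-optional module below pam_hpsec"))
        # Rule 3: report bypass_* options that switch off security(4) limits.
        for (_, _, opts), h in zip(stack, is_hpsec):
            used = sorted(BYPASS.intersection(opts))
            if h and used:
                findings.append((svc, mtype, "bypass options set: " + ", ".join(used)))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, ["login", "ftp", "dtlogin"]):
        print(*finding, sep=": ")
```

Only stacks that are present in the file are examined; a service that
falls through to a default stack is not reported by this check.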
AUTHOR
pam_hpsec was developed by HP.
SEE ALSO
pam(3), pam_open_session(3), pam.conf(4), security(4).