pam_unix(5) pam_unix(5)
NAME
pam_unix - authentication, account, session, and password management
PAM modules for UNIX
SYNOPSIS
/usr/lib/security/$ISA/libpam_unix.so.1
DESCRIPTION
The UNIX service module for PAM,
/usr/lib/security/$ISA/libpam_unix.so.1, provides functionality for
all four PAM module types: authentication, account management, session
management and password management.
The libpam_unix.so.1 module is a shared object that can be dynamically
loaded to provide the necessary functionality upon demand.
For an interpretation of the module path, please refer to the related
information in pam.conf(4).
Unix Authentication Module
The UNIX authentication component provides functions to verify the
identity of a user (pam_sm_authenticate()) and to set user-specific
credentials (pam_sm_setcred()).
pam_sm_authenticate() compares the user-entered password (or the
password retrieved from the user's smart card) with the user's entry in
the UNIX password database, including the protected password database
on trusted systems. If the passwords match, the user is authenticated.
If the user also has secure RPC credentials and the secure RPC
password is the same as the UNIX password, the secure RPC
credentials are obtained as well.
The following options may be passed to the UNIX service module:
debug           Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn          Turn off warning messages.
use_first_pass  Compares the password in the password database with the
                password the user entered for the first authentication
                module in the stack. If the passwords do not match, or no
                password has been entered, the module returns failure and
                does not prompt the user for a password. This option
                should only be used if the authentication service is
                designated as optional in the pam.conf configuration
                file.
try_first_pass  Compares the password in the password database with the
                password the user entered for the first authentication
                module in the stack. If the passwords do not match, or no
                password has been entered, the module prompts the user
                for a password.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: Sep 2004
use_psd         psd stands for personal security device; in the current
                implementation the only such device is the smart card.
                The module compares the password in the password database
                with the password stored on the user's smart card. With
                this option the PAM framework prompt "Enter PIN:" is used
                instead of the password prompt. This option is only
                supported for the authentication and password module
                types (auth, password) in the pam.conf or pam_user.conf
                configuration files.
When prompting for the current password, the UNIX authentication
module uses the prompt "Password:" unless one of the following
scenarios occurs:
1. The option try_first_pass is specified and the password
entered for the first module in the stack fails for the UNIX
module.
2. The option try_first_pass is not specified, and the earlier
authentication modules listed in the pam.conf file have
prompted the user for the password.
3. The option use_psd is specified. In this case, the UNIX
authentication module will use the prompt "Enter PIN:".
In cases 1 and 2, the UNIX authentication module uses the prompt
"System Password:".
The pam_sm_setcred() function sets user-specific credentials. If the
user has secure RPC credentials but the secure RPC password is not
the same as the UNIX password, a warning message is printed; the
secure RPC credentials are not obtained. If the user wants secure RPC
credentials in that case, keylogin(1) must be run.
Unix Account Management Module
The UNIX account management component provides a function to perform
account management (pam_sm_acct_mgmt()). The function retrieves the
user's password entry from the UNIX password database and verifies
that the user's account and password have not expired. For trusted
systems, this module also validates the allowed access time and access
terminal based upon the security configuration. The following options
may be passed in to the UNIX service module:
debug           Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn          Turn off warning messages.
Unix Session Management Module
The UNIX session management component provides functions to initiate
(pam_sm_open_session()) and terminate (pam_sm_close_session()) UNIX
sessions. On trusted systems, pam_sm_open_session() records the time
of the last successful or unsuccessful login in the protected password
database. The account management module reads this information to
display the time of the user's previous login.
pam_sm_open_session() also modifies the umask of the caller to add the
restrictions specified in /etc/default/security. On trusted systems,
the umask is further restricted so as not to exceed SEC_DEFAULT_MODE
as defined in /usr/include/hpsecurity.h. Refer to the UMASK entry in
security(4).
The following options may be passed in to the UNIX service module:
debug           Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn          Turn off warning messages.
pam_sm_close_session() is a null function; it performs no action.
Unix Password Management Module
The UNIX password management component provides a function to change
passwords (pam_sm_chauthtok()) in the UNIX password database. This
module must be designated required in pam.conf; it cannot be optional
or sufficient. The following options may be passed to the UNIX
service module:
debug           Log debugging information via syslog(3C) at LOG_DEBUG level.
nowarn          Turn off warning messages.
use_first_pass  Compares the password in the password database with the
                old password the user entered for the first password
                module in the stack. If the passwords do not match, or no
                password has been entered, the module returns failure and
                does not prompt the user for the old password. It also
                attempts to use the new password entered for the first
                password module in the stack as the new password for this
                module. If the new password is rejected, the module
                returns failure and does not prompt the user for a new
                password.
try_first_pass  Compares the password in the password database with the
                old password the user entered for the first password
                module in the stack. If the passwords do not match, or no
                password has been entered, the module prompts the user
                for the old password. It also attempts to use the new
                password entered for the first password module in the
                stack as the new password for this module. If the new
                password is rejected, the module prompts the user for a
                new password.
use_psd         Prompts the user for the PIN (with the PIN, the PAM
                framework can retrieve a password from the smart card)
                and retrieves the old password from the smart card. The
                module compares the password in the password database
                with this old password; if they match, it prompts the
                user for a new password.
If the user's password has expired, the UNIX account module saves this
information in the authentication handle using pam_set_data(). The
UNIX password module retrieves this information from the
authentication handle using pam_get_data() to determine whether or not
to force the user to update their password.
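The option and control-flag rules stated above (use_first_pass, try_first_pass and use_psd for the auth type; the password entry for libpam_unix having to be required rather than optional or sufficient; use_psd being valid only for the auth and password types) are easy to get wrong in a hand-edited pam.conf, and a mistake such as use_first_pass on the first auth module locks every user out of that service. The following checker is an added example for this page, not HP-UX code: it parses the pam.conf line format described in pam.conf(4) (service, module type, control flag, module path, options) and reports entries that violate the constraints this page lists. The SAMPLE configuration and the libpam_example.so.1 module in it are constructed for the example and are not real HP-UX components.

```python
"""pam_conf_lint.py: check an HP-UX style pam.conf against the constraints
this man page states for libpam_unix.so.1.

Added illustration for this page, not HP-UX code.  The pam.conf line
format assumed here is the one described in pam.conf(4):
    service  module_type  control_flag  module_path  [options...]
The SAMPLE configuration and the libpam_example.so.1 module are
constructed for the example and are not real HP-UX components."""
from collections import defaultdict

UNIX_MODULE = "libpam_unix.so.1"
CONTROL_FLAGS = {"required", "optional", "sufficient"}  # flags the page names

# Options this page lists for each libpam_unix module type.
ALLOWED_OPTIONS = {
    "auth":     {"debug", "nowarn", "use_first_pass", "try_first_pass", "use_psd"},
    "account":  {"debug", "nowarn"},
    "session":  {"debug", "nowarn"},
    "password": {"debug", "nowarn", "use_first_pass", "try_first_pass", "use_psd"},
}


def parse_pam_conf(text):
    """Return a list of (lineno, service, mtype, flag, path, options) tuples.

    Blank lines and lines starting with '#' are skipped; a line with fewer
    than four fields is a syntax error."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: expected at least 4 fields: {raw!r}")
        service, mtype, flag, path, *options = fields
        entries.append((lineno, service, mtype, flag, path, options))
    return entries


def lint(text):
    """Return a list of (lineno, message) findings for libpam_unix entries."""
    findings = []
    stack_depth = defaultdict(int)  # entries seen so far per (service, mtype)
    for lineno, service, mtype, flag, path, options in parse_pam_conf(text):
        position = stack_depth[(service, mtype)]
        stack_depth[(service, mtype)] += 1
        if mtype not in ALLOWED_OPTIONS:
            findings.append((lineno, f"unknown module type {mtype!r}"))
            continue
        if flag not in CONTROL_FLAGS:
            findings.append((lineno, f"unknown control flag {flag!r}"))
        if not path.endswith(UNIX_MODULE):
            continue  # the remaining rules are specific to libpam_unix
        for opt in options:
            if opt not in ALLOWED_OPTIONS[mtype]:
                findings.append((lineno, f"{opt!r} is not a libpam_unix option for type {mtype!r}"))
        if mtype == "password" and flag != "required":
            # The password module must be required, never optional or sufficient.
            findings.append((lineno, "libpam_unix password entry must be 'required'"))
        if mtype == "auth" and "use_first_pass" in options:
            if position == 0:
                # No earlier module has collected a password, so use_first_pass
                # quits without prompting: every login through this stack fails.
                findings.append((lineno, "use_first_pass on the first auth module: no password to reuse"))
            if flag != "optional":
                findings.append((lineno, "use_first_pass should only be used on an 'optional' auth entry"))
    return findings


SAMPLE = """\
# constructed sample pam.conf; libpam_example.so.1 is a hypothetical first module
login   auth     optional   /usr/lib/security/$ISA/libpam_example.so.1
login   auth     required   /usr/lib/security/$ISA/libpam_unix.so.1  try_first_pass
login   account  required   /usr/lib/security/$ISA/libpam_unix.so.1
login   session  required   /usr/lib/security/$ISA/libpam_unix.so.1  nowarn
passwd  password sufficient /usr/lib/security/$ISA/libpam_unix.so.1  try_first_pass
telnet  auth     required   /usr/lib/security/$ISA/libpam_unix.so.1  use_first_pass
sshd    account  required   /usr/lib/security/$ISA/libpam_unix.so.1  use_psd
"""

if __name__ == "__main__":
    for lineno, message in lint(SAMPLE):
        print(f"SAMPLE line {lineno}: {message}")
```

Run against SAMPLE, the checker accepts the login stacks (an optional first module followed by libpam_unix with try_first_pass, as the prompt rules above describe) and flags the other three services: the sufficient password entry, the telnet auth entry that uses use_first_pass as the first and only module, and use_psd on an account entry. The lint is deliberately restricted to what this page states; it does not know the option sets of other modules and ignores their entries.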
APPLICATION USAGE
On trusted systems, the pam_sm_*() interfaces implemented in the UNIX
service module, libpam_unix, are not thread-safe. They are also not
thread-safe if the database for passwd or publickey specified in the
name-service switch configuration file, /etc/nsswitch.conf, is
nisplus. Otherwise, they are thread-safe. A cancellation point may
occur while a thread is executing any of these interfaces. They are
not cancel-safe, async-cancel-safe, or async-signal-safe.
SEE ALSO
keylogin(1), pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C),
nsswitch.conf(4), pam.conf(4), pam_user.conf(4).