pam_hpsec(5)

HP-UX 11i Version 2: December 2007 Update

NAME

pam_hpsec — extended authentication, account, password, and session service module for HP-UX

SYNOPSIS

/usr/lib/security/$ISA/libpam_hpsec.so.1

DESCRIPTION

The hpsec service module implements extensions specific to HP-UX for authentication, account management, password management, and session management.

The use of pam_hpsec is mandatory for services such as login, dtlogin, ftp, su, remsh/rexec, and ssh. These services must stack this module at the top of the stack, above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application. This module is specific to HP-UX, and its functionality may vary significantly between releases.

For an interpretation of the module path, please refer to the related information in pam.conf(4).

Options

The following options may be passed to the hpsec service module for all the components:

debug

syslog(3C) debugging information at LOG_DEBUG.

nowarn

Turns off warning messages.

opaque

With this option, pam_hpsec returns PAM_SUCCESS upon success. Without this option, the module returns PAM_IGNORE upon success, so the result of the stack is decided by the other modules in it (which simplifies the PAM configuration).

Authentication Component

The hpsec authentication component provides management of credentials specific to HP-UX. In the future, this component may also implement additional HP-UX specific authentication restrictions in addition to the credential management.

Currently, this component initializes audit attributes for the session. In addition to the options listed in the Options section, the following options may also be passed to the module for authentication.

bypass_setaud

With this option, pam_hpsec does not initialize audit attributes for the session. This option requires that the TrustedMigration product is installed. It is supported solely to maintain the backward-compatible behavior of su(1) when pam_hpsec is configured for su(1); it is recommended that this option not be applied to other services.

bypass_all

With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce. This option requires that the TrustedMigration product is installed.

Note that other common UNIX credentials such as uid, gid, and supplemental group membership are not managed by any PAM module. The application performing the authentication is expected to grant these credentials (after calling pam_open_session(3)) using calls such as setuid(2) and initgroups(3C).

Account Management Component

If the TrustedMigration product is not installed, this component unconditionally succeeds. If the TrustedMigration product is installed, this component implements the AUTH_MAXTRIES and LOGIN_TIMES restrictions described in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for account management.

bypass_maxtries

With this option, pam_hpsec ignores the AUTH_MAXTRIES restriction. This option requires that the TrustedMigration product is installed.

bypass_login_times

With this option, pam_hpsec ignores the LOGIN_TIMES restriction. This option requires that the TrustedMigration product is installed.

bypass_all

With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce. This option requires that the TrustedMigration product is installed.

Password Management Component

This component unconditionally succeeds.

Session Management Component

This component implements miscellaneous restrictions such as NOLOGIN, NUMBER_OF_LOGINS_ALLOWED, and UMASK, documented in security(4). If the TrustedMigration product is installed, this component also implements the DISPLAY_LAST_LOGIN feature described in security(4). In addition to the options listed in the Options section, the following options may also be passed to the module for session management.

bypass_nologin

With this option, pam_hpsec ignores the NOLOGIN setting.

bypass_limit_login

With this option, pam_hpsec ignores the NUMBER_OF_LOGINS_ALLOWED setting.

bypass_umask

With this option, pam_hpsec ignores the UMASK setting.

bypass_last_login

With this option, pam_hpsec ignores the DISPLAY_LAST_LOGIN setting. This option requires that the TrustedMigration product is installed.

bypass_all

With this option, pam_hpsec ignores the restrictions or features that this module would otherwise enforce.

EXAMPLES

The following is an example of stacking using the pam_hpsec module:

     login   session   required     pam_hpsec.so.1
     login   session   sufficient   pam_unix.so.1
     login   session   sufficient   pam_ldap.so.1
     login   session   sufficient   pam_krb5.so.1

The above rules state that login's session management requires pam_hpsec and at least one of the UNIX, LDAP, and Kerberos PAM modules to succeed. Because pam_hpsec is stacked first with the required control flag and the others are sufficient, the HP-UX restrictions are evaluated before any of the three backends can short-circuit the stack.
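The stacking rules stated in the DESCRIPTION (pam_hpsec at the top of the stack, above at least one non-optional module, for login, dtlogin, ftp, su, remsh/rexec, and ssh) are easy to get wrong when pam.conf(4) is edited by hand. The following POSIX shell script is an added example, not part of the HP-UX documentation or product: it parses a constructed pam.conf-style sample with awk and reports, per service and module type, a missing pam_hpsec entry, a pam_hpsec entry that is not first, a stack with no required/requisite/sufficient module beneath pam_hpsec, and any use of bypass_all. The sample entries, the service list, and the function name audit_pam_hpsec are assumptions chosen for the demonstration.

```shell
#!/bin/sh
# Added example (not from the pam_hpsec(5) page): audit a pam.conf(4)-style
# file against the pam_hpsec stacking rules the page states.

# Services the page says must stack pam_hpsec at the top (assumed list).
HPSEC_SERVICES="login dtlogin ftp su remsh rexec ssh"

# Constructed sample configuration with both correct and incorrect stacks.
SAMPLE_PAM_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_PAM_CONF"' EXIT
cat >"$SAMPLE_PAM_CONF" <<'EOF'
# service  type     control     module                                   options
login      session  required    /usr/lib/security/$ISA/libpam_hpsec.so.1
login      session  sufficient  /usr/lib/security/$ISA/libpam_unix.so.1
login      session  sufficient  /usr/lib/security/$ISA/libpam_krb5.so.1
su         auth     required    /usr/lib/security/$ISA/libpam_hpsec.so.1 bypass_setaud
su         auth     required    /usr/lib/security/$ISA/libpam_unix.so.1
ssh        account  required    /usr/lib/security/$ISA/libpam_unix.so.1
ssh        account  required    /usr/lib/security/$ISA/libpam_hpsec.so.1
ftp        session  required    /usr/lib/security/$ISA/libpam_hpsec.so.1 bypass_all
ftp        session  optional    /usr/lib/security/$ISA/libpam_unix.so.1
EOF

# audit_pam_hpsec FILE: print one finding per line for each (service, type)
# stack of a listed service; exit 0 when clean, 1 when any finding exists.
audit_pam_hpsec() {
    awk -v svcs="$HPSEC_SERVICES" '
    BEGIN { n = split(svcs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        svc = $1; type = $2; ctl = $3; mod = $4
        key = svc SUBSEP type
        if (!(key in first)) { first[key] = mod; order[++cnt] = key }
        if (mod ~ /libpam_hpsec\.so/) {
            has_hpsec[key] = 1
            for (i = 5; i <= NF; i++) if ($i == "bypass_all") bypass_all[key] = 1
        } else if (ctl == "required" || ctl == "requisite" || ctl == "sufficient") {
            nonopt[key]++                   # a non-optional module below hpsec
        }
    }
    END {
        rc = 0
        for (i = 1; i <= cnt; i++) {
            key = order[i]; split(key, p, SUBSEP); svc = p[1]; type = p[2]
            if (!(svc in want)) continue
            if (!(key in has_hpsec)) {
                print svc, type ": pam_hpsec missing"; rc = 1
            } else if (first[key] !~ /libpam_hpsec\.so/) {
                print svc, type ": pam_hpsec not at top of stack"; rc = 1
            }
            if (!(key in nonopt)) {
                print svc, type ": no non-optional module below pam_hpsec"; rc = 1
            }
            if (key in bypass_all) {
                print svc, type ": bypass_all disables every pam_hpsec restriction"; rc = 1
            }
        }
        exit rc
    }' "$1"
}

# Stand-alone run: list the problems in the constructed sample.
if audit_pam_hpsec "$SAMPLE_PAM_CONF"; then
    echo "pam_hpsec stacking looks consistent"
else
    echo "pam_hpsec stacking problems found (see above)"
fi
```

On the sample, the login and su stacks pass, the ssh account stack is flagged because pam_unix precedes pam_hpsec, and the ftp session stack is flagged twice: once for bypass_all and once because its only other module is optional. Point the function at a real /etc/pam.conf to run the same check on a system; services not in HPSEC_SERVICES are ignored.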

AUTHOR

pam_hpsec was developed by HP.