https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039763#M737992 According to man pam_hpsec, you must use this module at the top of all the modules.<BR /><BR />The use of pam_hpsec is mandatory for services like login, dtlogin, ftp, remsh/rexec and ssh. It is required that these services stack this module on the top of the stack above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application. Wed, 18 Jul 2007 18:14:34 GMT Ivan Ferreira 2007-07-18T18:14:34Z https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039761#M737990 Hello,<BR /><BR />I have developed custom PAM module and my pam.conf looks like:<BR />login auth sufficient pam_inhouse.so<BR />login auth required libpam_hpsec.so.1<BR />login auth required libpam_unix.so.1 try_first_pass<BR />(I am using the same for account, session and password stacks)<BR />Though the login is successful with the custom id(pam_inhouse returns success) it is still calling into libpam_hpsec and libpam_unix which will eventually return error and so the login is not successful. Setting "suufcient" control flag for all solves the problem. But as I can understand, that is not really a good solution. Is there any other thing that need to be considered when using libpam_hpsec?(extension provided by HPUX)<BR /><BR />Thannks for your help, Wed, 18 Jul 2007 12:04:10 GMT https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039761#M737990 Faizulla 2007-07-18T12:04:10Z https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039762#M737991 To add more details-<BR /><BR />The module pam_hpsec is stacked as andatory module above all the modules for making security checks before authentication. <BR />I tried turnig off pam_hpsec like this.<BR /><BR /># Authentication management<BR />#<BR />#login auth required libpam_hpsec.so.1<BR />login auth sufficient pam_inhouse.so<BR />login auth required libpam_unix.so.1 try_first_pass<BR /><BR /><BR />I know this will not give me the additional security extensions provided by hp_sec but some level of isolation of the problem.<BR /> Wed, 18 Jul 2007 12:41:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039762#M737991 Faizulla 2007-07-18T12:41:04Z https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039763#M737992 According to man pam_hpsec, you must use this module at the top of all the modules.<BR /><BR />The use of pam_hpsec is mandatory for services like login, dtlogin, ftp, remsh/rexec and ssh. It is required that these services stack this module on the top of the stack above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application. Wed, 18 Jul 2007 18:14:34 GMT https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039763#M737992 Ivan Ferreira 2007-07-18T18:14:34Z https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039764#M737993 Thanks for your reply. Yes, I have gone through the pam_hpsec manual page but I am unable to find out what is that thing making pam_hpsec to be loaded though I use "sufficient" for my inhouse module which I use at the top. When "sufficient" used and "inhouse" module returns true it should not call into pam_hpsec and pam_unix down the stack. I am just wondering if there are any specific settings to be done for pam_hpsec. Has anyone used any "inhouse" module with "pam_hpsec" successfully?<BR /><BR />Thanks for your help, Wed, 18 Jul 2007 22:08:12 GMT https://community.hpe.com/t5/operating-system-hp-ux/pam-error-hpux-11-23-ia64/m-p/4039764#M737993 Faizulla 2007-07-18T22:08:12Z