
Re: PAM error - HPUX 11.23 IA64

 
Faizulla
Occasional Advisor

PAM error - HPUX 11.23 IA64

Hello,

I have developed a custom PAM module and my pam.conf looks like:
login auth sufficient pam_inhouse.so
login auth required libpam_hpsec.so.1
login auth required libpam_unix.so.1 try_first_pass
(I am using the same for account, session and password stacks)
Though the login is successful with the custom id (pam_inhouse returns success), it is still calling into libpam_hpsec and libpam_unix, which will eventually return an error, and so the login is not successful. Setting the "sufficient" control flag for all solves the problem. But as I understand it, that is not really a good solution. Is there anything else that needs to be considered when using libpam_hpsec (extension provided by HPUX)?

Thanks for your help,
Faizulla
Occasional Advisor

Re: PAM error - HPUX 11.23 IA64

To add more details-

The module pam_hpsec is stacked as a mandatory module above all the modules for making security checks before authentication.
I tried turning off pam_hpsec like this.

# Authentication management
#
#login auth required libpam_hpsec.so.1
login auth sufficient pam_inhouse.so
login auth required libpam_unix.so.1 try_first_pass


I know this will not give me the additional security extensions provided by hp_sec, but it gives some level of isolation of the problem.
Ivan Ferreira
Honored Contributor

Re: PAM error - HPUX 11.23 IA64

According to man pam_hpsec, you must use this module at the top of all the modules.

The use of pam_hpsec is mandatory for services like login, dtlogin, ftp, remsh/rexec and ssh. It is required that these services stack this module on the top of the stack above one or more non-optional modules such as pam_unix, pam_krb5, or pam_ldap. Application writers and system administrators must consider whether it is appropriate to use pam_hpsec for any given application.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Faizulla
Occasional Advisor

Re: PAM error - HPUX 11.23 IA64

Thanks for your reply. Yes, I have gone through the pam_hpsec manual page, but I am unable to find out what is causing pam_hpsec to be loaded even though I use "sufficient" for my inhouse module, which I use at the top. When "sufficient" is used and the "inhouse" module returns true, it should not call into pam_hpsec and pam_unix down the stack. I am just wondering if there are any specific settings to be done for pam_hpsec. Has anyone used any "inhouse" module with "pam_hpsec" successfully?

Thanks for your help,
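
An added sketch, not code from any poster in this thread or from HP: it models the control-flag behaviour the posts above expect (the generic pam.conf rules for required, sufficient and optional, taken here as an assumption about HP-UX 11.23) and checks a stack against the ordering rule quoted from man pam_hpsec. The function names, the reordered stack and the module return values are constructed for illustration.

```python
def parse_stack(conf, service, mtype):
    """Return [(flag, module)] for one service/module type, skipping comments."""
    stack = []
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == service and fields[1] == mtype:
            stack.append((fields[2], fields[3]))
    return stack

def evaluate(stack, results):
    """Generic pam.conf flag rules (assumed, not HP-UX source).
    results maps module -> True/False (constructed). Returns (ok, called)."""
    called, required_failed, any_ok = [], False, False
    has_required = any(flag == "required" for flag, _ in stack)
    for flag, module in stack:
        called.append(module)
        ok = results[module]
        any_ok = any_ok or ok
        if flag == "required" and not ok:
            required_failed = True      # remembered; later modules still run
        elif flag == "sufficient" and ok and not required_failed:
            return True, called         # short-circuit: rest of stack skipped
    if has_required:
        return not required_failed, called
    return any_ok, called               # no required module: one success needed

def hpsec_findings(stack):
    """Check the ordering rule quoted from man pam_hpsec in this thread."""
    hpsec = [i for i, (_, m) in enumerate(stack) if "pam_hpsec" in m]
    if not hpsec:
        return ["pam_hpsec is not in the stack"]
    findings = []
    if hpsec[0] != 0:
        findings.append("pam_hpsec is not at the top of the stack")
    if not any(flag != "optional" for flag, _ in stack[hpsec[0] + 1:]):
        findings.append("no non-optional module below pam_hpsec")
    return findings

POSTED = """login auth sufficient pam_inhouse.so
login auth required libpam_hpsec.so.1
login auth required libpam_unix.so.1 try_first_pass"""
REORDERED = """login auth required libpam_hpsec.so.1
login auth sufficient pam_inhouse.so
login auth required libpam_unix.so.1 try_first_pass"""  # constructed reordering
SAMPLE = {"pam_inhouse.so": True, "libpam_hpsec.so.1": False, "libpam_unix.so.1": False}

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("reordered", REORDERED)):
        stack = parse_stack(conf, "login", "auth")
        print(name, evaluate(stack, SAMPLE), hpsec_findings(stack))
```

Under these assumed rules the posted stack stops after pam_inhouse.so, while the reordered stack lets pam_inhouse.so short-circuit only once pam_hpsec has already succeeded.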