Conditions for using PAM

PAM authentication and queries to the UNIX system's password database(s) require specific privileges from the calling process. Therefore, the sagssxauthd2 module must be owned by the root user. It must reside on a file system that is not mounted with the nosuid option, and the setuid file attribute must be set (the file access rights should look like -rwsr-xr-x ... root ... sagssxauthd2). The module is typically installed into the directory /opt/softwareag/common/security/ssx/auth.

A PAM service named ssxsrv has to be defined. On a Linux system, it is usually made available by copying the default configuration from /opt/softwareag/common/security/ssx/etc/ssxsrv.pamd into the system's PAM directory as /etc/pam.d/ssxsrv. For other systems, you may need to add a corresponding entry to the central PAM configuration in /etc/pam.conf.

Before the service can be used, it needs to be configured according to your system's usage of PAM. Depending on your needs and your system's configuration, you may follow the example of the password-auth, common-auth, sshd or login PAM services.

If any of the listed conditions is not met, an error can occur. In this case, it is important to double-check the status of the sagssxauthd2 module. You may also want to contact IBM support for further assistance; if you do, you should also create an SSX trace to be sent to support.

Another source of failure is using an unsupported password hash algorithm for comparing the passwords returned by the operating system. SSX currently supports the following hash algorithms:

  • MD5 ($1$)
  • Long Blowfish ($2a$)
  • BCrypt ($2y$)
  • Short Blowfish ($2$)
  • SHA-256 ($5$)
  • SHA-512 ($6$)
  • DES
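
The following is an added example, not part of SSX or the original documentation: a shell sketch that checks shadow-format entries against the list above and prints the accounts whose hash scheme is not on it. The function names and the sample entries are constructed for illustration, and "DES" is assumed to mean the traditional 13-character crypt string.

```shell
#!/bin/sh
# Added example (not SSX code): flag shadow entries whose hash scheme is
# absent from the supported list on this page.

# Print the scheme of one shadow hash field: a supported name, "locked",
# "empty", or "unsupported".
ssx_hash_scheme() {
    case "$1" in
        '')          echo empty ;;
        '!'*|'*'*)   echo locked ;;
        '$1$'*)      echo MD5 ;;
        '$2a$'*)     echo 'Long Blowfish' ;;
        '$2y$'*)     echo BCrypt ;;
        '$2$'*)      echo 'Short Blowfish' ;;
        '$5$'*)      echo SHA-256 ;;
        '$6$'*)      echo SHA-512 ;;
        '$'*)        echo unsupported ;;  # e.g. $y$ (yescrypt) or $2b$
        *[!./0-9A-Za-z]*) echo unsupported ;;
        *)  # Assumption: "DES" is the traditional 13-character crypt string.
            if [ "${#1}" -eq 13 ]; then echo DES; else echo unsupported; fi ;;
    esac
}

# Read shadow-format lines (user:hash:...) on stdin and print each user
# whose hash scheme is not supported.
ssx_audit_shadow() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        if [ "$(ssx_hash_scheme "$hash")" = unsupported ]; then
            printf '%s\n' "$user"
        fi
    done
}

# Constructed sample input; salts and hashes are placeholders, not real.
ssx_sample_shadow() {
    cat <<'EOF'
alice:$6$constructedsalt$constructedhash:19700:0:99999:7:::
bob:$1$constructed$constructedhash:19700:0:99999:7:::
carol:$y$j9T$constructedsalt$constructedhash:19700:0:99999:7:::
dave:$2b$12$constructedconstructedhash:19700:0:99999:7:::
erin:!!:19700:0:99999:7:::
frank:ab0123456789.:19700:0:99999:7:::
EOF
}

# Demo on the sample; on a real host feed it `getent shadow` as root.
ssx_sample_shadow | ssx_audit_shadow
```

Locked and empty entries are reported separately from unsupported ones because they fail authentication for a different reason than the hash scheme.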