PAM loadable authentication module

AIX® security services can be configured to call PAM modules through the use of the existing AIX loadable authentication module framework.

Note: Before AIX 5.3, the PAM loadable authentication module was used to provide PAM authentication to native AIX applications. Due to differences in the behavior between this solution and a true PAM solution, the PAM loadable authentication module is no longer the recommended means to provide PAM authentication to native AIX applications. Instead, the auth_type attribute in the usw stanza of /etc/security/login.cfg should be set to PAM_AUTH to enable PAM authentication in AIX. For more information on the auth_type attribute, see /etc/security/login.cfg. Use of the PAM loadable authentication module is still supported, but it is deprecated. You should use the auth_type attribute to enable PAM authentication.
When the /usr/lib/security/methods.cfg file is set up correctly, the PAM load module routes AIX security services (passwd, login, and so on) to the PAM library. The PAM library checks the /etc/pam.conf file to determine which PAM module to use and then makes the corresponding PAM SPI call. Return values from PAM are mapped to AIX error codes and returned to the calling program.
Figure 1. AIX Security Service to PAM Module Path
This illustration shows the path that an AIX security service call takes when PAM is configured correctly. The PAM modules shown (pam_krb, pam_ldap, and pam_dce) are listed as examples of third-party solutions.
The PAM load module is installed in the /usr/lib/security directory and is an authentication-only module. The PAM module must be combined with a database to form a compound load module. The following example shows the stanzas that could be added to the methods.cfg file to form a compound PAM module with a database called files. The BUILTIN keyword for the db attribute designates the database as UNIX files.
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN
Creating and modifying users is then performed by using the -R option with the administration commands and by setting the SYSTEM attribute when a user is created. For example:
mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser
This action directs subsequent calls to AIX security services (login, passwd, and so on) for that user to the PAM load module for authentication. While the files database was used for the compound module in this example, other databases, such as LDAP, can also be used if they are installed. Creating users as previously described will result in the following mapping of AIX security calls to PAM API calls:

         AIX                     PAM API
        =====                   =========
        authenticate       -->  pam_authenticate
        chpass             -->  pam_chauthtok
        passwdexpired      -->  pam_acct_mgmt
        passwdrestrictions -->  No comparable mapping exists, success returned

Customizing the /etc/pam.conf file allows the PAM API calls to be directed to the desired PAM module for authentication. To further refine the authentication mechanism, stacking can be implemented.

Data prompted for by an AIX security service is passed to PAM through the pam_set_item function, because the PAM load module cannot accommodate a user dialog initiated from within PAM. PAM modules written for integration with the PAM load module should retrieve all data with pam_get_item calls and should not attempt to prompt the user for input, because prompting is handled by the security service.

Loop detection is provided to catch possible configuration errors in which an AIX security service is routed to PAM and then a PAM module in turn attempts to call the AIX security service to perform the operation. Detection of this loop event will result in an immediate failure of the intended operation.
Note: The /etc/pam.conf file should not be written to make use of the pam_aix module when using PAM integration from an AIX security service to a PAM module, because this will result in a loop condition.
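The pam.conf customization and stacking described above, together with the pam_aix loop condition in this note, can be checked before the file is put in place. The following POSIX sh/awk script is an added example and is not part of the AIX documentation or the PAM load module; the pam.conf content it writes is constructed for illustration (the pam_aix line for rlogin is included deliberately so that the check fires), and the aix_op_type mapping follows the AIX-to-PAM API table given earlier on this page.

```sh
#!/bin/sh
# Added example (not AIX documentation code). Writes a constructed pam.conf to a
# temporary file and checks it the way the PAM load module would resolve calls.
# pam.conf line format: service module_type control_flag module_path [module_options]
PAMCONF=${TMPDIR:-/tmp}/pam.conf.sample.$$
trap 'rm -f "$PAMCONF"' EXIT
cat > "$PAMCONF" <<'EOF'
# service  type      control     module_path
login      auth      sufficient  /usr/lib/security/pam_krb
login      auth      required    /usr/lib/security/pam_ldap
login      account   required    /usr/lib/security/pam_ldap
login      password  required    /usr/lib/security/pam_ldap
passwd     password  required    /usr/lib/security/pam_ldap
rlogin     auth      required    /usr/lib/security/pam_aix
EOF

# aix_op_type OP: the pam.conf module_type reached by an AIX security operation,
# following the AIX -> PAM API mapping on this page.
aix_op_type() {
    case "$1" in
        authenticate)       echo auth ;;      # pam_authenticate
        chpass)             echo password ;;  # pam_chauthtok
        passwdexpired)      echo account ;;   # pam_acct_mgmt
        passwdrestrictions) echo none ;;      # no PAM call, success returned
        *)                  return 1 ;;
    esac
}

# pam_stack SERVICE OP: print, in stacking order, the module paths that SERVICE
# configures for the module_type that AIX operation OP maps to.
pam_stack() {
    typ=$(aix_op_type "$2") || return 1
    awk -v svc="$1" -v typ="$typ" \
        '$1 !~ /^#/ && $1 == svc && $2 == typ { print $4 }' "$PAMCONF"
}

# loop_risk SERVICE: exit 0 when any line for SERVICE names pam_aix, which would
# route the call back into AIX security services (the loop condition above).
loop_risk() {
    awk -v svc="$1" \
        '$1 !~ /^#/ && $1 == svc && $4 ~ /\/pam_aix$/ { found = 1 }
         END { exit found ? 0 : 1 }' "$PAMCONF"
}

# Stand-alone usage: report the loop status of each service in the sample file.
for svc in login passwd rlogin; do
    if loop_risk "$svc"; then echo "$svc: pam_aix present, loop condition"; else echo "$svc: ok"; fi
done
```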