PAM loadable authentication module
AIX® security services can be configured to call PAM modules through the use of the existing AIX loadable authentication module framework.
Note: Before AIX 5.3, the PAM loadable authentication module was used to provide PAM authentication to native AIX applications. Because of differences in behavior between this solution and a true PAM solution, the PAM loadable authentication module is no longer the recommended means of providing PAM authentication to native AIX applications. Instead, the auth_type attribute in the usw stanza of /etc/security/login.cfg should be set to PAM_AUTH to enable PAM authentication in AIX. For more information on the auth_type attribute, see /etc/security/login.cfg. Use of the PAM loadable authentication module is still supported, but it is deprecated. You should use the auth_type attribute to enable PAM authentication.
When the /usr/lib/security/methods.cfg file is set up correctly, the PAM load module routes AIX security services (passwd, login, and so on) to the PAM library. The PAM library checks the /etc/pam.conf file to determine which PAM module to use and then makes the corresponding PAM SPI call. Return values from PAM are mapped to AIX error codes and returned to the calling program.
This illustration shows the path that an AIX security service call
takes when PAM is configured correctly. The PAM modules shown (pam_krb, pam_ldap, and pam_dce) are listed as examples of third-party solutions.
The PAM load module is installed in the /usr/lib/security directory and is an authentication-only module. The PAM module must
be combined with a database to form a compound load module. The following
example shows the stanzas that could be added to the methods.cfg file to form a compound PAM module with a database called files. The BUILTIN keyword for the db attribute designates the database as UNIX files.
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN
Creating and modifying users is then performed by using the -R
option with the administration commands and by setting the SYSTEM attribute when a user is created. For example:
mkuser -R PAMfiles SYSTEM=PAMfiles registry=PAMfiles pamuser
This action causes subsequent calls to AIX security services (login, passwd, and so on) for that user to use the PAM load module for authentication. While the files database was used for the compound module in this example, other databases, such as LDAP, can also be used if they are installed. Creating users as previously described results in the following mapping of AIX security calls to PAM API calls:
AIX                        PAM API
==================         =================================================
authenticate           --> pam_authenticate
chpass                 --> pam_chauthtok
passwdexpired          --> pam_acct_mgmt
passwdrestrictions     --> No comparable mapping exists; success is returned
Customizing the /etc/pam.conf file allows the PAM API calls to be directed to the desired PAM module for authentication. To further refine the authentication mechanism, stacking can be implemented.
Data prompted for by an AIX security service is passed to PAM through the pam_set_item function, because user dialog cannot be carried out from within PAM in this configuration. PAM modules written for integration with the PAM load module should retrieve all data with pam_get_item calls and should not attempt to prompt the user for input, because prompting is handled by the security service.
Loop detection is provided to catch possible configuration errors in which an AIX security service is routed to PAM and a PAM module then in turn attempts to call the AIX security service to perform the operation. Detection of this loop event results in an immediate failure of the intended operation.
Note: The /etc/pam.conf file should not be written to make use of the pam_aix module when using PAM integration from an AIX security service to a PAM module, because this will result in a loop condition.
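The following configuration check is an added example, not IBM's code: it parses methods.cfg stanzas of the form shown earlier (a stanza name followed by indented attr = value lines, with * starting a comment) and /etc/pam.conf entries (service, module type, control flag, module path), and flags the loop condition described in the note, where a compound module routes authentication to PAM while pam.conf loads pam_aix. The two configuration texts are constructed samples; the function and file names are the author's own.

```python
"""Flag the pam_aix loop condition for an AIX PAM compound load module (added example)."""

# Constructed sample methods.cfg, mirroring the PAM / PAMfiles stanzas shown above.
METHODS_CFG = """\
* constructed sample; '*' begins a comment in AIX stanza files
PAM:
        program = /usr/lib/security/PAM

PAMfiles:
        options = auth=PAM,db=BUILTIN
"""

# Constructed sample /etc/pam.conf: the login service is (wrongly) sent back to pam_aix.
PAM_CONF = """\
# constructed sample pam.conf: service module_type control_flag module_path
login   auth     required  /usr/lib/security/pam_aix
passwd  password required  /usr/lib/security/pam_ldap
"""

def parse_methods_cfg(text):
    """Return {stanza_name: {attribute: value}} from methods.cfg-style text."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.split("*", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.endswith(":"):                     # 'name:' opens a new stanza
            current = line[:-1]
            stanzas[current] = {}
        elif current and "=" in line:              # 'attr = value' inside a stanza
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def pam_compound_modules(stanzas):
    """Names of stanzas whose options route authentication to PAM (auth=PAM)."""
    return sorted(name for name, attrs in stanzas.items()
                  if "auth=PAM" in [o.strip() for o in attrs.get("options", "").split(",")])

def pam_aix_lines(pam_conf):
    """(line_no, service, module_type) for pam.conf entries whose module path is pam_aix."""
    hits = []
    for number, line in enumerate(pam_conf.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[3].rsplit("/", 1)[-1].startswith("pam_aix"):
            hits.append((number, fields[0], fields[1]))
    return hits

def check_loop(methods_cfg, pam_conf):
    """Return one finding per pam_aix entry when a PAM compound module is configured."""
    routed = pam_compound_modules(parse_methods_cfg(methods_cfg))
    if not routed:
        return []
    return [f"pam.conf line {n} ({svc} {mtype}) loads pam_aix while methods.cfg routes "
            f"{routed} to PAM: loop condition" for n, svc, mtype in pam_aix_lines(pam_conf)]
```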