/usr/lib/security/methods.cfg File

Purpose

Contains the information for loadable authentication module configuration.

Description

The /usr/lib/security/methods.cfg file is an ASCII file that contains stanzas with loadable authentication module information. Each stanza is identified by a module name followed by a colon (:) and contains attributes in the form Attribute=Value. Each attribute ends with a new-line character and each stanza ends with an additional new-line character.

The /usr/lib/security/methods.cfg file is a symbolic link to the /etc/methods.cfg file.

Note: If you are using Common Desktop Environment (CDE), you must restart the desktop login manager (dtlogin) for any changes to take effect. Restarting dtlogin will prevent CDE login failure by using the updated security mechanisms. Please read the /usr/dt/README file for more information.

Each stanza can have the following attributes:

Attribute Description
domain Specifies a free-format ASCII text string that is used by the loadable authentication module to select a data repository. This attribute is optional.
netgroup Indicates netgroup enablement for this module. The following behaviors will be turned on:
  1. Users defined in the /etc/security/user file as members of the module's registry (for example, having registry=LDAP and SYSTEM=LDAP) will not be able to authenticate as module users. These users will now become nis_module users and will require native NIS netgroup membership. To fully enable nis_module netgroup users, corresponding entries in /etc/security/user must have registry and SYSTEM value removed or set to compat.
  2. The registry value of compat is now supported. However, only nis_module users will show compat as their registry. Other users will show their absolute registry value.
  3. The meaning of registry=compat will be expanded to include modules supporting netgroup. For example, if the LDAP module is netgroup enabled, compat will include the following registries: files, NIS and LDAP.
options Specifies an ASCII text string containing optional values that are passed to the loadable authentication module upon initialization. The supported values for each module are described by the product documentation for that loadable authentication module.

The options attribute takes the following pre-defined values:

auth=module
Specifies the module to be used to perform authentication functions for the current loadable authentication module
authonly
Indicates that the loadable authentication module only performs authentication operations. User and group information must be provided by a different module, specified by the db= option. If no db= module is specified, user and group information must be provided by the local files database.
db=module
Specifies the module to be used for providing user and group information for the current loadable authentication module
dbonly
Indicates that the loadable authentication module only provides user and group information and does not perform authentication functions. Authentication operations must be performed by a different load module, specified by the auth= option. If the auth= option is not specified, all authentication operations fail.
netgroup
Indicates netgroup enabling of this module. The following behaviors will be turned on:
  1. Users defined in /etc/security/user as members of the module's registry (for example, having registry=LDAP and SYSTEM=LDAP) will not be able to authenticate as module users. These users will now become nis_module users and will require native NIS netgroup membership. To fully enable nis_module netgroup users, corresponding entries in /etc/security/user must have registry and SYSTEM values removed or set to compat.
  2. The registry value of compat is now supported. However, only nis_module users will show compat as their registry value. Other users will show their absolute registry value.
  3. The meaning of registry=compat will be expanded to include modules supporting netgroup. For example, if the LDAP module is netgroup-enabled, compat will include the following registries: files, NIS and LDAP.
noprompt
The initial password prompt for authentication operations is suppressed. The loadable authentication module then controls all password prompting.
rootrequiresopw
Determines whether the root user is prompted for the old password for this loadable authentication module when changing another user's password. If you want to disable the prompt of the old password, set this option to False. The default value is True.

The options attribute can also use the following predefined values for the KRB5/KRB5A load modules:

allow_expired_pwd= [ yes | true/no | false ]
The possible values for the allow_expired_pwd option follow:
  1. No or false
  2. Yes or true
By default the allow_expired_pwd option is set to no or false. The allow_expired_pwd option enables the AIX® operating system to get the password expiration information by using the Kerberos authentication interfaces. The actual status of the password expiration information is obtained either during the login or by calling the authenticate subroutine and the passwdexpired subroutine.
is_kadmind_compat=[ yes | true/no | false ]
This option is used to indicate which authentication service Kerberos authenticates against. If it is set to yes or true, it authenticates by using the Network Authentication Service (NAS). If it is set to no or false, the environment is set to use the non-AIX services.
kadmind=[ yes | true/no | false ]
The possible values for the kadmind option follow:
  1. No or false: Disables the kadmind lookups.
  2. Yes or true: Enables the kadmind lookups.
The default value is yes, which means that kadmind lookups are performed during authentication; in that case, if the daemon is not available, authentication might take longer. When this option is set to no, the kadmind daemon is not contacted during authentication, so users can log in to the system regardless of the status of the kadmind daemon, provided that the user enters the correct password when the system prompts for one. However, the AIX® user administration commands, such as mkuser, chuser, or rmuser, do not work to administer Kerberos-integrated users if the daemon is not available (for example, the daemon is down or the machine is not accessible).
kadmind_timeout=[timeout_value]
The kadmind_timeout option is the amount of time in seconds between kadmind connection attempts after an initial timeout. The valid values are from 0 - 300.
keep_creds=[ yes/no ]
By default, the keep_creds option is set to no. If the keep_creds option is set to yes, every new login generates a new PAG-based credential cache file.
sync_all=[ yes | true/no | false ]
This option is used to indicate where the processing of an ALL query is performed, either by the load module or by the security library. If the sync_all option is set to no or false, the load module leaves the task of computing an ALL request to the security library routines. If it is set to yes or true, the principal list is retrieved by the load module. The authentication side of the load module might declare no support for the ALL query. In such a case the security library is still capable of computing an ALL list for the authentication side: it queries the authentication side for each user that it obtained from the database side, and the resulting ALL list contains only the users and principals that exist on both sides. The advantage of this approach is that, when there are too many users, the Kerberos client or server might fail to complete a single bulk operation, whereas querying one user at a time succeeds. The disadvantage is performance: there is a large performance degradation when the security library queries users one at a time.
tgt_verify=[ yes | true/no | false ]
The possible values for the tgt_verify option follow:
  1. No or false: Disables ticket-granting ticket (TGT) verification.
  2. Yes or true: Enables TGT verification.
By default, TGT verification is enabled. When the tgt_verify option is set to no, TGT verification is not performed and there is no need to transfer the host principal's keys. This eliminates the need for the keytab file for authentication purposes when the KRB5A module is used. Other Kerberos-enabled applications might still require the keytab file for host and service principals.

You can only use the auth=module and db=module value strings for complex loadable authentication modules, which may require or be used with another loadable authentication module to provide new functionality.

The authonly and dbonly values are invalid for complex modules.

You can use the noprompt value for any kind of module.

program Names the load module containing the executable code that implements the loadable authentication method.
program_64 Names the load module containing the executable code that implements the loadable authentication method for 64-bit processes.

Security

Access Control: This file should grant read (r) and write (w) access to the root user only and read (r) access to the security group and all other users.

Examples

  1. To indicate that the loadable authentication module is located in the file /usr/lib/security/DCE, enter:
    program = /usr/lib/security/DCE
  2. To indicate that the loadable authentication module only should provide authentication functions, enter:
    options = authonly
  3. The following example contains configuration information for the LDAP simple loadable authentication module:
    LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

    The "LDAP" stanza gives the name of the module, used by the SYSTEM and registry attributes for a user. The name does not have to be the same as the file name given for the program attribute.

  4. The following example contains configuration information for the KERBEROS complex loadable authentication module:
    KERBEROS:
        program = /usr/lib/security/KERBEROS
        program_64 = /usr/lib/security/KERBEROS64
        options = authonly,db=LDAP

    The "KERBEROS" stanza gives the name of the module as used by the SYSTEM and registry attributes for a user. This name does not have to be the same as the name of the file given for the program attribute. The options attribute indicates that the user and group information functions are to be performed by the module described by the "LDAP" stanza (in example 3).
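To make the stanza grammar from the Description section and the option rules concrete, the following is an added example in Python; it is not part of the IBM documentation. It parses the "name:" / Attribute=Value / blank-line format, checks that auth= and db= name a stanza that exists in the same file, flags dbonly without auth= (which the page says makes every authentication fail), and checks a file's owner and mode against the Security section. The sample stanzas are constructed for this example (LDAP and KERBEROS mirror examples 3 and 4; BROKEN is deliberately misconfigured), the function names are this example's own, and the handling of "*" comment lines is an assumption.

```python
"""Parser and configuration checker for the methods.cfg stanza format.

Added example, not IBM code. It follows the stanza grammar described on
the page (a "name:" line, then Attribute=Value lines, a blank line ending
the stanza) and the documented semantics of authonly, dbonly, auth= and
db=. The sample file content below is constructed.
"""
import stat
from typing import Dict, List

# Constructed sample: LDAP and KERBEROS mirror examples 3 and 4 above;
# BROKEN is a deliberately misconfigured stanza for the checker to flag.
SAMPLE_METHODS_CFG = """\
LDAP:
        program = /usr/lib/security/LDAP
        program_64 = /usr/lib/security/LDAP64

KERBEROS:
        program = /usr/lib/security/KERBEROS
        program_64 = /usr/lib/security/KERBEROS64
        options = authonly,db=LDAP

BROKEN:
        program_64 = /usr/lib/security/BROKEN64
        options = dbonly,db=NOSUCH
"""


def parse_methods_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {stanza_name: {attribute: value}} for a methods.cfg body."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:                      # the extra new-line that ends a stanza
            current = None
            continue
        if line.startswith("*"):          # assumption: AIX-style '*' comment lines
            continue
        if line.endswith(":") and "=" not in line:
            current = line[:-1].strip()   # "LDAP:" starts the LDAP stanza
            stanzas[current] = {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute outside any stanza")
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"line {lineno}: expected Attribute=Value")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_options(value: str) -> Dict[str, str]:
    """Split 'authonly,db=LDAP' into {'authonly': '', 'db': 'LDAP'}."""
    opts: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if item:
            key, sep, val = item.partition("=")
            opts[key.strip()] = val.strip() if sep else ""
    return opts


def check_methods_cfg(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag stanzas whose options cannot work as the page describes them."""
    findings: List[str] = []
    for name, attrs in stanzas.items():
        if "program" not in attrs and "program_64" not in attrs:
            findings.append(f"{name}: neither program nor program_64 is set")
        opts = parse_options(attrs.get("options", ""))
        # auth= and db= must name another stanza in this same file.
        for ref in ("auth", "db"):
            target = opts.get(ref)
            if target and target not in stanzas:
                findings.append(f"{name}: {ref}={target} names a stanza that does not exist")
        if "authonly" in opts and "dbonly" in opts:
            findings.append(f"{name}: authonly and dbonly together leave the module no role")
        # Per the page: dbonly with no auth= means all authentication operations fail.
        if "dbonly" in opts and "auth" not in opts:
            findings.append(f"{name}: dbonly without auth= makes all authentication fail")
        value = opts.get("rootrequiresopw")
        if value is not None and value.lower() not in ("true", "false"):
            findings.append(f"{name}: rootrequiresopw must be True or False, got {value!r}")
    return findings


def permission_findings(st_mode: int, st_uid: int) -> List[str]:
    """Compare owner/mode with the Security section: root rw, everyone else read-only."""
    findings: List[str] = []
    if st_uid != 0:
        findings.append("file is not owned by root")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable by group or others")
    if not (st_mode & stat.S_IROTH):
        findings.append("file is not readable by all users as the documentation expects")
    return findings


if __name__ == "__main__":
    parsed = parse_methods_cfg(SAMPLE_METHODS_CFG)
    for finding in check_methods_cfg(parsed):
        print(finding)
```

Running the block prints only findings for the BROKEN stanza: its db= reference points at a stanza that does not exist, and dbonly without auth= leaves it unable to authenticate anyone. To check a real file, pass os.stat(path).st_mode and os.stat(path).st_uid to permission_findings.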

Files

/usr/lib/security/methods.cfg
Specifies the path to the file.
/etc/passwd
Contains basic user attributes.
/etc/security/user
Contains the extended attributes of users.
/usr/dt/README
Contains dtlogin information.