pam_aix Module

Purpose

Provides AIX® style authentication, account management, password management, and session management for PAM.

Description

The pam_aix module provides AIX style authentication behaviors to PAM. The module has support for each of the PAM module types - authentication, account management, password management and session management. Each of these types provides full AIX support for users defined in local or remote registries.

Communication from the pam_aix module to the user is handled through the PAM_CONV item, which is set by pam_start or pam_set_item. All messages displayed by pam_aix are AIX messages and are internationalized.

The pam_aix module is typically used as the backup, or "other", service: if no authentication stack is defined for a specific service, local AIX authentication is used. pam_aix should usually be a "required" or "requisite" module, and if it is used for password authentication it should be marked as "required" or "requisite".

#
# Use AIX system authentication
#
OTHER auth      required pam_aix
OTHER account   required pam_aix
OTHER session   required pam_aix
OTHER password  required pam_aix
Attention:
  • The pam_aix module cannot be used with users who have their SYSTEM or registry user attributes set to use the /usr/lib/security/PAM module. In such a case, an authentication loop is created, and the operation fails.
  • Authentication fails if the pam_aix module is called by a non-root user and the calling program does not have the setuid bit set.
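The loop in the first Attention item is easy to introduce by editing a user stanza without looking at pam.conf. The following added check (not part of the IBM documentation) reads a pam.conf fragment and an /etc/security/user fragment and reports users whose SYSTEM or registry attribute routes them to PAM while pam_aix is also configured. Both inputs are constructed samples; the stanza layout ("name:" followed by indented "attr = value" lines) and the mode=S_LOGIN option syntax are assumptions.

```python
"""Detect the pam_aix / PAM load-module loop from the Attention note (added check).
Inputs are constructed samples; the AIX stanza layout ("name:" then indented
"attr = value") and the mode=S_LOGIN option syntax are assumptions."""
import re

PAM_CONF = """\
OTHER   auth     required  pam_aix
sshd    auth     required  pam_aix  mode=S_LOGIN try_first_pass
"""

SECURITY_USER = """\
default:
        SYSTEM = "compat"
alice:
        SYSTEM = "PAM"
bob:
        registry = PAM
carol:
        SYSTEM = "files OR LDAP"
"""

def pam_aix_services(pam_conf):
    """Services whose stack loads pam_aix: {service: [(type, control, options)]}."""
    found = {}
    for line in pam_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # service type control module [options]
        if len(fields) >= 4 and fields[3].rsplit("/", 1)[-1] == "pam_aix":
            found.setdefault(fields[0], []).append((fields[1], fields[2], fields[4:]))
    return found

def parse_stanzas(text):
    """Parse stanza text into {stanza: {attr: value}}, quotes stripped."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.strip()[:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line and not line.lstrip().startswith("*"):
            key, val = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = val.strip('"')
    return stanzas

def check_loop(pam_conf=PAM_CONF, security_user=SECURITY_USER):
    """Users who would hit the pam_aix -> PAM -> pam_aix loop; empty means safe."""
    if not pam_aix_services(pam_conf):
        return []
    pam = re.compile(r"\bPAM\b")  # whole-word match so e.g. "PAMX" is not flagged
    return sorted(u for u, a in parse_stanzas(security_user).items() if u != "default"
                  and any(pam.search(a.get(k, "")) for k in ("SYSTEM", "registry")))
```

On a real system, feed the contents of /etc/pam.conf and /etc/security/user to check_loop(); any user it returns will fail authentication with the loop described above.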

Supported PAM module types

Authentication
Authenticates a user through their AIX password.
Account Management
Verifies that an authenticated user is permitted onto the system and checks for expired passwords. Checks are performed through use of the passwdexpired() and loginrestrictions() subroutines.
Session Management
Opens a new session and logs the session information.
Password Management
Allows a user to set or modify their AIX password where that is possible. pam_aix then updates the user's password entry in the appropriate password table. When pam_aix is used for password management, it should be used as "required" or "requisite".

Options

The pam_aix module accepts the following parameters specified as options in the PAM configuration file:
debug
Log debugging information to syslog.
mode
Specifying the mode option for a service allows the login restrictions checks to be customized as needed for a PAM service. The value specified for mode can be one of the following strings:
  • S_DAEMON
  • S_LOGIN
  • S_RLOGIN
  • S_SU
  • S_DIST_CLNT
  • S_DIST_SERV
The checks performed by each mode are defined in the loginrestrictions subroutine man page. If the option is not specified, then a mode of 0 is passed into the subsequent loginrestrictions invocation. This option is only valid for the Authentication and Account Management module types.
nowarn
Do not display warning messages.
no_pwd_ck
Do not check for password expiration.
use_first_pass
Use a previously entered password; do not prompt for a new one.
try_first_pass
Try a previously entered password. If it fails, prompt for a new one.
use_new_state
AIX builds and maintains state information when authenticating a user. By default, the pam_aix module uses the same state information throughout a PAM session. This can produce results that are correct in terms of AIX authentication but are unexpected within the PAM framework. For example, pam_authenticate requests may fail due to access restrictions. If this behavior is not desired for a given module type, specify the use_new_state option to use new state information for each invocation.

Return Values

Upon successful completion, the pam_aix module returns PAM_SUCCESS. If a failure occurs, a PAM error code is returned that depends on the actual error.

Location

/usr/lib/security/pam_aix

/usr/lib/security/64