pam_aix Module
Purpose
Provides AIX® style authentication, account management, password management, and session management for PAM.
Description
The pam_aix module provides AIX style authentication behaviors to PAM. The module has support for each of the PAM module types - authentication, account management, password management and session management. Each of these types provides full AIX support for users defined in local or remote registries.
Communication from the pam_aix module to the user is handled through the PAM_CONV item, which is set by pam_start or pam_set_item. All messages displayed by pam_aix are AIX messages and are internationalized.
#
# Use AIX system authentication
#
OTHER auth required pam_aix
OTHER account required pam_aix
OTHER session required pam_aix
OTHER password required pam_aix
- The pam_aix module cannot be used with users who have their SYSTEM or registry user attributes set to use the /usr/lib/security/PAM module. In such a case, an authentication loop is created, and the operation fails.
- The authentication fails if the pam_aix module is called from a nonroot user, and the program does not have the setuid bit set.
Supported PAM module types
- Authentication
  - Authenticates a user through their AIX password.
- Account Management
  - Verifies that an authenticated user is permitted onto the system and checks for expired passwords. Checks are performed through use of the passwdexpired() and loginrestrictions() subroutines.
- Session Management
  - Opens a new session and logs the session information.
- Password Management
  - Allows a user to set or modify their AIX password if it is possible. pam_aix will then update the user's password entry in the appropriate password table. When pam_aix is used for password management, it should be used as "required" or "requisite".
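A check for the control-flag rule above and for the no_pwd_ck option listed under Options, as an added example that is not part of the original documentation. It assumes the field order shown in the sample entries (service, module type, control flag, module path, options); the function names and the sample input are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit pam.conf-style text (read from stdin) for pam_aix entries.
# Assumed field order: service  module_type  control_flag  module_path  [options]

audit_pam_aix() {
    awk '
        NF < 4 || $1 ~ /^#/ { next }            # skip blank, short and comment lines
        {
            n = split($4, path, "/")            # accept a bare name or a full path
            if (path[n] != "pam_aix") next
            type = tolower($2); flag = tolower($3)

            # Password management: pam_aix should be "required" or "requisite".
            if (type == "password" && flag != "required" && flag != "requisite")
                printf "line %d: %s %s: control flag \"%s\", expected required or requisite\n", NR, $1, type, $3

            # no_pwd_ck turns off the password expiration check.
            for (i = 5; i <= NF; i++)
                if ($i == "no_pwd_ck")
                    printf "line %d: %s %s: no_pwd_ck set, password expiration is not checked\n", NR, $1, type
        }
    '
}

# Constructed sample input, not taken from a real system.
sample_pam_conf() {
    cat <<'EOF'
# constructed pam.conf fragment
OTHER  auth      required  pam_aix
OTHER  account   required  pam_aix no_pwd_ck
OTHER  session   required  pam_aix
OTHER  password  required  pam_aix
login  password  optional  /usr/lib/security/pam_aix
login  account   required  /usr/lib/security/pam_aix debug
EOF
}

# Print the findings for the constructed sample (one finding per line).
sample_pam_conf | audit_pam_aix
```

The function prints nothing for a file with no findings, so its output can be fed straight into a configuration review report.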
Options
Item | Description |
---|---|
debug | Log debugging information to syslog. |
mode | Specifying the mode option for a service allows the login restrictions checks to be customized as needed for a PAM service. The value specified for mode can be one of the following strings: |
nowarn | Do not display warning messages. |
no_pwd_ck | Do not check for password expiration. |
use_first_pass | Use a previously entered password, do not prompt for a new one. |
try_first_pass | Try a previously entered password. If it fails, prompt for a new one. |
use_new_state | AIX builds and maintains state information when authenticating a user. By default, the pam_aix module will use the same state information throughout a PAM session. This can produce results that are correct in terms of AIX authentication but are unexpected within the PAM framework. For example, pam_authenticate requests may fail due to access restrictions. If this behavior is not desired for a given module type, specify the use_new_state option to use new state information for each invocation. |
Return Values
Upon successful completion, the pam_aix module returns PAM_SUCCESS. If a failure occurs, a PAM error code is returned, depending on the actual error.
Location
/usr/lib/security/pam_aix
/usr/lib/security/64