|
|
Sponsored Content
Special Forums
UNIX and Linux Applications
Usermod pam in hpux
Post 302785413 by Linusolaradm1 on Monday 25th of March 2013 03:24:44 PM
03-25-2013
|
|
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
I'm trying to add an expiration to all of the local logins, but everytime I do the:
usermod -e <date> <login>
command, I get a error msg "usermod error <date> is not a valid expiration date. CHoose another"
I've tried 6/26/06, June 26, 2006, 26/6/06, 6/26/2006 everything I can think of.
... (1 Reply)
Discussion started by: amheck
1 Replies
2. Solaris
Hi, I put an expiration on a few id's that I want to remove now. From the man page
-e expire Specify the future date on which a login can no
longer be used; after this date, no user will be
able to access this login. This option is useful
... (0 Replies)
Discussion started by: amheck
0 Replies
3. UNIX for Dummies Questions & Answers
Hi,
I would need to modify my machine name :
When i give "w" command, i am getting following message
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
krishnag pts/59 gunasekar 1:25pm 25:15 0.03s 0.03s -csh.
My questions is, i need to change FROM (i.e... (1 Reply)
Discussion started by: gun
1 Replies
4. Shell Programming and Scripting
I am running HPUX and using WLM (workload manager). I want to write a script to fork CPUs to basically take CPUs from other servers to show that the communication is working and CPU licensing is working. Basically, I want to build a script that will use up CPU on a server. Any ideas? (2 Replies)
Discussion started by: cpolikowsky
2 Replies
5. Solaris
Hello,
I'm a bit confused by the usage of those two commands. I have 2 freshly installed systems and the behaviour is different from one system to another.
root@systemONE rolemod -G mygroup postgres
UX: rolemod: ERROR: Users most be modified with ``usermod''.
root@systemTWO usermod -G... (6 Replies)
Discussion started by: Tex-Twil
6 Replies
6. Shell Programming and Scripting
Hi;
Im working on HP -UX B.11.11 U 9000/800 , I come from a Linux background and i m not so good at HP UX.Here is the issue
I need to reset the password of some 100 users at one go ,on linux I used to do it.I wrote a small code in linux and it worked a charm
here is the code ,where... (2 Replies)
Discussion started by: maverick_here
2 Replies
7. HP-UX
I'm sharing this in case anybody needs it. Modified from the original solaris pwage script. This modified hpux script will check /etc/password file on hpux trusted systems search /tcb and grep the required u_succhg field. Calculate days to expiry and notify users via email.
original solaris... (2 Replies)
Discussion started by: sparcguy
2 Replies
8. AIX
Hello All,
Could you please let me know if the usermod command works in AIX? If yes, on what versions? We have a situation in which we need to change the UID of few users who have the same UID as root. We have changed it in /etc/passwd for now but want to use usermod in future. The syntax is as... (2 Replies)
Discussion started by: lovesaikrishna
2 Replies
9. SuSE
Hi,
I use a software which can create account on many system or application.
One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3.
This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies
10. Solaris
i install Solaris 11.2 , Oracle Corporation SunOS 5.11 11.2 April 2015
and make 2 zones for Oracle RAC
non-global zones : rac1, rac2
in zones i create group's and user's
/usr/sbin/groupadd -g 1000 oinstall
/usr/sbin/groupadd -g 1020 asmadmin
/usr/sbin/groupadd -g 1021... (2 Replies)
Discussion started by: penchev
2 Replies
LEARN ABOUT HPUX
pam_krb5
pam_krb5(5) File Formats Manual pam_krb5(5) NAME
pam_krb5 - authentication, account, session and password management modules for Kerberos 5 SYNOPSIS
/usr/lib/security/$ISA/libpam_krb5.so.1 DESCRIPTION
The KRB5 PAM modules allow integration of Kerberos authentication into the system entry services (such as login, using pam.conf(4) configu- ration file. The Kerberos service module for PAM consists of the following three modules: the authentication module, the account management module and the password module. It also provides null functions for session management. All modules are supported through the same dynami- cally loadable library. The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft Windows 2000. Authentication Module The authentication module verifies the user identity and sets the user credentials. It passes the authentication key derived from the user's password to the Kerberos security service. The security service uses the authentication key to verify the user and issues a ticket- granting ticket. The credential management function sets user specific credentials. It stores the credentials in a cache file and exports the environment variable KRB5CCNAME to identify the cache file. The cache file is stored in /tmp/pam_krb5/creds directory. This module cre- ates a unique cache file for every session. The credentials cache should be destroyed by the user at logout with kdestroy(1m). The following options may be passed to the authentication module through pam.conf(4): debug This option allows syslog(3C) debugging information at LOG_DEBUG level. use_first_pass This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, quit without prompting for a password. It is recommended that this option be used only if the authentication mod- ule is designated as optional in the pam.conf(4) configuration file. try_first_pass This option allows the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password. forwardable This option allows a ticket-granting ticket with a different network address than the present ticket-granting ticket to be issued to the user. For forwardable tickets to be granted, the user's account in Kerberos must specify that the user can be granted forwardable tickets. renewable=<time> This option allows tickets issued to the user to be renewed. For renewable tickets to be granted, the user's account in Ker- beros must specify that the user can be granted renewable tickets. The renewal time of the ticket-granting ticket is speci- fied by <time>. The form of time is the same as the one in kinit(1m). proxiable This option allows a ticket with a different network address than the present ticket to be issued to the user. For proxiable tickets to be granted, the user's account in Kerberos must specify that the user can be granted proxiable tickets. ignore Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section. Account Management Module The account management module provides a function to perform account management. This function retrieves the user's account and password expiration information from Kerberos database and verifies that they have not expired. The module does not issue any warning if the account or the password is about to expire. The following options can be passed to the Account Management module through pam.conf(4): debug This option allows syslog(3C) debugging information at LOG_DEBUG level. ignore Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section. Password Management Module The password management module provides a function to change passwords in the Kerberos password database. Unlike when changing a Unix pass- word, the password management module will allow any user to change any other's password(if the user knows the other's old password, of course). Also unlike Unix, root is always prompted for the user's old password. The following options can be passed into the password module through the pam.conf(4) file: debug This option allows syslog(3C) debugging information at LOG_DEBUG level. use_first_pass This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, quit without prompting for a password. It is recommended that this option be used only if the authentication mod- ule is designated as optional in the pam.conf(4) configuration file. try_first_pass This option allows the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with Kerberos. If the user cannot be authenticated or if this is the first authentication module in the stack, prompt for a password. ignore Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section. Session Management Module The session management module provides functions to initiate and terminate sessions. Since session management is not defined under Ker- beros, both of these functions simply return PAM_SUCCESS. They are provided only because of the naming conventions for PAM modules. The following options can be passed into the session management module through the pam.conf(4) file: debug This option allows syslog(3C) debugging information at LOG_DEBUG level. ignore Returns PAM_IGNORE. Generally this option should not be used. But sometimes it may not be desirable or may not be necessary to authenticate certain users (root, ftp, ...) with Kerberos. In such cases you can use this option in pam_user.conf(4) for per user configuration. It is not recommended for you to use this option in pam.conf(4). See the examples section. EXAMPLE
Following is a sample configuration in which no authentication is done with Kerberos for root ie. KRB5 PAM module does nothing. It just returns PAM_IGNORE for user root. For every user other than root, it will try to authenticate using Kerberos. If Kerberos succeeds, the user is authenticated. If Kerberos fails to authenticate the user, PAM will try to authenticate via UNIX PAM using same the password. PAM_IGNORE for user root. pam_user.conf: # configuration for user root. KRB5 PAM module uses the # ignore option and returns PAM_IGNORE root auth libpam_krb5.so.1 ignore root password libpam_krb5.so.1 ignore root account libpam_krb5.so.1 ignore root session libpam_krb5.so.1 ignore pam.conf: # For per user configuration the libpam_updbe.so.1 (pam_updbe(5)) module # must be the first module in the stack. If Kerberos authentication # is valid the UNIX authentication function will not be invoked. login auth required libpam_hpsec.so.1 login auth required libpam_updbe.so.1 login auth sufficient libpam_krb5.so.1 login auth required libpam_unix.so.1 try_first_pass login password required libpam_hpsec.so.1 login password required libpam_updbe.so.1 login password required libpam_krb5.so.1 login password required libpam_unix.so.1 try_first_pass login account required libpam_hpsec.so.1 login account required libpam_updbe.so.1 login account required libpam_krb5.so.1 login account required libpam_unix.so.1 login session required libpam_hpsec.so.1 login session required libpam_updbe.so.1 login session required libpam_krb5.so.1 login session required libpam_unix.so.1 NOTES
The use of pam_hpsec is mandatory for services like login, dtlogin, su, ftp, rcomds and sshd (see attached pam.conf). It is required that these services stack this module above one or more additional modules such as pam_unix, pam_kerberos, etc... However, for 'OTHER' services, pam_hpsec is not configured by default. System administrators and application writers must consider whether it is appropriate to use pam_hpsec for any given application. SEE ALSO
pam(3), pam_authenticate(3), pam_setcred(3), syslog(3C), pam.conf(4), pam_user.conf(4), pam_updbe(5), kinit(1m), klist(1m), kdestroy(1m) pam_krb5(5)