Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: PAM settings.
Operating Systems Solaris PAM settings. Post 302310133 by Perderabo on Thursday 23rd of April 2009 08:31:46 PM
Old 04-23-2009
I'm not a pam expert either. But a quick shot in the dark:
Code:
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

 

10 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

PAM Vs Trusted mode in HP-UX

Hi All, Some questions on PAM (Pluggable Authentication Modulues) and Trusted mode in HP-UX. As default, when I turn on trusted mode (need shadow password only), the PAM is atomatically installed(not sure the word "installed" is appropriate or not). Can we turn on the trusted mode only,... (0 Replies)
Discussion started by: wilsonchan1000
0 Replies

2. Programming

PAM Authentication Sample

Hi, I am a Linux / Unix newbie c programmer. I have a c/c++ daemon server that will receive authentication (userid / password) from a windows client. All I want to do is authenticate the user via PAM API - i.e. user must exist on the Unix / Linux system + password must be validated. ... (1 Reply)
Discussion started by: vineshp
1 Replies

3. AIX

PAM in aix 5.2

After enabling PAm , passwd command does not work properly error in passwd # passwd pamuser Changing password for "pamuser" pamuser's New password: Enter the new password again: 3004-709 Error changing password for "pamuser". ... (0 Replies)
Discussion started by: ayeshaseerin
0 Replies

4. UNIX for Advanced & Expert Users

Pam configuration

I have suse (SLES 9) machine,I would like to know how to creat a PAM configure file for ldap authentication and loading it using a "config" argument to pam_ldap.so Thanks for your help (0 Replies)
Discussion started by: hassan1
0 Replies

5. AIX

PAM and aix

Does any one know how to get aix 5.3 pam working .. Is there any pathc to make it work (0 Replies)
Discussion started by: ayeshaseerin
0 Replies

6. UNIX for Dummies Questions & Answers

reread pam configuration

Hi. i am on solaris. I have changed pam configuration. Do i need to let pam re-read its configuration again? If so, how can i do it? ps -ef | grep -i pam, returns no hits. Rgds (0 Replies)
Discussion started by: yls177
0 Replies

7. UNIX for Advanced & Expert Users

PAM authentication.

I have applied pam authentication for local users as highlighted in below file. # cat /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so... (0 Replies)
Discussion started by: pinga123
0 Replies

8. Ubuntu

PAM, set_rlimits

I have installed a real time kernel on ubuntu, Now, I don't know how to run in real time mode. I tried to execute commands and like emerge, PAM and alike but none were found. Then I installed set_rlimits package, it is installed. I need a real time server, but in the tutorial it tries to run PAM... (2 Replies)
Discussion started by: dr_mabuse
2 Replies

9. SuSE

PAM password change failed, pam error 20

Hi, I use a software which can create account on many system or application. One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3. This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies

10. SuSE

Authentication with PAM

Hello all, I recently updated PAM policy files (pam_authz.policy) on HP-UX Servers with AD groups involving allowing and denying the certain groups.. Could anyone tell me what is the equivalent mechanism in SLES(Linux)? Is it possible to allow/deny AD group access with the SLES LDAP... (0 Replies)
Discussion started by: lcclaj0
0 Replies

LEARN ABOUT OPENSOLARIS

pam_krb5_migrate

pam_krb5_migrate(5)					Standards, Environments, and Macros				       pam_krb5_migrate(5)

NAME

       pam_krb5_migrate - authentication PAM module for the KerberosV5 auto-migration of users feature

SYNOPSIS

       /usr/lib/security/pam_krb5_migrate.so.1

DESCRIPTION

       The KerberosV5 auto-migrate service module for PAM provides functionality for the PAM authentication component. The service module helps in
       the automatic migration of PAM_USER to the client's local Kerberos realm, using PAM_AUTHTOK (the PAM authentication token  associated  with
       PAM_USER) as the new Kerberos principal's password.

   KerberosV5 Auto-migrate Authentication Module
       The  KerberosV5 auto-migrate authentication component provides the pam_sm_authenticate(3PAM) function to migrate a user who does not have a
       corresponding krb5 principal account to the default Kerberos realm of the client.

       pam_sm_authenticate(3PAM) uses a host-based client service principal, present in the local keytab (/etc/krb5/krb5.keytab)  to  authenticate
       to  kadmind(1M) (defaults to the host/nodename.fqdn service principal), for the principal creation operation. Also, for successful creation
       of the krb5 user principal account, the host-based client service principal being used needs to be assigned the	appropriate  privilege	on
       the  master  KDC's kadm5.acl(4) file. kadmind(1M) checks for the appropriate privilege and validates the user password using PAM by calling
       pam_authenticate(3PAM) and pam_acct_mgmt(3PAM) for the k5migrate service.

       If migration of the user to the KerberosV5 infrastructure is successful, the module will inform users about it by means of a  PAM_TEXT_INFO
       message, unless instructed otherwise by the presence of the quiet option.

       The  authentication  component  always returns PAM_IGNORE and is meant to be stacked in pam.conf with a requirement that it be listed below
       pam_authtok_get(5) in the authentication stack. Also, if pam_krb5_migrate is used in the authentication stack of a particular  service,	it
       is mandatory that pam_krb5(5) be listed in the PAM account stack of that service for proper operation (see EXAMPLES).

OPTIONS

       The following options can be passed to the KerberosV5 auto-migrate authentication module:

       debug

	   Provides syslog(3C) debugging information at LOG_DEBUG level.

       client_service=<service name>

	   Name  of  the service used to authenticate to kadmind(1M) defaults to host. This means that the module uses host/<nodename.fqdn> as its
	   client service principal name, KerberosV5 user principal creation operation or <service>/<nodename.fqdn> if this option is provided.

       quiet

	   Do not explain KerberosV5 migration to the user.

	   This has the same effect as passing the PAM_SILENT flag to pam_sm_authenticate(3PAM) and is useful  where  applications  cannot  handle
	   PAM_TEXT_INFO messages.

	   If  not  set,  the  authentication component will issue a PAM_TEXT_INFO message after creation of the Kerberos V5 principal, indicating
	   that it has done so.

       expire_pw

	   Causes the creation of KerberosV5 user principals with password expiration set to now (current time).

EXAMPLES

       Example 1 Sample Entries from pam.conf

       The following entries from pam.conf(4) demonstrate the use of the pam_krb5_migrate.so.1 module:

	 login	     auth requisite	     pam_authtok_get.so.1
	 login	     auth required	     pam_dhkeys.so.1
	 login	     auth required	     pam_unix_cred.so.1
	 login	     auth sufficient	     pam_krb5.so.1
	 login	     auth requisite	     pam_unix_auth.so.1
	 login	     auth optional	     pam_krb5_migrate.so.1 expire_pw
	 login	     auth required	     pam_dial_auth.so.1

	 other	 account requisite	 pam_roles.so.1
	 other	 account required	 pam_krb5.so.1
	 other	 account required	 pam_unix_account.so.1

       The pam_krb5_migrate module can generally be present on the authentication stack of any service where the application calls  pam_sm_authen-
       ticate(3PAM)  and  an authentication token (in the preceding example, the authentication token would be the user's Unix password) is avail-
       able for use as a Kerberos V5 password.

       Example 2 Sample Entries from kadm5.acl

       The following entries from kadm5.acl(4) permit or deny privileges to the host client service principal:

	 host/*@ACME.COM U root
	 host/*@ACME.COM ui *

       The preceding entries permit the pam_krb5_migrate add privilege to the host client service principal of any machine in  the  ACME.COM  Ker-
       berosV5 realm, but denies the add privilege to all host service principals for addition of the root user account.

       Example 3 Sample Entries in pam.conf of the Master KDC

       The  entries  below  enable  kadmind(1M)  on  the  master KDC to use the k5migrate PAM service in order to validate Unix user passwords for
       accounts that require migration to the Kerberos realm.

	 k5migrate	  auth	  required	  pam_unix_auth.so.1
	 k5migrate	  account required	  pam_unix_account.so.1

ATTRIBUTES

       See attributes(5) for a description of the following attribute:

       +-----------------------------+-----------------------------+
       |      ATTRIBUTE TYPE	     |	    ATTRIBUTE VALUE	   |
       +-----------------------------+-----------------------------+
       |Interface Stability	     |Evolving			   |
       +-----------------------------+-----------------------------+

SEE ALSO

       kadmind(1M), syslog(3C), pam_authenticate(3PAM), pam_acct_mgmt(3PAM), pam_sm_authenticate(3PAM), kadm5.acl(4), pam.conf(4),  attributes(5),
       pam_authtok_get(5), pam_krb5(5)

SunOS 5.11							    Jul 29 2004 					       pam_krb5_migrate(5)
All times are GMT -4. The time now is 03:32 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy