The HP-UX PAM RADIUS A.01.00 software supports the following modules:

- Authentication Module
- Session Management Module

The following sections discuss these modules in detail.

Authentication Module
The HP-UX PAM RADIUS authentication module provides the following functions:

- The pam_sm_authenticate() function, which verifies the identity of a user against the RADIUS server
- The pam_sm_setcred() function, which sets user credentials

The following options to the HP-UX PAM RADIUS authentication module can be set in the /etc/pam.conf file.

- debug
  This option enables syslog(3C) to log debugging information at LOG_DEBUG level.

- use_first_pass
  This option allows the initial password (entered when the user is authenticated to the first authentication module in the stack) to authenticate with the RADIUS server. If the user cannot be authenticated with that password, or if this is the first authentication module in the stack, HP-UX PAM RADIUS quits without prompting the user for a password. HP recommends that this option be used only if the authentication module is designated as optional in the /etc/pam.conf configuration file.

- try_first_pass
  This option allows the initial password (entered when the user is authenticated to the first authentication module in the PAM stack) to authenticate with the RADIUS server. If the user cannot be authenticated with that password, or if this is the first authentication module in the stack, HP-UX PAM RADIUS prompts the user for a password.

- default_realm=<realm name>
  This option sends a configured realm name along with <user name> to the RADIUS server. The two are combined as <user name>@<realm name> and sent in the User-Name RADIUS attribute.

- skip_passwd
  This option enables HP-UX PAM RADIUS to authenticate users without prompting for a password, even if no password was retrieved from a previous module. HP-UX PAM RADIUS sends the previous password if one exists; otherwise it sends a NULL password, so in that case the RADIUS server alone decides whether an empty password, or a subsequent challenge response, is acceptable. If authentication fails, the authentication module exits with PAM_ERROR. If an Access-Challenge message is returned, HP-UX PAM RADIUS displays the Access-Challenge message, prompts the user for a response, and returns success or failure as appropriate. The password passed to the next authentication module is not the response to the challenge: if a password from a previous authentication module exists, it is passed on; otherwise no password is passed to the next module.

- conf=<filename>
  This option configures a different filename for the RADIUS server configuration file. The default configuration file is /etc/raddb/server. For the syntax of the configuration file, see the /etc/raddb/server.sample sample configuration file.

- client_id=<clientID>
  This option sets the NAS-Identifier RADIUS attribute to the <clientID> string instead of the standard PAM service name (such as login or su). You can disable this option by giving client_id a blank value, for example 'client_id='.

- retry=<retrycount>
  This option allows <retrycount> authentication attempts before continuing to the next configured RADIUS server.

- ruser
  This option uses the value of PAM_RUSER instead of PAM_USER to determine the user name to authenticate with RADIUS. It is valid only if PAM_USER is root.

- localifdown
  This option makes HP-UX PAM RADIUS return PAM_IGNORE instead of PAM_AUTHINFO_UNAVAIL if RADIUS authentication fails because of network unavailability. PAM_IGNORE causes the PAM engine to continue down the stack regardless of the control flag used, so the RADIUS check is effectively skipped while the server is unreachable; use it only in a stack where another authentication module must still succeed.
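As an added example (constructed here, not taken from the HP documentation), the following /etc/pam.conf fragment shows how the options above combine in a login stack, with a fail-open arrangement shown beside a corrected one. The module file names libpam_unix.so.1 and libpam_radius.so.1, the realm example.com and the NAS identifier hpux-login are assumptions; verify the module paths against your system's own /etc/pam.conf.

```text
# /etc/pam.conf fragment: constructed example, not from the HP documentation.
# Format: <service> <module type> <control flag> <module path> [options]
# Module file names below are assumed; verify them against your system.

# Weak (shown commented out for contrast): RADIUS is the only auth module
# and localifdown is set. While the server is unreachable the module returns
# PAM_IGNORE, the engine continues down the stack, and no module has
# verified the user.
#login  auth    required    libpam_radius.so.1  localifdown default_realm=example.com

# Corrected: the local password check stays required. RADIUS re-uses the
# password that libpam_unix collected (try_first_pass prompts again if the
# server rejects it), sends User-Name as <user>@example.com, identifies the
# NAS as "hpux-login" instead of the service name, and tries each configured
# server twice before moving to the next. A RADIUS outage now degrades to
# local-password-only rather than to no authentication at all.
login   auth    required    libpam_unix.so.1
login   auth    required    libpam_radius.so.1  try_first_pass default_realm=example.com client_id=hpux-login retry=2 localifdown

# Avoid skip_passwd in a stack like this: if no earlier module supplied a
# password, the module sends a NULL password to the server.
```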
The following options have been added to support OTP authentication:

- recv_authtok=<tokentype>
  This option informs the module about the authentication token that the previous module set as the PAM_AUTHTOK item in the PAM handle. Valid values for <tokentype> are:
  - Password: the previous module set a password as the authentication token. This is the default value if the option is not set or an invalid value is set.
  - Otp: the previous module set an OTP as the authentication token.
  - PasswordOtp: the previous module set a password with the OTP appended as the authentication token.

  Usage when use_first_pass is set: if the value set here (for example, Password) is not consistent with rad_authtok (for example, Otp), the module fails to authenticate the user. If rad_authtok=PasswordOtp and recv_authtok=Password (or Otp), the module takes the Password (or Otp) from the PAM handle and prompts the user for the missing token (the Otp or the Password, respectively).

  Usage when try_first_pass is set: the module attempts to use the previous value if possible; if not, it prompts the user for the required authentication tokens.

  NOTE: This option is used only when try_first_pass or use_first_pass is set.

- rad_authtok=<tokentype>
  This option informs the module about the validation that must be performed. Based on the value of rad_authtok and the authentication token received from the previous module, HP-UX PAM RADIUS prompts the user for any missing authentication tokens and performs the authentication. Valid values for <tokentype> are:
  - Password: perform only password validation. This is the default value if the option is not set or an invalid value is set.
  - Otp: perform only OTP validation. When this value is set, the module prompts the user for the OTP (if required) and, once it has the OTP, sends it as the password to the RADIUS server for validation. Set this value when using RADIUS servers that support OTP-based authentication (such as the HP-UX AAA Server A.07.01 and later versions).
  - PasswordOtp: perform both password and OTP validation. The module appends the OTP value to the password and sends the combined string to the RADIUS server for authentication. Set this value when using RADIUS servers that support OTP-based authentication (such as the HP-UX AAA Server A.07.01 and later versions).

- set_authtok=<tokentype>
  This option configures the authentication token that the module sets as the PAM_AUTHTOK item in the PAM handle for the modules that follow it. Valid values for <tokentype> are:
  - Password: set the password as the authentication token. This is the default value if the option is not set or an invalid value is set.
  - Otp: set the OTP as the authentication token.
  - PasswordOtp: set the password with the OTP appended as the authentication token.

  If the token that must be set as PAM_AUTHTOK in the PAM handle is not available, the module ignores this option.
Session Management Module

The HP-UX PAM RADIUS session management module provides the following functions:

- The pam_sm_open_session() function, which initiates sessions
- The pam_sm_close_session() function, which terminates sessions

A RADIUS Accounting-Start message is sent to the RADIUS server when the session is opened and an Accounting-Stop message is sent when the session is terminated. The following options can be set for the session management module through the /etc/pam.conf file:

- default_realm=<realm name>

For more information on these options, see “Authentication Module”.
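As an added example (constructed here, not part of the HP documentation), the following /etc/pam.conf fragment ties together the OTP options of the authentication module and the accounting behaviour of the session management module: a local module collects the password, HP-UX PAM RADIUS adds the OTP factor, and the session entries produce the Accounting-Start and Accounting-Stop messages. The module file names libpam_unix.so.1 and libpam_radius.so.1, the realm example.com and the assumption that the local module leaves the verified password in the PAM handle are not from the page; verify them on your system.

```text
# /etc/pam.conf fragment: constructed example, not from the HP documentation.
# Module file names, the realm and the token-passing behaviour of the local
# module are assumptions; check them against your system.

# Step 1: the local module prompts for and verifies the password and is
# assumed to leave it in the PAM handle as PAM_AUTHTOK.
login   auth    required    libpam_unix.so.1

# Step 2: recv_authtok=Password tells the RADIUS module a password is already
# in the handle; rad_authtok=PasswordOtp means it must validate password+OTP,
# so with use_first_pass it prompts only for the missing OTP, appends the OTP
# to the password, and sends the combined string to the server.
# set_authtok=Password leaves the plain password, not password+OTP, in the
# handle for any module further down the stack.
login   auth    required    libpam_radius.so.1  use_first_pass recv_authtok=Password rad_authtok=PasswordOtp set_authtok=Password default_realm=example.com

# Mismatch to avoid: with use_first_pass, recv_authtok=Password together with
# rad_authtok=Otp is inconsistent and the module fails the user outright
# instead of prompting for the OTP.
#login  auth    required    libpam_radius.so.1  use_first_pass recv_authtok=Password rad_authtok=Otp

# Session accounting: Accounting-Start when the session opens and
# Accounting-Stop when it closes, with the same <user>@example.com User-Name.
login   session required    libpam_radius.so.1  default_realm=example.com
```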