Version 9.5 SP1	SEARCH   CONTENTS   |   PDF BOOKS   |   HOME   UP   PREV   NEXT

The Pluggable Authentication Module (PAM) is a standardized architecture to let third parties carry out authentication requests from applications. PAM allows you to perform OS authentication on UNIX.

• PAM Authentication

• Conditions for Using PAM

PAM Authentication

To perform OS authentication using PAM, the "sagssxauthd2" module tries to load the client-side PAM library, named libpam.so, and the libcrypt.so security library (libsec.so/.sl on HP-UX), using the ssxsrv service.

If libpam.so is successfully loaded, the "sagssxauthd2" module performs a PAM authentication.

If libpam.so could not be loaded or the PAM authentication fails, the module tries to perform a UNIX user authentication using the password database(s) and the libcrypt.so security library. If libcrypt.so could not be loaded, an error is returned. If libcrypt.so is successfully loaded, the "sagssxauthd2" module calls the getspnam() function which looks in the local shadow password user database.

• If getspnam() finds the correct user entry, the "sagssxauthd2" module returns "true".

• If getspnam() does not find the correct user entry, the "sagssxauthd2" module calls the getpwnam() function to read the password. The getpwnam() function looks in the local password user database.

  • If getpwnam() finds the correct user entry, the "sagssxauthd2" module returns "true".

  • If getpwnam() fails, the user is rejected due to an invalid password.

Conditions for Using PAM

Most PAM modules and both getspnam() and getpwnam()require specific privileges from the calling process. Therefore, "sagssxauthd2" must be owned by the "root" user. Also, the "sagssxauthd2" module must be on a device not mounted with the "nosuid" option and the setuid flag must be enabled (the file access rights should look like "-rwsr-sr-x …. root … sagssxauthd2").

If any of the conditions above is not met, an error can occur. In this case, it is important to double-check the status of "sagssxauthd2" and create an SSX trace to be sent to support.

Another source of failure is using an unsupported by SSX hash algorithm for comparing the passwords returned from getspnam() and getpwnam(). The supported hash algorithms are:

• DES

• MD5

• Long Blowfish

• Short Blowfish

• SHA-256

• SHA-512

Note:
On HP-UX, the "sagssxauthd2" module also uses the crypt2_passwd_match() and bigcrypt() functions to perform the comparison.

www.softwareag.com

Copyright © 2008-2013 Software AG, Darmstadt, Germany.

SEARCH   CONTENTS   |   PDF BOOKS   |   HOME   UP   PREV   NEXT