The Pluggable Authentication Module (PAM) is a standardized architecture to let third parties carry out authentication requests from applications. PAM allows you to perform OS authentication on UNIX.
To perform OS authentication using PAM, the "sagssxauthd2" module tries to load the client-side PAM library, named libpam.so, and the libcrypt.so security library (libsec.so/.sl on HP-UX), using the ssxsrv service.
If libpam.so is successfully loaded, the "sagssxauthd2" module performs a PAM authentication.
If libpam.so could not be loaded or the PAM authentication fails, the module tries to perform a UNIX user authentication using the password database(s) and the libcrypt.so security library. If libcrypt.so could not be loaded, an error is returned. If libcrypt.so is successfully loaded, the "sagssxauthd2" module calls the getspnam() function which looks in the local shadow password user database.
If getspnam() finds the correct user entry, the "sagssxauthd2" module returns "true".
If getspnam() does not find the correct user entry, the "sagssxauthd2" module calls the getpwnam() function to read the password. The getpwnam() function looks in the local password user database.
If getpwnam() finds the correct user entry, the "sagssxauthd2" module returns "true".
If getpwnam() fails, the user is rejected due to an invalid password.
Most PAM modules and both getspnam() and getpwnam() require specific privileges from the calling process. Therefore, "sagssxauthd2" must be owned by the "root" user. Also, the "sagssxauthd2" module must be on a device not mounted with the "nosuid" option and the setuid flag must be enabled (the file access rights should look like "-rwsr-sr-x …. root … sagssxauthd2").
If any of the conditions above is not met, an error can occur. In this case, it is important to double-check the status of "sagssxauthd2" and create an SSX trace to be sent to support.
Another source of failure is a password hash algorithm that SSX does not support for comparing the passwords returned from getspnam() and getpwnam(). The supported hash algorithms are:
DES
MD5
Long Blowfish
Short Blowfish
SHA-256
SHA-512
Note:
On HP-UX, the "sagssxauthd2" module also uses the crypt2_passwd_match() and bigcrypt() functions to perform the comparison.
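To find accounts that would hit the unsupported-hash failure described above, the following added example (not vendor code) names the crypt(3) scheme of each shadow-format entry from its prefix and lists the entries outside the supported set. The function names and sample entries are constructed for illustration, and because the page does not give prefixes for "Long" and "Short" Blowfish, any $2 variant is counted as Blowfish here.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# classify_hash FIELD: print the scheme name for one password field.
classify_hash() {
    h=$1
    # Strip leading "!" lock markers; a locked entry may still carry a hash.
    while [ "${h#!}" != "$h" ]; do h=${h#!}; done
    case $h in
        ''|'*'|x)              echo none ;;      # no usable hash stored here
        '$1$'*)                echo MD5 ;;
        '$2$'*|'$2'[abxy]'$'*) echo Blowfish ;;  # assumption: any $2 variant
        '$5$'*)                echo SHA-256 ;;
        '$6$'*)                echo SHA-512 ;;
        '$'*)                  # other modular-format id, e.g. $y$ (yescrypt)
            id=${h#?}; id=${id%%\$*}; echo "unsupported:$id" ;;
        *[!./0-9A-Za-z]*)      echo unknown ;;
        *)  # traditional DES crypt is exactly 13 characters, no prefix
            if [ "${#h}" -eq 13 ]; then echo DES; else echo unknown; fi ;;
    esac
}

# unsupported_accounts: read shadow-format lines on stdin and print
# "user scheme" for each hash outside the supported list on this page.
unsupported_accounts() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        case $scheme in
            none|DES|MD5|Blowfish|SHA-256|SHA-512) ;;
            *) echo "$user $scheme" ;;
        esac
    done
}

# Constructed sample entries; the hash bodies are fake placeholders.
sample_shadow() {
    cat <<'EOF'
alice:$6$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
bob:$y$j9T$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
carol:!$1$saltsalt$FAKEHASHFAKEHASH:19000:0:99999:7:::
dave:abJnggxhB/yWI:19000:0:99999:7:::
svc:*:19000:0:99999:7:::
EOF
}

sample_shadow | unsupported_accounts
```

On a real host, run it as root with `unsupported_accounts < /etc/shadow`; the output contains only user names and scheme names, never the hashes.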