Version 9.8
 —  LoginModules Guide  —

Usage of Pluggable Authentication Module (PAM) on UNIX

The Pluggable Authentication Module (PAM) is a standardized architecture to let third parties carry out authentication requests from applications. PAM allows you to perform OS authentication on UNIX.


PAM Authentication

To perform OS authentication using PAM, the "sagssxauthd2" module tries to load the client-side PAM library, named libpam.so, and the libcrypt.so security library (libsec.so/.sl on HP-UX), using the ssxsrv service.

If libpam.so is successfully loaded, the "sagssxauthd2" module performs a PAM authentication.

If libpam.so could not be loaded or the PAM authentication fails, the module tries to perform a UNIX user authentication using the password database(s) and the libcrypt.so security library. If libcrypt.so could not be loaded, an error is returned. If libcrypt.so is successfully loaded, the "sagssxauthd2" module calls the getspnam() function which looks in the local shadow password user database.

Top of page

Conditions for Using PAM

Most PAM modules and both getspnam() and getpwnam()require specific privileges from the calling process. Therefore, "sagssxauthd2" must be owned by the "root" user. Also, the "sagssxauthd2" module must be on a device not mounted with the "nosuid" option and the setuid flag must be enabled (the file access rights should look like "-rwsr-sr-x …. root … sagssxauthd2").

If any of the conditions above is not met, an error can occur. In this case, it is important to double-check the status of "sagssxauthd2" and create an SSX trace to be sent to support.

Another source of failure is using an unsupported by SSX hash algorithm for comparing the passwords returned from getspnam() and getpwnam(). The supported hash algorithms are:

Note:
On HP-UX, the "sagssxauthd2" module also uses the crypt2_passwd_match() and bigcrypt() functions to perform the comparison.

Top of page