Pluggable Authentication Modules

Privilege Management for Unix and Linux can use Pluggable Authentication Modules (PAM) on systems where it is available. Privilege Management for Unix and Linux invokes password authentication services, account management services, and session start/end services.

For macOS, PAM must be configured. Otherwise, the Privilege Management for Unix and Linux user and password policy functions will not work. These functions are listed in "User and Password Functions" in the Privilege Management for Unix and Linux Policy Language Guide.

pam

  • Version 3.5 and earlier: pam setting not available.
  • Version 4.0 and later: pam setting available.

The pam setting enables the use of PAM if set to yes, or disables it if set to no.

Example: pam yes

Default: pam no

Used on:
  • Policy server hosts
  • Submit hosts
  • Run hosts

libpam

  • Version 5.1.1 and earlier: libpam setting not available.
  • Version 5.2 and later: libpam setting available.

libpam specifies a user-defined PAM library that Privilege Management for Unix and Linux tries first, for systems that do not use the standard default PAM libraries. On AIX, the OS-provided PAM library is specified with the following notation:

/usr/lib/libpam.a(shr.o)
Example: libpam /lib/libpam.so.1

Default: No default value

Used on:
  • Policy server hosts
  • Submit hosts
  • Run hosts

pampasswordservice

  • Version 3.5 and earlier: pampasswordservice setting not available.
  • Version 4.0 and later: pampasswordservice setting available.

If you want Privilege Management for Unix and Linux to use PAM password authentication and account management for password authentication, set pampasswordservice to the name of the PAM service that you want to use.

  • On a policy server host, PAM password authentication is used for the getuserpasswd() function.
  • On a submit host, PAM password authentication is used when the submitconfirmuser() function is invoked by the policy server host’s policy.
  • On a run host, PAM password authentication is used when the runconfirmuser() function is invoked by the policy server host’s policy.

Privilege Management for Unix and Linux does not use the environment variables that are set by pam_env.

Privilege Management for Unix and Linux can read environment variables from /etc/environment or some other file.

For more information, please see the following:

Example: pampasswordservice login

Default: No default value

Used on:
  • Policy server hosts
  • Submit hosts
  • Run hosts

Many Privilege Management for Unix and Linux programs run as root. If you use a PAM service that allows root to bypass passwords (for example, su or anything containing rootok), then Privilege Management for Unix and Linux may also skip the password check.
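
The following is an added example, not part of the BeyondTrust documentation: a small POSIX shell check that reads the pampasswordservice and pamsessionservice keywords from a settings file and inspects the named PAM service for an auth line containing rootok, which is the bypass pattern the note above warns about. The settings fragment, the dedicated pbul service, and the su service are all constructed for the demo and written to a temporary directory; on a real host the files are /etc/pb.settings and /etc/pam.d/<service>, and the service name pbul is an assumption.

```shell
#!/bin/sh
# Added example: verify that the PAM services referenced from pb.settings
# do not let root skip the password check (e.g. via pam_rootok.so).
# All files below are constructed for the demo; they are not the product's own.

WORK="${TMPDIR:-/tmp}/pbul-pam-demo.$$"
mkdir -p "$WORK/pam.d"
trap 'rm -rf "$WORK"' EXIT

# Constructed pb.settings fragment using the keywords documented on this page.
cat > "$WORK/pb.settings" <<'EOF'
pam yes
pampasswordservice pbul
pamsessionservice pbul
pamsuppresspbpasswprompt no
pamsetcred no
EOF

# Constructed dedicated service (assumed name "pbul"): every auth goes
# through pam_unix, and pam_limits is present so ulimits apply at session start.
cat > "$WORK/pam.d/pbul" <<'EOF'
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_limits.so
session  required   pam_unix.so
EOF

# Constructed su-style service: pam_rootok.so lets root bypass the password,
# which is exactly what the documentation says to avoid for these keywords.
cat > "$WORK/pam.d/su" <<'EOF'
auth     sufficient pam_rootok.so
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
EOF

# pam_service_for KEYWORD SETTINGSFILE -> prints the service name, or nothing
pam_service_for() {
    awk -v k="$1" '$1 == k { print $2; exit }' "$2"
}

# pam_service_bypasses_root PAMDIR SERVICE
# exit 0 if any non-comment auth line in the service mentions rootok,
# exit 1 if none does, exit 2 if the service file cannot be read
pam_service_bypasses_root() {
    f="$1/$2"
    [ -r "$f" ] || return 2
    grep -v '^[[:space:]]*#' "$f" | awk '$1 == "auth"' | grep -q 'rootok'
}

# check_settings SETTINGSFILE PAMDIR -> exit 0 if every referenced service is safe
check_settings() {
    rc=0
    for kw in pampasswordservice pamsessionservice; do
        svc=$(pam_service_for "$kw" "$1")
        [ -n "$svc" ] || continue
        if pam_service_bypasses_root "$2" "$svc"; then
            echo "WARN: $kw=$svc allows root to bypass the password check" >&2
            rc=1
        fi
    done
    return $rc
}

check_settings "$WORK/pb.settings" "$WORK/pam.d" && echo "PAM services OK"
```

Pointing pampasswordservice at su in the constructed settings would make check_settings print the warning and return non-zero; the grep is deliberately broad (any rootok on an auth line, not just pam_rootok.so) so that it also flags locally renamed or wrapped modules.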

pamsessionservice

  • Version 3.5 and earlier: pamsessionservice setting not available.
  • Version 4.0 and later: pamsessionservice setting available.

If you want PAM to perform account management and session start and end services to manage task requests on a run host, then set pamsessionservice to the name of the service that you want to use. pblocald invokes the account management and session start portions when the requested task starts, and invokes session end services when the requested task finishes.

For local mode, the client invokes the account management module when the runuser is different than the submitting user (user). Unless I/O logging is active, session start and end services are skipped.

In version 6.0 and later, Privilege Management for Unix and Linux uses ulimits that are set by pam_limits during PAM session start. If you do not want to honor the ulimits that are set by PAM, use the pam_session_prepb6 setting.

Privilege Management for Unix and Linux does not use the environment variables that are set by pam_env.

Privilege Management for Unix and Linux can read environment variables from /etc/environment or some other file.

For more information, please see the following:

Example: pamsessionservice su

Default: No default value

Some PAM services may update the syslog and the utmp or utmpx files. To avoid duplicate entries, you might need to set recordunixptysessions and syslogsessions to no.

Used on:
  • Run hosts
  • Submit hosts (by pbksh and pbsh)

For more information, please see pam_session_prepb6.

pamsuppresspbpasswprompt

  • Version 5.1.1 and earlier: pamsuppresspbpasswprompt setting not available.
  • Version 5.1.2 and later: pamsuppresspbpasswprompt setting available.

If you want to suppress the Privilege Management for Unix and Linux password prompt when PAM authentication is enabled, then set pamsuppresspbpasswprompt to yes. Otherwise, if the Privilege Management for Unix and Linux password prompt is required, then set pamsuppresspbpasswprompt to no.

If the values of the user and runuser variables are different, the Privilege Management for Unix and Linux password prompt is always enabled, even if pamsuppresspbpasswprompt is set to yes.

Example: pamsuppresspbpasswprompt yes

Default: pamsuppresspbpasswprompt yes

Used on:
  • Policy server hosts
  • Submit hosts
  • Run hosts

pam_session_prepb6

  • Version 5.2 and earlier: pam_session_prepb6 setting not available.
  • Version 6.0 and later: pam_session_prepb6 setting available.

Prior to Privilege Management for Unix and Linux version 6, the PAM session was opened by the parent Privilege Management for Unix and Linux process. In version 6, this behavior was corrected so that the PAM session is opened from the child process that runs the secured task. Setting pam_session_prepb6 to yes reverts Privilege Management for Unix and Linux to the old behavior.

Example: pam_session_prepb6 yes

Default: pam_session_prepb6 no

Used on:
  • Run hosts

pamsetcred

  • Version 6.0 and earlier: pamsetcred setting not available.
  • Version 6.1 and later: pamsetcred setting available.

The pamsetcred keyword enables the pam_setcred() function, which is used to establish possible additional credentials of a user.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

For Solaris projects, this sets the Project ID to the default project, or to a specified project. Other scenarios are possible, depending on the OS PAM implementation and configuration.

The use of pam_setcred currently does not delete credentials after a session.

Example: pamsetcred yes

Default: pamsetcred no

Used on:
  • Run hosts