Pluggable Authentication Modules

Endpoint Privilege Management for Unix and Linux can use Pluggable Authentication Modules (PAM) on systems where it is available. Endpoint Privilege Management for Unix and Linux invokes password authentication services, account management services, and session start/end services.

pam

  • Version 3.5 and earlier: pam setting not available.
  • Version 4.0 and later: pam setting available.

The pam setting enables the use of PAM if set to yes, or disables it if set to no.

pam yes

Default

pam no

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

libpam

  • Version 5.1.1 and earlier: libpam setting not available.
  • Version 5.2 and later: libpam setting available.

libpam is a user-defined PAM library that Endpoint Privilege Management for Unix and Linux uses as a first option in case the system does not use the standard default PAM libraries. The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)

libpam /lib/libpam.so.1

Default

No default value

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

pampasswordservice

  • Version 3.5 and earlier: pampasswordservice setting not available.
  • Version 4.0 and later: pampasswordservice setting available.

If you want Endpoint Privilege Management for Unix and Linux to use PAM password authentication and account management for password authentication, set pampasswordservice to the name of the PAM service that you want to use.

  • On a policy server host, PAM password authentication is used for the getuserpasswd() function.
  • On a submit host, PAM password authentication is used when the submitconfirmuser() function is invoked by the policy server host’s policy.
  • On a run host, PAM password authentication is used when the runconfirmuser() function is invoked by the policy server host’s policy.

Endpoint Privilege Management for Unix and Linux does not use the environment variables that are set by pam_env. Endpoint Privilege Management for Unix and Linux can read environment variables from /etc/environment or some other file. For more information, see the following:

pampasswordservice login

Default

No default value

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

Many Endpoint Privilege Management for Unix and Linux programs run as root. If you use a PAM service that allows root to bypass passwords (for example, su or anything containing rootok), then Endpoint Privilege Management for Unix and Linux may also skip the password check.
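As an added example that is not part of this documentation or of the product itself, the following POSIX shell audit reads pampasswordservice from a pb.settings-style file and reports whether the named PAM service would let a root-owned process skip the password check, as warned above. The file paths, the helper names (pb_setting, pam_service_allows_rootok, check_pampasswordservice) and the fixture contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit the pampasswordservice / rootok pitfall described above.
# Assumes a pb.settings-style file of "keyword value" lines and a pam.d directory
# holding one file per PAM service; both are passed in as parameters.

# Print the value of a keyword from a pb.settings-style file (last match wins,
# "#" comment lines are ignored). Returns 1 if the keyword is absent.
pb_setting() {
    # $1 = settings file, $2 = keyword
    awk -v k="$2" '$1 == k { v = $2 } END { if (v == "") exit 1; print v }' "$1"
}

# Succeeds if the PAM service is "su" or its service file references a rootok
# module, the two conditions the text above calls out as bypassing the password.
pam_service_allows_rootok() {
    # $1 = pam.d directory, $2 = PAM service name
    [ "$2" = "su" ] && return 0
    [ -f "$1/$2" ] && grep -q 'rootok' "$1/$2"
}

# Report "unset" (no pampasswordservice), "risk" (root bypass possible) or "ok".
check_pampasswordservice() {
    # $1 = settings file, $2 = pam.d directory
    svc=$(pb_setting "$1" pampasswordservice) || { echo unset; return 0; }
    if pam_service_allows_rootok "$2" "$svc"; then echo risk; else echo ok; fi
}

# Constructed fixture (not real configuration): a settings file that points
# password authentication at a dedicated service, plus two PAM service files.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/pam.d"
printf 'pam yes\npampasswordservice pbul_auth\npamsessionservice su\n' > "$FIX/pb.settings"
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' > "$FIX/pam.d/pbul_auth"
printf 'auth sufficient pam_rootok.so\nauth required pam_unix.so\n' > "$FIX/pam.d/su"

check_pampasswordservice "$FIX/pb.settings" "$FIX/pam.d"
```

Pointing pampasswordservice at su in the fixture flips the report to "risk" because that service file carries pam_rootok.so.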

pamsessionservice

  • Version 3.5 and earlier: pamsessionservice setting not available.
  • Version 4.0 and later: pamsessionservice setting available.

If you want PAM to perform account management and session start and end services to manage task requests on a run host, then set pamsessionservice to the name of the service that you want to use. pblocald invokes the account management and session start portions when the requested task starts, and invokes session end services when the requested task finishes.

For local mode, the client invokes the account management module when the runuser is different than the submitting user (user). Unless I/O logging is active, session start and end services are skipped.

In version 6.0 and later, Endpoint Privilege Management for Unix and Linux uses ulimits that are set by pam_limits during PAM session start. If you do not want to honor the ulimits that are set by PAM, use the pam_session_prepb6 setting.

Endpoint Privilege Management for Unix and Linux does not use the environment variables that are set by pam_env.

Endpoint Privilege Management for Unix and Linux can read environment variables from /etc/environment or some other file.

For more information, see the following:

pamsessionservice su

Default

No default value

Some PAM services may update the syslog and the utmp or utmpx files. To avoid duplicate entries, you might need to set recordunixptysessions and syslogsessions to no.

Used on

  • Run hosts
  • Submit hosts by pbksh and pbsh

For more information, see pam_session_prepb6.

pamsuppresspbpasswprompt

  • Version 5.1.1 and earlier: pamsuppresspbpasswprompt setting not available.
  • Version 5.1.2 and later: pamsuppresspbpasswprompt setting available.

If you want to suppress the Endpoint Privilege Management for Unix and Linux password prompt when PAM authentication is enabled, then set pamsuppresspbpasswprompt to yes. Otherwise, if the Endpoint Privilege Management for Unix and Linux password prompt is required, then set pamsuppresspbpasswprompt to no.

If the values of the user and runuser variables are different, the Endpoint Privilege Management for Unix and Linux password prompt is always enabled, even if pamsuppresspbpasswprompt is set to yes.

pamsuppresspbpasswprompt yes

Default

pamsuppresspbpasswprompt yes

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

pam_session_prepb6

  • Version 5.2 and earlier: pam_session_prepb6 setting not available.
  • Version 6.0 and later: pam_session_prepb6 setting available.

Prior to Endpoint Privilege Management for Unix and Linux version 6, the PAM session is called by the parent Endpoint Privilege Management for Unix and Linux process. In version 6, this behavior was corrected so that the PAM session is called from the child process that runs the secured task. By setting pam_session_prepb6 to yes, you can revert Endpoint Privilege Management for Unix and Linux to the old behavior.

pam_session_prepb6 yes

Default

pam_session_prepb6 no

Used on

Run hosts

pamsetcred

  • Version 6.0 and earlier: pamsetcred setting not available.
  • Version 6.1 and later: pamsetcred setting available.

The pamsetcred keyword enables the pam_setcred() function, which is used to establish possible additional credentials of a user.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

For Solaris projects, this sets the Project ID to the default project, or to a specified project. Other scenarios are possible, depending on the OS PAM implementation and configuration.

The use of pam_setcred currently does not delete credentials after a session.

pamsetcred yes

Default

pamsetcred no

Used on

Run hosts