pam_aix module

The pam_aix module is a PAM module that provides PAM-enabled applications access to AIX® security services by providing interfaces that call the equivalent AIX services where they exist.

These services are in turn performed by a loadable authentication module or the AIX built-in function based on the user's definition and the corresponding setup in the methods.cfg file. Any error codes generated during execution of an AIX service are mapped to the corresponding PAM error code.

Figure 1. PAM Application to AIX Security Subsystem Path

This illustration shows the path that a PAM application API call will follow if the /etc/pam.conf file is configured to make use of the pam_aix module. As shown in the diagram, the integration allows users to be authenticated by any of the loadable authentication modules (DCE, LDAP, or KRB5) or in AIX files (compat).

The pam_aix module is installed in the /usr/lib/security directory. Integration of the pam_aix module requires that the /etc/pam.conf file be configured to make use of the module. Stacking is still available but is not shown in the following example of the /etc/pam.conf file:
#
# Authentication management
#
OTHER   auth     required       /usr/lib/security/pam_aix

#
# Account management
#
OTHER   account  required       /usr/lib/security/pam_aix 

#
# Session management
#
OTHER   session  required       /usr/lib/security/pam_aix 

#
# Password management
#
OTHER   password required       /usr/lib/security/pam_aix
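
The entries above give every service a pam_aix fallback through OTHER, but once stacking is used it is easy to leave one of the four module types uncovered or demoted. The following Python script is an added example (not part of the IBM documentation) that parses a pam.conf in the format shown above and reports, per module type, whether a service's stack (its own entries, else OTHER) contains a required or requisite pam_aix entry; the sample configuration and the /usr/lib/security/pam_hypothetical path are constructed for illustration.

```python
# Check an /etc/pam.conf for pam_aix coverage (added example, not IBM's code).
# Rule line format:  service  module_type  control_flag  module_path  [options]
# A service with no entries of a module_type falls back to the OTHER entries.
PAM_AIX = "/usr/lib/security/pam_aix"
MODULE_TYPES = ("auth", "account", "session", "password")

# Constructed sample: the page's OTHER entries minus the password line, a hypothetical
# module stacked before pam_aix for 'login', and pam_aix demoted to 'optional' for session.
SAMPLE_PAM_CONF = """\
# Authentication management
login   auth     sufficient     /usr/lib/security/pam_hypothetical
login   auth     required       /usr/lib/security/pam_aix
OTHER   auth     required       /usr/lib/security/pam_aix
OTHER   account  required       /usr/lib/security/pam_aix
OTHER   session  optional       /usr/lib/security/pam_aix
"""

def parse_pam_conf(text):
    """Return a list of (service, module_type, control_flag, module_path) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, path = fields[:4]
        rules.append((service.lower(), mtype.lower(), control.lower(), path))
    return rules

def stack_for(rules, service, module_type):
    """The stack PAM applies: the service's own entries, else the OTHER entries."""
    own = [r for r in rules if r[0] == service.lower() and r[1] == module_type]
    return own or [r for r in rules if r[0] == "other" and r[1] == module_type]

def audit_pam_aix(text, service="OTHER"):
    """Per module type, report whether the stack holds a mandatory pam_aix entry."""
    rules = parse_pam_conf(text)
    findings = {}
    for mtype in MODULE_TYPES:
        stack = stack_for(rules, service, mtype)
        mandatory = [r for r in stack if r[3] == PAM_AIX and r[2] in ("required", "requisite")]
        if not stack:
            findings[mtype] = "no entries: nothing handles this module type"
        elif not mandatory:
            findings[mtype] = "pam_aix missing or not required/requisite"
        else:
            findings[mtype] = "ok"
    return findings
```

Running audit_pam_aix on the sample flags session (pam_aix only optional) and password (no entries at all), while the stacked login auth entries still pass because pam_aix remains required.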

The pam_aix module has implementations for the pam_sm_authenticate, pam_sm_chauthtok, and pam_sm_acct_mgmt SPI functions. The pam_sm_setcred, pam_sm_open_session, and pam_sm_close_session SPI functions are also implemented in the pam_aix module, but they simply return PAM_SUCCESS when invoked.

The following is an approximate mapping of PAM SPI calls to the AIX security subsystem:
         PAM SPI                    AIX
        =========                  =====
        pam_sm_authenticate   -->  authenticate
        pam_sm_chauthtok      -->  passwdexpired, chpass
                                   Note: passwdexpired is only checked if the
                                   PAM_CHANGE_EXPIRED_AUTHTOK flag is passed in.
        pam_sm_acct_mgmt      -->  loginrestrictions, passwdexpired
        pam_sm_setcred        -->  No comparable mapping exists, PAM_SUCCESS returned
        pam_sm_open_session   -->  No comparable mapping exists, PAM_SUCCESS returned
        pam_sm_close_session  -->  No comparable mapping exists, PAM_SUCCESS returned

Data intended to be passed to the AIX security subsystem can be set using the pam_set_item function prior to module use; otherwise the pam_aix module will prompt for the data if it does not already exist.