pam_aix module
The pam_aix module is a PAM module that provides PAM-enabled applications access to AIX® security services by providing interfaces that call the equivalent AIX services where they exist.
These services are in turn performed by a loadable authentication module or the AIX built-in function based on the user's definition and the corresponding setup in the methods.cfg file. Any error codes generated during execution of an AIX service are mapped to the corresponding PAM error code.
This illustration shows the path that a PAM application API call will follow if the /etc/pam.conf file is configured to make use of the pam_aix module. As shown in the diagram, the integration allows users to be authenticated by any of the loadable authentication modules (DCE, LDAP, or KRB5) or in AIX files (compat).
#
# Authentication management
#
OTHER auth required /usr/lib/security/pam_aix
#
# Account management
#
OTHER account required /usr/lib/security/pam_aix
#
# Session management
#
OTHER session required /usr/lib/security/pam_aix
#
# Password management
#
OTHER password required /usr/lib/security/pam_aix
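As an added example that is not part of the AIX documentation, the following Python script parses pam.conf entries in the format shown above and reports, for one service name, which of the four management groups are routed to pam_aix and with what control flag. The function names and the sample configurations are constructed for this example.

```python
# Audit an AIX-style pam.conf for pam_aix coverage (added example; entry format:
# service_name  module_type  control_flag  module_path  [options]).
MODULE_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Return (service, module_type, control, module_path, options) tuples.
    Comments and blank lines are ignored; malformed lines are skipped, not guessed at."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            continue
        entries.append((fields[0], fields[1], fields[2].lower(), fields[3], tuple(fields[4:])))
    return entries

def pam_aix_coverage(text, service="OTHER"):
    """Map each module type to the control flag of the service's pam_aix entry, or None if absent."""
    coverage = dict.fromkeys(MODULE_TYPES)
    for svc, mtype, control, path, _opts in parse_pam_conf(text):
        # Match on the file name so relative and absolute module paths both count.
        if svc == service and path.rsplit("/", 1)[-1].startswith("pam_aix"):
            coverage[mtype] = control
    return coverage

def findings(text, service="OTHER"):
    """List management groups where pam_aix is missing or not stacked as 'required'."""
    out = []
    for mtype, control in pam_aix_coverage(text, service).items():
        if control is None:
            out.append(f"{service} {mtype}: pam_aix not configured")
        elif control != "required":
            out.append(f"{service} {mtype}: pam_aix control flag is '{control}', expected 'required'")
    return out

# Constructed sample configurations (not taken from a real system).
GOOD_CONF = """
# Authentication management
OTHER auth required /usr/lib/security/pam_aix
OTHER account required /usr/lib/security/pam_aix
OTHER session required /usr/lib/security/pam_aix
OTHER password required /usr/lib/security/pam_aix
"""
WEAK_CONF = """
OTHER auth sufficient /usr/lib/security/pam_aix   # 'sufficient': a failure here is ignored
OTHER account required /usr/lib/security/pam_aix
OTHER password required pam_aix
"""
if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, findings(conf) or ["no findings"])
```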
The pam_aix module has implementations for the pam_sm_authenticate, pam_sm_chauthtok, and pam_sm_acct_mgmt SPI functions. The pam_sm_setcred, pam_sm_open_session, and pam_sm_close_session SPI functions are also implemented in the pam_aix module, but they have no AIX equivalent and simply return PAM_SUCCESS when invoked.
PAM SPI                  AIX service
=======================  ==================================================
pam_sm_authenticate      authenticate
pam_sm_chauthtok         passwdexpired, chpass
                         Note: passwdexpired is only checked if the
                         PAM_CHANGE_EXPIRED_AUTHTOK flag is passed in.
pam_sm_acct_mgmt         loginrestrictions, passwdexpired
pam_sm_setcred           No comparable mapping exists, PAM_SUCCESS returned
pam_sm_open_session      No comparable mapping exists, PAM_SUCCESS returned
pam_sm_close_session     No comparable mapping exists, PAM_SUCCESS returned
Data intended to be passed to the AIX security subsystem can be set with the pam_set_item function before the module is used; if an item has not already been set, the pam_aix module prompts for it itself.