SSH Tectia  
Previous Next Up [Contents] [Index]


Pluggable Authentication Module (PAM) Submethod

Pluggable Authentication Modules (PAM) is an authentication framework used on Unix systems. In SSH Tectia, PAM support is provided as a submethod of Keyboard-Interactive authentication.

When PAM is used, SSH Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Tectia Server whether or not the authentication was successful. SSH Tectia Server is not aware of the details of the actual authentication method employed by PAM. Only the final result is of interest.

To enable PAM support, include the following lines in the /etc/ssh2/sshd2_config file on the server:

AllowedAuthentications   keyboard-interactive
...
AuthKbdInt.Optional      pam

Include the following line in the /etc/ssh2/ssh2_config file on the client:

AllowedAuthentications   keyboard-interactive

The PAM configuration settings are located either in /etc/pam.conf or in /etc/pam.d/sshd2. The modules are usually either in the /lib/security directory or in the /usr/lib/security directory. Currently, SSH Tectia Server supports PAM on Linux and on Solaris 2.6 or later.

There must be at least one auth, one account, and one session module in the configuration file. Otherwise the connection will be refused. Also, modules that require the PAM_TTY item will not work, because SSH Tectia Server allocates the TTY only after authentication, so the item is not set while the PAM stack runs.

See Section Keyboard-Interactive Authentication for more information on Keyboard-Interactive authentication.

Note: SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Tectia applications.

PAM Examples

The following are examples of different PAM configurations.

PAM on Red Hat Linux

The /etc/pam.d/sshd2 file on Red Hat Linux:

auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so

On SUSE LINUX, the configuration is otherwise the same but pam_unix.so is used instead of pam_pwdb.so.

PAM on Sun Solaris

The /etc/pam.conf entry on Solaris:

sshd2  auth      required  /usr/lib/security/pam_unix.so debug 
sshd2  account   required  /usr/lib/security/pam_unix.so debug 
sshd2  password  required  /usr/lib/security/pam_unix.so debug
sshd2  session   required  /usr/lib/security/pam_unix.so debug
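Before relying on a stack like the ones above, it is worth checking it against the two rules stated earlier in this section (an auth, an account and a session group must each be present, and PAM_TTY-dependent modules do not work). The following is an added example written for this page, not a tool shipped with SSH Tectia or by SSH Communications Security: it parses either a /etc/pam.d/sshd2 file or the service-prefixed /etc/pam.conf format and reports violations. The sample stacks are constructed for the example (the Red Hat and Solaris ones copy the manual's entries); the set of PAM_TTY-reading modules is illustrative and an assumption.

```python
"""Check a PAM stack against the requirements stated in this section.

Added example; it is not part of SSH Tectia and not an SSH Communications
Security tool. It parses either a /etc/pam.d/sshd2 file (type control
module args) or an /etc/pam.conf file (service type control module args),
then reports what the manual says will break: a missing auth, account or
session group (connection refused), and modules that read PAM_TTY, which
SSH Tectia Server has not set because the TTY is allocated after
authentication. The sample stacks below are constructed for the example.
"""

REQUIRED_GROUPS = ("auth", "account", "session")  # "password" is not required

# Modules that inspect PAM_TTY. pam_securetty.so is a known case; the set is
# illustrative (assumption), extend it for your own PAM deployment.
TTY_MODULES = {"pam_securetty.so"}


def parse_pam(text, service=None):
    """Parse PAM configuration lines into (type, control, module, args) tuples.

    With service=None the text is a /etc/pam.d/<service> file; otherwise it
    is a /etc/pam.conf file and only lines for that service are kept.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if service is not None:
            if fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        mtype = fields[0].lstrip("-").lower()  # leading '-' only silences a missing module
        if fields[1].startswith("["):
            # Linux-PAM extended control, e.g. [success=ok new_authtok_reqd=done default=bad]
            end = 1
            while end < len(fields) and not fields[end].endswith("]"):
                end += 1
            if end == len(fields):
                raise ValueError("unterminated control field: %r" % raw)
            control = " ".join(fields[1:end + 1])
            rest = fields[end + 1:]
        else:
            control, rest = fields[1], fields[2:]
        if not rest:
            raise ValueError("missing module path: %r" % raw)
        module = rest[0].rsplit("/", 1)[-1]  # compare by basename; the search path varies
        entries.append((mtype, control, module, rest[1:]))
    return entries


def check_stack(entries):
    """Return a list of problems; an empty list means the stack meets the rules."""
    problems = []
    present = {mtype for mtype, _, _, _ in entries}
    for group in REQUIRED_GROUPS:
        if group not in present:
            problems.append("no %s module: SSH Tectia Server refuses the connection" % group)
    for mtype, _, module, _ in entries:
        if module in TTY_MODULES:
            problems.append("%s module %s needs PAM_TTY, which is unset during "
                            "SSH Tectia authentication" % (mtype, module))
    return problems


# Constructed samples: the manual's Red Hat /etc/pam.d/sshd2 stack ...
REDHAT_SSHD2 = """\
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so
"""

# ... a /etc/pam.conf with the sshd2 entries next to another service ...
SOLARIS_PAM_CONF = """\
# sshd2 stack, as in the manual; the login line belongs to another service
login  auth      required  /usr/lib/security/pam_unix.so
sshd2  auth      required  /usr/lib/security/pam_unix.so debug
sshd2  account   required  /usr/lib/security/pam_unix.so debug
sshd2  password  required  /usr/lib/security/pam_unix.so debug
sshd2  session   required  /usr/lib/security/pam_unix.so debug
"""

# ... and a stack that violates both rules (no session group, pam_securetty).
BROKEN_SSHD2 = """\
auth     [success=1 default=ignore] /lib/security/pam_unix.so nullok
auth     requisite /lib/security/pam_deny.so
auth     required  /lib/security/pam_securetty.so
account  required  /lib/security/pam_unix.so
password required  /lib/security/pam_unix.so
"""

if __name__ == "__main__":
    for name, entries in (("redhat", parse_pam(REDHAT_SSHD2)),
                          ("solaris", parse_pam(SOLARIS_PAM_CONF, service="sshd2")),
                          ("broken", parse_pam(BROKEN_SSHD2))):
        print(name, check_stack(entries) or "OK")
```

Run it as-is to see the three verdicts, or point parse_pam at the contents of your own /etc/pam.d/sshd2 (or /etc/pam.conf with service="sshd2"). The checker does not follow include or substack directives, so stacks that pull in a common file must be checked with that file's contents merged in.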

PAM Used with LDAP on Red Hat Linux

The following is an example of how to configure PAM to use LDAP authentication on a Red Hat 9 machine. Before trying this setup, verify that PAM works for local accounts.

In the file /etc/pam.d/sshd2, add the following:

auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so

In the file /etc/nsswitch.conf, add the following:

passwd: files ldap
shadow: files ldap
group: files ldap

In the file /etc/ldap.conf, add the following:

host ldapserver.company.com
base dc=company,dc=com
ldap_version 3
port 389
scope one
pam_min_uid 10000
pam_max_uid 20000
nss_base_passwd ou=accounts,dc=company,dc=com?one
nss_base_shadow ou=accounts,dc=company,dc=com?one
nss_base_group ou=groups,dc=company,dc=com?one
ssl no
pam_password md5

This is just an example and needs to be modified according to your LDAP server configuration. Note in particular that with ssl no, pam_ldap binds to the directory over plain LDAP on port 389 and the user's password crosses the network in cleartext; for production use, enable TLS (ssl start_tls, or ssl on with an ldaps port) and point tls_cacertfile at the CA certificate so the server identity is verified.

PAM Account Management and Session Logging

Normally account management and session logging are done as a part of PAM authentication when it is used (keyboard-interactive with the submethod pam). This feature allows limited account management and session logging by PAM to be used for all authentication methods.

Provided that the feature is enabled (see configuration options below) and that full PAM authentication was not used successfully, the PAM account management functions will be called after successful authentication. Access is denied if pam_acct_mgmt() returns an error. After pam_acct_mgmt() has approved the connection, pam_open_session() will be called, followed by pam_close_session() after the connection has been closed.

Note that if full PAM authentication has been performed, this feature will not be used, as the account management function has already been called as a part of normal PAM authentication. This means that if more than one authentication method is required, PAM account management is done either after all authentications have succeeded (as separate PAM account management) or before the remaining authentications (as a part of PAM authentication).

Configuration Options

  • AlwaysUsePAMAccountManagement

    If PAM authentication was not used, still use the PAM function pam_acct_mgmt to check login restrictions as configured in the account group of the system's PAM configuration. Even if this option is disabled, the account management will be called if PAM authentication was used. The argument must be yes or no. The default is no.

  • AlwaysUsePAMSessionLogging

    If PAM authentication was not used, still use the PAM functions pam_open_session and pam_close_session to log session data as configured in the session group of the system's PAM configuration. Even if this option is disabled, the session functions will be called if PAM authentication was used. The argument must be yes or no. The default is no.

  • ForcedPAMAccountManagementPasswordChange

    If PAM account management is used and it requires an authentication token change (pam_acct_mgmt returns PAM_NEW_AUTHTOK_REQD) and the used authentication method also requires a password change, allow this connection, as it can only be used to change the password. The user's login shell will be replaced with the passwd command and the user is disconnected afterwards. Note that if AlwaysUsePAMSessionLogging is enabled, pam_open_session will be called on connection before the password has been changed. Disabling this option will cause the server to disconnect the client with an error message stating that a password change is needed and that the user should connect again using the keyboard-interactive authentication method. This option does not affect normal PAM authentication, which will still prompt for a new password even if this option has been disabled. The argument must be yes or no. The default is no.
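The interaction of the three options with the authentication method that was actually used is easy to misread, so the following added example (not SSH Tectia code, and not an interface of the server) models the decision sequence described in this section: which PAM functions the server would call after a successful authentication and whether the connection is allowed, denied, or restricted to a forced password change. The PAM calls are only recorded by name; the pam_acct_mgmt result is supplied as input. Function names and the "passwd-only" outcome label are this example's own, and the handling of PAM_NEW_AUTHTOK_REQD when only one of the two conditions for a forced change holds is modelled as a denial (an assumption; the manual allows the session only when both hold).

```python
"""Model of SSH Tectia Server's post-authentication PAM handling.

Added example, not code from SSH Tectia: it reproduces the decision
sequence described in "PAM Account Management and Session Logging" so the
interaction of AlwaysUsePAMAccountManagement, AlwaysUsePAMSessionLogging
and ForcedPAMAccountManagementPasswordChange can be traced. PAM calls are
recorded by name, not executed; pam_acct_mgmt's result is an input.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"   # account valid, but the token must change
PAM_PERM_DENIED = "PAM_PERM_DENIED"             # any other error: access is denied

DEFAULTS = {  # the manual's defaults: all three options are off
    "AlwaysUsePAMAccountManagement": False,
    "AlwaysUsePAMSessionLogging": False,
    "ForcedPAMAccountManagementPasswordChange": False,
}


def post_auth_pam(config, pam_auth_used, acct_rc=PAM_SUCCESS,
                  method_needs_passwd_change=False):
    """Return (outcome, steps) for a connection that has just authenticated.

    outcome: "allow", "deny", or "passwd-only" (the login shell is replaced
             by passwd and the user is disconnected afterwards).
    steps:   the PAM functions (and the forced passwd run) in call order.
    """
    cfg = {**DEFAULTS, **config}
    steps = []

    # Full PAM authentication (keyboard-interactive, submethod pam) already
    # ran pam_acct_mgmt and the session functions as part of the exchange,
    # so the separate feature is not used again.
    if pam_auth_used:
        return "allow", ["(handled inside keyboard-interactive pam)"]

    outcome = "allow"
    if cfg["AlwaysUsePAMAccountManagement"]:
        steps.append("pam_acct_mgmt")
        if acct_rc == PAM_NEW_AUTHTOK_REQD:
            if (cfg["ForcedPAMAccountManagementPasswordChange"]
                    and method_needs_passwd_change):
                outcome = "passwd-only"
            else:
                # Client is disconnected with a message to reconnect using
                # keyboard-interactive. Assumption: also when only one of the
                # two conditions for a forced change is met.
                outcome = "deny"
        elif acct_rc != PAM_SUCCESS:
            outcome = "deny"

    if outcome != "deny" and cfg["AlwaysUsePAMSessionLogging"]:
        steps.append("pam_open_session")    # runs before any forced password change
        if outcome == "passwd-only":
            steps.append("passwd")
        steps.append("pam_close_session")   # after the connection is closed
    elif outcome == "passwd-only":
        steps.append("passwd")
    return outcome, steps


if __name__ == "__main__":
    full = {k: True for k in DEFAULTS}
    print(post_auth_pam({}, pam_auth_used=False))
    print(post_auth_pam({"AlwaysUsePAMAccountManagement": True}, False, PAM_PERM_DENIED))
    print(post_auth_pam(full, False, PAM_NEW_AUTHTOK_REQD, method_needs_passwd_change=True))
    print(post_auth_pam({"AlwaysUsePAMAccountManagement": True}, False,
                        PAM_NEW_AUTHTOK_REQD, method_needs_passwd_change=True))
```

The third call shows the ordering caveat from the option description: with session logging enabled, pam_open_session is recorded before passwd runs, so a session module that inspects the account state sees the pre-change password.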




Copyright © 2010 SSH Communications Security Corp.