SSH Tectia

Pluggable Authentication Module (PAM) Submethod

Pluggable Authentication Module is an authentication framework used in Unix systems. In SSH Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.

When PAM is used, SSH Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Tectia Server whether or not the authentication was successful. SSH Tectia Server is not aware of the details of the actual authentication method employed by PAM. Only the final result is of interest.

The following example shows settings for keyboard-interactive authentication using the PAM submethod in the ssh-server-config.xml file:

<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-pam dll-path="path-to-pam-dll" />
    </auth-keyboard-interactive>
  ...
  </authentication>
</authentication-methods>

On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.

Note

SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Tectia applications.

PAM Examples

The following are examples of different PAM configurations.

PAM on Red Hat Linux

The /etc/pam.d/ssh-server-g3 file on Red Hat Linux:

auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so

On SUSE LINUX, the configuration is otherwise the same but pam_unix.so is used instead of pam_pwdb.so.

PAM on Sun Solaris

On Solaris versions 8 and 9 (and earlier), the /etc/pam.conf entry is as follows:

ssh-server-g3  auth      required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  account   required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  password  required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  session   required  /usr/lib/security/pam_unix.so debug

On Solaris 10, the pam_unix.so module is no longer supported, but similar functionality is provided by other modules. If needed, a specific PAM library path can be specified in the SSH Tectia Server configuration file ssh-server-config.xml in the submethod-pam element with the dll-path attribute.
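Because SSH Tectia Server only sees PAM's final verdict, the PAM stack itself is the place to review. The following Python linter is an added example, not part of SSH Tectia or its documentation: it parses both formats shown above (the /etc/pam.d/ssh-server-g3 file, which has no service column, and the Solaris /etc/pam.conf lines, which do) and flags a management group with no entry, nullok on the auth stack, and debug left enabled. The function names parse_pam and lint are the example's own, and the embedded sample stacks are constructed from the two configurations on this page.

```python
from collections import namedtuple

SERVICE = "ssh-server-g3"  # PAM service name SSH Tectia Server uses
GROUPS = ("auth", "account", "password", "session")
PamEntry = namedtuple("PamEntry", "group control module args")

def parse_pam(text, service=SERVICE):
    """Return the entries for `service` in stack order (pam.d or pam.conf form)."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments and blank lines
        if not fields:
            continue
        if fields[0] not in GROUPS:            # /etc/pam.conf: service column first
            if fields[0] != service:
                continue                       # belongs to another service
            fields = fields[1:]
        if len(fields) < 3 or fields[0] not in GROUPS:
            continue                           # malformed line, skipped
        entries.append(PamEntry(fields[0], fields[1], fields[2], tuple(fields[3:])))
    return entries

def lint(entries):
    """Findings to review before handing logins to this stack; [] means clean."""
    found = []
    for g in GROUPS:
        if not any(e.group == g for e in entries):
            found.append(f"no '{g}' entry for {SERVICE}: that phase has no module")
    for e in entries:
        if e.group == "auth" and "nullok" in e.args:
            found.append(f"auth {e.module}: nullok lets empty-password accounts log in")
        if "debug" in e.args:
            found.append(f"{e.group} {e.module}: debug leaves verbose auth logging on")
    return found

# Constructed samples, copied from the two stacks shown on this page.
REDHAT_PAMD = """auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so
"""
SOLARIS_PAMCONF = """login          auth      required  /usr/lib/security/pam_unix.so
ssh-server-g3  auth      required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  account   required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  password  required  /usr/lib/security/pam_unix.so debug
ssh-server-g3  session   required  /usr/lib/security/pam_unix.so debug
"""
```

Running lint(parse_pam(REDHAT_PAMD)) reports only the nullok on the auth pam_pwdb.so line, while the Solaris sample yields one debug finding per entry and the unrelated login line is ignored.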

PAM Used with LDAP on Red Hat Linux

The following is an example of how to configure PAM to use LDAP authentication on a Red Hat machine. Before trying this setup, verify that PAM works for local accounts.

In the file /etc/pam.d/ssh-server-g3, add the following:

auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so

In the file /etc/nsswitch.conf, add the following:

passwd: files ldap
shadow: files ldap
group: files ldap

In the file /etc/ldap.conf, add the following:

host ldapserver.company.com
base dc=company,dc=com
ldap_version 3
port 389
scope one
pam_min_uid 10000
pam_max_uid 20000
nss_base_passwd ou=accounts,dc=company,dc=com?one
nss_base_shadow ou=accounts,dc=company,dc=com?one
nss_base_group ou=groups,dc=company,dc=com?one
ssl no
pam_password md5

This is just an example and needs to be modified according to your LDAP server configuration.