Pluggable Authentication Module is an authentication framework used in Unix systems. In Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.
When PAM is used, Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells Tectia Server whether or not the authentication was successful. Tectia Server is not aware of the details of the actual authentication method employed by PAM, only the final result is of interest.
The PAM authentication can be enabled by creating a PAM configuration for the service
ssh-server-g3. For information on how to do PAM session and account
management irrespective of the authentication methods used, see the configuration element
In addition, you can
define separate authentication blocks with specific PAM settings (in element
<submethod-pam>) which will override the PAM defaults for that
particular authentication block.
It is possible to configure the user session
management and the authentication to use different services for PAM authentication. This is
done by defining different services in the
service-name attribute in the
pluggable-authentication-modules element and in the
Tectia Server expects to find the PAM libraries in the default paths of the supported operating systems. You need to define the PAM libraries in the server configuration only if they are used from non-default locations.
The following configuration example shows the PAM authentication
related settings in the
SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers Tectia applications.
The following are examples of the PAM configurations on different platforms.
Please note that these are just examples and need to be modified according to the actual server configuration.
On Red Hat Linux 5, add PAM configuration file
/etc/pam.d/ssh-server-g3 with contents:
auth include system-auth account required pam_nologin.so account include system-auth password include system-auth session optional pam_keyinit.so force revoke session include system-auth session required pam_loginuid.so
When the PAM library is used from the default path, the PAM definitions in the
Tectia Server configuration file
ssh-server-config.xml can be simply as
<authentication-methods> <authentication action="allow"> <auth-keyboard-interactive > <submethod-pam /> </auth-keyboard-interactive > ... </authentication> </authentication-methods>
On SUSE Linux Enterprise Server 10 (both 32- and
64-bit versions) the default configuration settings are suitable for most PAM
authentications. You can add file
auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session
The following example configuration in
PAM session and account management with the service
sshd2 (instead of
ssh-server-g3). The authentication submethod PAM is
configured to use service
ssh-server-g3. The PAM library is used from
the default path.
<params> <pluggable-authentication-modules service-name="sshd2" pam-calls-with-commands="yes" /> </params> <!-- ... --> <authentication-methods> <authentication action="allow" name="allow-default"> <auth-keyboard-interactive> <submethod-pam service-name="ssh-server-g3"/> </auth-keyboard-interactive> </authentication> </authentication-methods>
On AIX, the PAM library is able to recognize whether the calling
application is 32- or 64-bit and then substitute the correct path to load modules if
full path has not been specified in the
/etc/pam.conf file. If the
pam.conf file has the following specified for
ssh-server-g3, it should work with both Tectia Server versions 6.1 and
ssh-server-g3 auth required pam_aix ssh-server-g3 account required pam_aix ssh-server-g3 password required pam_aix ssh-server-g3 session required pam_aix
If PAM authentication is in use and you are updgrading to Tectia Server 6.6, which
is a 64-bit version, note that if the full path is set in the
On Solaris versions 10 and 11, add the
/etc/pam.conf entry with contents:
ssh-server-g3 auth requisite pam_authtok_get.so.1 ssh-server-g3 auth required pam_dhkeys.so.1 ssh-server-g3 auth required pam_unix_cred.so.1 ssh-server-g3 auth required pam_unix_auth.so.1 ssh-server-g3 account requisite pam_roles.so.1 ssh-server-g3 account required pam_unix_account.so.1 ssh-server-g3 session required pam_unix_session.so.1 ssh-server-g3 password required pam_dhkeys.so.1 ssh-server-g3 password requisite pam_authtok_get.so.1 ssh-server-g3 password requisite pam_authtok_check.so.1 ssh-server-g3 password required pam_authtok_store.so.1
If the PAM library is used from a path different than the operating system
default, the path must be specified in the Tectia Server configuration file
ssh-server-config.xml both in the
pluggable-authentication-modules and in the
submethod-pam element with the
dll-path attribute. For
<params> <pluggable-authentication-modules dll-path="
path-to-pam-dll" pam-calls-with-commands="yes" /> </params> <authentication-methods> <authentication action="allow" name="allow-default"> <auth-keyboard-interactive> <submethod-pam dll-path="
path-to-pam-dll" /> </auth-keyboard-interactive> </authentication> </authentication-methods>
On Solaris, the account lockout setting LOCK_AFTER_RETRIES in
The following is an example on how to configure PAM to use LDAP authentication on a Red Hat Linux machine. Before trying this setup, verify that PAM works for local accounts. Modify the example settings according to your LDAP server configuration.
/etc/pam.d/ssh-server-g3, add the
auth required /lib/security/pam_ldap.so account required /lib/security/pam_ldap.so password required /lib/security/pam_ldap.so session required /lib/security/pam_ldap.so
/etc/nsswitch.conf, add the following settings:
passwd: files ldap shadow: files ldap group: files ldap
/etc/ldap.conf, add the following settings:
host ldapserver.company.com base dc=company,dc=com ldap_version 3 port 389 scope one pam_min_uid 10000 pam_max_uid 20000 nss_base_passwd ou=accounts,dc=company,dc=com?one nss_base_shadow ou=accounts,dc=company,dc=com?one nss_base_group ou=groups,dc=company,dc=com?one ssl no pam_password md5