Pluggable Authentication Module (PAM) Submethod
Pluggable Authentication Module is an authentication framework used in
Unix systems. In SSH Tectia, support for PAM is enabled as a submethod of
Keyboard-Interactive authentication.
When PAM is used, SSH Tectia Server (M) transfers the control of authentication to the
PAM library, which will then load the modules specified in the PAM configuration
file. Finally, the PAM library tells SSH Tectia Server (M) whether or not the
authentication was successful. SSH Tectia Server (M) is not aware of the details of the
actual authentication method employed by PAM. Only the final result is of
interest.
To enable PAM support,
include the following lines in the /etc/ssh2/sshd2_config file on the server:
AllowedAuthentications keyboard-interactive
...
AuthKbdInt.Optional pam
|
Include the following line in the /etc/ssh2/ssh2_config file on the client:
AllowedAuthentications keyboard-interactive
|
The PAM configuration settings are located either in
/etc/pam.conf or in /etc/pam.d/sshd2. The modules
are usually either in the /lib/security directory or in the
/usr/lib/security directory. Currently, SSH Tectia Server (M) supports PAM on
Linux and on Solaris 2.6 or later.
There must be at least one auth, one account, and one
session module in the configuration file. Otherwise the
connection will be refused. Also, modules which require PAM_TTY
will not work because TTY allocation is done in SSH Tectia Server (M) after the
authentication.
See Section Keyboard-Interactive Authentication for more information on Keyboard-Interactive
authentication.
Note: SSH Communications Security does not provide technical
support on how to configure PAM. Our support only covers SSH Tectia
applications.
PAM Examples
The following are examples of different PAM configurations.
PAM on Red Hat Linux
The /etc/pam.d/sshd2 file on Red Hat Linux:
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session required /lib/security/pam_pwdb.so
|
On SUSE LINUX, the configuration is otherwise the same but
pam_unix.so is used instead of pam_pwdb.so.
PAM on Sun Solaris
The /etc/pam.conf entry on Solaris:
sshd2 auth required /usr/lib/security/pam_unix.so debug
sshd2 account required /usr/lib/security/pam_unix.so debug
sshd2 password required /usr/lib/security/pam_unix.so debug
sshd2 session required /usr/lib/security/pam_unix.so debug
|
PAM Used with LDAP on Red Hat Linux
The following is an example on how to configure PAM to use LDAP
authentication on a Red Hat 9 machine. Before trying this setup, verify
that PAM works for local accounts.
In the file /etc/pam.d/sshd2, add the following:
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so
|
In the file /etc/nsswitch.conf, add the following:
passwd: files ldap
shadow: files ldap
group: files ldap
|
In the file /etc/ldap.conf, add the following:
host ldapserver.company.com
base dc=company,dc=com
ldap_version 3
port 389
scope one
pam_min_uid 10000
pam_max_uid 20000
nss_base_passwd ou=accounts,dc=company,dc=com?one
nss_base_shadow ou=accounts,dc=company,dc=com?one
nss_base_group ou=groups,dc=company,dc=com?one
ssl no
pam_password md5
|
This is just an example and needs to be modified according to your LDAP
server configuration.
