The PAM configuration differs slightly between different versions of HP-UX. These configurations are described below.
Edit the /etc/pam.conf file to reflect the following example:
# # PAM configuration # # This pam.conf file is intended as an example only. # see pam.conf(4) for more details # # ################################################################ # This sample file will authenticate the user who belongs to # # either Kerberos or Unix system. Using this configuration file# # if the user is authenticated through Kerberos then the Unix # # authentication will not be invoked. However,if the Kerberos # # authentication fails for the user, then the fallback # # authentication mechanism PAM-Unix will be invoked to # # authenticate the user.The assumption is the user is either # # present in Kerberos or in Unix system. # # # # In case, the administrator wants the password for all the # # users to be synchronous between Kerberos and Unix systems, # # then the control flag should to be set to "required" for all # # the entries with use_first_pass option set for pam_unix. # # If password synchronization is optional then try_first_pass # # option need to be set for pam_unix, so that the user can # # login using the appropriate passwords. # # # # The module pam_hpsec(5) is stacked as mandatory module above # # all the modules for making security checks before # # authentication. # ################################################################ # # # Authentication management # login auth required libpam_hpsec.so.1 login auth sufficient libpam_krb5.so.1 login auth required libpam_unix.so.1 try_first_pass su auth required libpam_hpsec.so.1 su auth sufficient libpam_krb5.so.1 su auth required libpam_unix.so.1 try_first_pass dtlogin auth required libpam_hpsec.so.1 dtlogin auth sufficient libpam_krb5.so.1 dtlogin auth required libpam_unix.so.1 try_first_pass dtaction auth required libpam_hpsec.so.1 dtaction auth sufficient libpam_krb5.so.1 dtaction auth required libpam_unix.so.1 try_first_pass ftp auth required libpam_hpsec.so.1 ftp auth sufficient libpam_krb5.so.1 ftp auth required libpam_unix.so.1 try_first_pass sshd auth required libpam_hpsec.so.1 sshd auth sufficient libpam_krb5.so.1 sshd auth required libpam_unix.so.1 try_first_pass OTHER auth required libpam_unix.so.1 # # Account management # login account required libpam_hpsec.so.1 login account sufficient libpam_krb5.so.1 login account required libpam_unix.so.1 su account required libpam_hpsec.so.1 su account sufficient libpam_krb5.so.1 su account required libpam_unix.so.1 dtlogin account required libpam_hpsec.so.1 dtlogin account sufficient libpam_krb5.so.1 dtlogin account required libpam_unix.so.1 dtaction account required libpam_hpsec.so.1 dtaction account sufficient libpam_krb5.so.1 dtaction account required libpam_unix.so.1 ftp account required libpam_hpsec.so.1 ftp account sufficient libpam_krb5.so.1 ftp account required libpam_unix.so.1 sshd account required libpam_hpsec.so.1 sshd account sufficient libpam_krb5.so.1 sshd account required libpam_unix.so.1 OTHER account required libpam_unix.so.1 # # Session management # login session required libpam_hpsec.so.1 login session sufficient libpam_krb5.so.1 login session required libpam_unix.so.1 dtlogin session required libpam_hpsec.so.1 dtlogin session sufficient libpam_krb5.so.1 dtlogin session required libpam_unix.so.1 dtaction session required libpam_hpsec.so.1 dtaction session sufficient libpam_krb5.so.1 dtaction session required libpam_unix.so.1 sshd session required libpam_hpsec.so.1 sshd session sufficient libpam_krb5.so.1 sshd session required libpam_unix.so.1 OTHER session required libpam_unix.so.1 # # Password management # login password required libpam_hpsec.so.1 login password sufficient libpam_krb5.so.1 login password required libpam_unix.so.1 passwd password required libpam_hpsec.so.1 passwd password sufficient libpam_krb5.so.1 passwd password required libpam_unix.so.1 dtlogin password required libpam_hpsec.so.1 dtlogin password sufficient libpam_krb5.so.1 dtlogin password required libpam_unix.so.1 dtaction password required libpam_hpsec.so.1 dtaction password sufficient libpam_krb5.so.1 dtaction password required libpam_unix.so.1 OTHER password required libpam_unix.so.1
Edit the /etc/pam.conf file to reflect the following example:
# # PAM configuration # # This pam.conf file is intended as an example only. # see pam.conf(4) for more details # ################################################################ # This sample file will authenticate the user who belongs to # # either Kerberos or Unix system. Using this configuration file# # if the user is authenticated through Kerberos then the Unix # # authentication will not be invoked. However,if the Kerberos # # authentication fails for the user, then the fallback # # authentication mechanism PAM-Unix will be invoked to # # authenticate the user.The assumption is the user is either # # present in Kerberos or in Unix system. # # # # In case, the administrator wants the password for all the # # users to be synchronous between Kerberos and Unix systems, # # then the control flag should to be set to "required" for all # # the entries with user_first_pass option set for pam_unix. # # If password synchronization is optional then try_first_pass # # option need to be set for pam_unix, so that the user can # # login using the appropriate passwords. # ################################################################ # # Authentication management # login auth sufficient /usr/lib/security/libpam_krb5.1 login auth required /usr/lib/security/libpam_unix.1 try_first_pass su auth sufficient /usr/lib/security/libpam_krb5.1 su auth required /usr/lib/security/libpam_unix.1 try_first_pass dtlogin auth sufficient /usr/lib/security/libpam_krb5.1 dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass dtaction auth sufficient /usr/lib/security/libpam_krb5.1 dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass ftp auth sufficient /usr/lib/security/libpam_krb5.1 ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass OTHER auth required /usr/lib/security/libpam_unix.1 # # Account management # login account sufficient /usr/lib/security/libpam_krb5.1 login account required /usr/lib/security/libpam_unix.1 su account sufficient /usr/lib/security/libpam_krb5.1 su account required /usr/lib/security/libpam_unix.1 dtlogin account sufficient /usr/lib/security/libpam_krb5.1 dtlogin account required /usr/lib/security/libpam_unix.1 dtaction account sufficient /usr/lib/security/libpam_krb5.1 dtaction account required /usr/lib/security/libpam_unix.1 ftp account sufficient /usr/lib/security/libpam_krb5.1 ftp account required /usr/lib/security/libpam_unix.1 OTHER account required /usr/lib/security/libpam_unix.1 # # Session management # login session sufficient /usr/lib/security/libpam_krb5.1 login session required /usr/lib/security/libpam_unix.1 dtlogin session sufficient /usr/lib/security/libpam_krb5.1 dtlogin session required /usr/lib/security/libpam_unix.1 dtaction session sufficient /usr/lib/security/libpam_krb5.1 dtaction session required /usr/lib/security/libpam_unix.1 OTHER session required /usr/lib/security/libpam_unix.1 # # Password management # login password sufficient /usr/lib/security/libpam_krb5.1 login password required /usr/lib/security/libpam_unix.1 passwd password sufficient /usr/lib/security/libpam_krb5.1 passwd password required /usr/lib/security/libpam_unix.1 dtlogin password sufficient /usr/lib/security/libpam_krb5.1 dtlogin password required /usr/lib/security/libpam_unix.1 dtaction password sufficient /usr/lib/security/libpam_krb5.1 dtaction password required /usr/lib/security/libpam_unix.1 OTHER password required /usr/lib/security/libpam_unix.1