PAM on AIX 5.3

Jacques Lebastard jacques.lebastard at evidian.com
Wed Jun 7 12:32:00 UTC 2006


I know this might not be the right place to talk about PAM on AIX but 
since I can't find any better mailing/newsgroup... If you know of a more 
appropriate place...


I wrote a PAM module in charge of authenticating users to a specific 
authentication server and retrieving a Unix login & pwd from single 
sign-on data. Upon a successful authentication, the module retrieves 
the Unix login and pwd and uses pam_set_item to set PAM_USER and PAM_AUTHTOK 
to the Unix values (always different from what the user provided): any 
other PAM module configured with 'use_first_pass' should then use these 
to perform any required authentication.

This PAM module works fine on Solaris (except for ftp, because of a 
documented restriction in ftpd), HP-UX and Linux.

On AIX 5.3, the connection always fails with the following info in syslog:

auth|security:info syslog: pts/3: failed login attempt for UNKNOWN_USER from ...

I am currently trying this PAM module using telnet and the following entries 
in /etc/pam.conf (my PAM module is am_pam.so):

telnet  auth    required        /usr/lib/security/am_pam.so dump debug
telnet  auth    required        /usr/lib/security/pam_aix use_first_pass debug
OTHER   auth    required        /usr/lib/security/pam_prohibit debug

telnet  account required        /usr/lib/security/am_pam.so no_warn bypass dump
telnet  account required        /usr/lib/security/pam_aix debug
OTHER   account required        /usr/lib/security/pam_prohibit debug

telnet  password  required      /usr/lib/security/pam_aix debug
OTHER   password  required      /usr/lib/security/pam_prohibit debug

telnet  session required        /usr/lib/security/am_pam.so dump debug
telnet  session required        /usr/lib/security/pam_aix debug
OTHER   session required        /usr/lib/security/pam_prohibit debug


The following lines are sent to syslog:

:debug PAM: pam_start(telnet aixuser1)
:debug PAM: pam_set_item(1)
:debug PAM: pam_set_item(2)
:debug PAM: pam_set_item(5)
:debug PAM: pam_set_item(3)
:debug PAM: pam_set_item(4)
:debug PAM: pam_set_item(8)
:debug PAM: pam_authenticate()
:debug PAM: load_modules: /usr/lib/security/am_pam.so
:debug PAM: load_function: successful load of pam_sm_authenticate
:debug PAM: load_modules: /usr/lib/security/pam_aix
:debug PAM: load_function: successful load of pam_sm_authenticate
:debug PAM: AM-PAM : authentication OK.
:debug PAM: pam_set_item(2)
:debug PAM: pam_set_item(6)
:debug PAM: pam_set_item(6)
:debug PAM: pam_acct_mgmt()
:debug PAM: load_modules: /usr/lib/security/am_pam.so
:debug PAM: load_function: successful load of pam_sm_acct_mgmt
:debug PAM: load_modules: /usr/lib/security/pam_aix
:debug PAM: load_function: successful load of pam_sm_acct_mgmt
:debug PAM: pam_aix: acct_mgmt(telnet, pchuser1), flags = 0
:debug PAM: pam_setcred()
:debug PAM: load_modules: /usr/lib/security/am_pam.so
:debug PAM: load_function: successful load of pam_sm_setcred
:debug PAM: load_modules: /usr/lib/security/pam_aix
:debug PAM: load_function: successful load of pam_sm_setcred
:debug PAM: pam_open_session()
:debug PAM: load_modules: /usr/lib/security/am_pam.so
:debug PAM: load_function: successful load of pam_sm_open_session
:debug PAM: load_modules: /usr/lib/security/pam_aix
:debug PAM: load_function: successful load of pam_sm_open_session
:debug PAM: pam_end(): status = Success
:info syslog: pts/3: failed login attempt for UNKNOWN_USER from ...

Would someone have some similar PAM module? Can such PAM modules work on 
AIX 5.3? Did I miss something in the configuration?

Help!...





More information about the Pam-list mailing list
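
Added example (not part of the original post or of any module it mentions): a small decoder for the debug trace quoted above, which names each pam_set_item(N) call and compares the user given to pam_start with the user pam_aix reports. The item numbers are those of the X/Open XSSO PAM headers and are assumed to match AIX 5.3; the function names and the abridged trace are constructed for illustration.

```python
import re

# Item-type numbers from the X/Open XSSO PAM headers (same in Linux-PAM and
# Solaris); assumed, not verified, to match AIX 5.3's <security/pam_appl.h>.
PAM_ITEMS = {1: "PAM_SERVICE", 2: "PAM_USER", 3: "PAM_TTY", 4: "PAM_RHOST",
             5: "PAM_CONV", 6: "PAM_AUTHTOK", 7: "PAM_OLDAUTHTOK", 8: "PAM_RUSER"}

# Constructed sample: an abridged copy of the trace quoted in the post.
TRACE = """\
:debug PAM: pam_start(telnet aixuser1)
:debug PAM: pam_set_item(1)
:debug PAM: pam_set_item(2)
:debug PAM: pam_authenticate()
:debug PAM: AM-PAM : authentication OK.
:debug PAM: pam_set_item(2)
:debug PAM: pam_set_item(6)
:debug PAM: pam_set_item(6)
:debug PAM: pam_acct_mgmt()
:debug PAM: pam_aix: acct_mgmt(telnet, pchuser1), flags = 0
:debug PAM: pam_end(): status = Success
"""

PHASE = re.compile(r"PAM: (pam_(?:start|authenticate|acct_mgmt|setcred|open_session|end))\(")
SET_ITEM = re.compile(r"PAM: pam_set_item\((\d+)\)")
START_USER = re.compile(r"pam_start\((\S+) ([^)\s]+)\)")
AIX_USER = re.compile(r"pam_aix: \w+\(([^,\s]+), ([^)\s]+)\)")

def decode_trace(text):
    """Return (events, users): events lists (phase, item_name) per pam_set_item
    call; users maps 'pam_start' and 'pam_aix' to the user name each one logged."""
    phase, events, users = None, [], {}
    for line in text.splitlines():
        if m := PHASE.search(line):
            phase = m.group(1)          # framework call that opened this phase
        if m := START_USER.search(line):
            users["pam_start"] = m.group(2)
        if m := AIX_USER.search(line):
            users["pam_aix"] = m.group(2)
        if m := SET_ITEM.search(line):
            n = int(m.group(1))
            events.append((phase, PAM_ITEMS.get(n, f"item {n}")))
    return events, users

def items_set_during(events, phase):
    """Names of the items set while the given framework call was in progress."""
    return [name for p, name in events if p == phase]
```

On the sample, the items set during pam_authenticate decode to PAM_USER and PAM_AUTHTOK, and pam_aix logs pchuser1 while pam_start was called with aixuser1.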