Authentication for remsh and rexec Services
Pluggable Authentication Modules (PAM) are supported for authentication
on HP-UX. PAM support enables users who are not listed in the
/etc/passwd file to use the rexec and remsh services. It also enables
you to use authentication methods other than standard UNIX authentication.
DCE integrated login and Kerberos are authentication mechanisms
you can use in addition to standard UNIX authentication.
Unless the /etc/pam.conf file contains entries for their own service name,
the rexecd and remshd services use the authentication mechanism specified
by the "OTHER" entries in that file. To use other authentication methods,
you must edit the /etc/pam.conf file.
The Pluggable Authentication Module Configuration File
The /etc/pam.conf file is the configuration file for the Pluggable Authentication
Module (PAM) architecture. The pam.conf file contains a list of services. Each service
is paired with a corresponding service module. When a service is
requested, its associated module is invoked. Each entry in the /etc/pam.conf file has the following format:
service_name module_type control_flag module_path options
Here are a few examples of entries you may find in a PAM configuration file:
dtlogin auth required /usr/lib/security/libpam_unix.1 debug
dtlogin account required /usr/lib/security/libpam_unix.1
OTHER auth optional /usr/lib/security/libpam_unix.1
The service_name field identifies the service. In the examples above,
dtlogin is a service name, and the keyword OTHER designates the entries that
all applications not explicitly listed in the file should use.
The module_type field indicates the service module type. The possible
module types include:
authentication management (auth)
account management (account)
session management (session)
password management (password)
The control_flag field determines the behavior of stacking when several
entries exist for the same service and module type, for example whether a
module must succeed (required) or may fail without affecting the result (optional).
See the pam.conf man page for a complete discussion of stacking.
The module_path field specifies the pathname of a shared library
object that implements the service functionality. The options field is used by the PAM framework layer to pass
module-specific options to the module. The module parses and interprets
the options. A module can use this field to turn on debugging
or to accept module-specific parameters such as a TIMEOUT value.
It can also be used to support unified login.
Enabling Standard UNIX Authentication on rexecd and remshd Services
To use the rexec and remsh services with PAM and standard UNIX
authentication, add the following lines to the /etc/pam.conf file:
rcomds auth required /usr/lib/security/libpam_unix.1
rcomds account required /usr/lib/security/libpam_unix.1
The remshd and rexecd services share the service name rcomds and use the
above entries as configuration information for authenticating users. Adding
the lines above tells rexec and remsh to use the UNIX authentication
mechanism to authenticate users.
For every service (such as rcomds), it is possible to have more than one
entry in the /etc/pam.conf file for each of the available module types. Refer
to the pam.conf manpage for more information.
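The resolution rule that the preceding sections describe, service-specific entries first and the OTHER entries only as a fallback, is easy to get wrong when a file has many entries. The following script is an added example in shell and is not part of the HP-UX documentation or of PAM itself: it resolves the effective stack for a service and module type from a pam.conf-style file, shows that the rcomds lines above take precedence over OTHER for remshd and rexecd, and reports truncated entries. The sample file, its contents (including the deliberately broken "badsvc" line) and the function names pam_stack, pam_malformed and pam_uses_other are constructed for the example; on a live system PAM_CONF would point at /etc/pam.conf.

```shell
#!/bin/sh
# Added example, not from the HP-UX documentation: resolve which pam.conf
# entries the PAM framework consults for a service, using the five-field
# format described above. The sample file is constructed for illustration;
# set PAM_CONF=/etc/pam.conf to inspect a real system.

PAM_CONF="${TMPDIR:-/tmp}/pam.conf.example.$$"
trap 'rm -f "$PAM_CONF"' EXIT

# Constructed sample. "badsvc" is deliberately malformed (no module_path)
# so that the consistency check below has something to report.
cat > "$PAM_CONF" <<'EOF'
# service_name module_type control_flag module_path options
dtlogin auth     required /usr/lib/security/libpam_unix.1 debug
dtlogin account  required /usr/lib/security/libpam_unix.1
rcomds  auth     required /usr/lib/security/libpam_unix.1
rcomds  account  required /usr/lib/security/libpam_unix.1
OTHER   auth     optional /usr/lib/security/libpam_unix.1
OTHER   account  optional /usr/lib/security/libpam_unix.1
badsvc  auth     required
EOF

# pam_stack FILE SERVICE MODULE_TYPE
# Prints, in file order, the entries PAM uses for SERVICE and MODULE_TYPE.
# Entries naming the service itself take precedence; the OTHER entries are
# used only when the service has no entry of that module type. Comment and
# blank lines are skipped.
pam_stack() {
    awk -v svc="$2" -v mtype="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $2 != mtype              { next }
        $1 == svc                { own[++n] = $0 }
        $1 == "OTHER"            { other[++m] = $0 }
        END {
            if (n == 0) { n = m; for (i = 1; i <= m; i++) own[i] = other[i] }
            for (i = 1; i <= n; i++) print own[i]
        }
    ' "$1"
}

# pam_malformed FILE
# Reports entries with fewer than four fields (options is the only optional
# field). A truncated entry changes what is enforced without any warning,
# so check for them before relying on the configuration.
pam_malformed() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF < 4 { printf "line %d: %s\n", NR, $0 }
    ' "$1"
}

# pam_uses_other FILE SERVICE MODULE_TYPE
# Succeeds (exit 0) when SERVICE has no entry of MODULE_TYPE and therefore
# falls back to the OTHER entries; fails (exit 1) otherwise.
pam_uses_other() {
    [ -z "$(awk -v svc="$2" -v mtype="$3" '$1 == svc && $2 == mtype' "$1")" ]
}

echo "auth stack for rcomds (remshd/rexecd):"
pam_stack "$PAM_CONF" rcomds auth
echo "auth stack for ftp (no ftp entries, so OTHER applies):"
pam_stack "$PAM_CONF" ftp auth
echo "malformed entries:"
pam_malformed "$PAM_CONF"
```

With the sample file, rcomds resolves to its own required libpam_unix.1 line, a name with no entries of its own (ftp here) falls through to the optional OTHER auth line, and the three-field badsvc entry is reported. Running the same checks against /etc/pam.conf after editing it confirms which module each service actually ends up with.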
Enabling DCE Integrated Login Authentication
To enable the DCE integrated login authentication mechanism,
add the following line to the /etc/pam.conf file:
rcomds auth required /usr/lib/security/libpam_dce.1
Using remshd in a Secure Internet Services Environment
The rexec service does not work in the Secure Internet Services
(SIS) environment; the remsh service does. To use remsh with PAM in
the SIS environment, add the following line to the /etc/pam.conf file:
rcomds auth required /usr/lib/security/libpam_dce.1
In the Kerberos environment, remsh also has command line options for
combining the UNIX and Kerberos methods of authentication. These
options are set on the "kremshd" service entry in /etc/inetd.conf. See the
kremshd man page for details.