Implementation Guide › Installing and Customizing a UNAB Host › AIX Native Package Installation › Pluggable Authentication Module (PAM) on AIX

Pluggable Authentication Module (PAM) on AIX

By default, AIX uses the Loadable Authentication Module (LAM) for identification and authentication purposes. To enable UNAB to authenticate users accessing the system, you must configure AIX to use PAM. Configure the AIX system to use PAM before you customize and install UNAB.

Note: You can enable PAM on AIX versions 5.3 and above.

Example: Configuring AIX to use PAM

The following example shows you how to configure AIX version 5.3 and above to use PAM, used by UNAB for authentication purposes.

1. Create a PAM configuration file.

   AIX does not provide a default /etc/pam.conf file.

2. Open the pam.conf file and include the basic module stack, then save the file. For example:

   #
   # Authentication
   #
   ftp     auth    required        /usr/lib/security/pam_aix
   imap    auth    required        /usr/lib/security/pam_aix
   login   auth    required        /usr/lib/security/pam_aix
   rexec   auth    required        /usr/lib/security/pam_aix
   rlogin  auth    required        /usr/lib/security/pam_aix
   snapp   auth    required        /usr/lib/security/pam_aix
   su      auth    required        /usr/lib/security/pam_aix
   telnet  auth    required        /usr/lib/security/pam_aix
   OTHER   auth    required        /usr/lib/security/pam_aix
   #
   # Account Management
   #
   ftp     account required        /usr/lib/security/pam_aix
   login   account required        /usr/lib/security/pam_aix
   rexec   account required        /usr/lib/security/pam_aix
   rlogin  account required        /usr/lib/security/pam_aix
   rsh     account required        /usr/lib/security/pam_aix
   su      account required        /usr/lib/security/pam_aix
   telnet  account required        /usr/lib/security/pam_aix
   OTHER   account required        /usr/lib/security/pam_aix
   #
   # Password Management
   #
   login   password  required      /usr/lib/security/pam_aix
   rlogin  password  required      /usr/lib/security/pam_aix
   su      password  required      /usr/lib/security/pam_aix
   telnet  password  required      /usr/lib/security/pam_aix
   OTHER   password  required      /usr/lib/security/pam_aix
   #
   # Session Management
   #
   ftp     session required        /usr/lib/security/pam_aix
   imap    session required        /usr/lib/security/pam_aix
   login   session required        /usr/lib/security/pam_aix
   rexec   session required        /usr/lib/security/pam_aix
   rlogin  session required        /usr/lib/security/pam_aix
   rsh     session required        /usr/lib/security/pam_aix
   snapp   session required        /usr/lib/security/pam_aix
   su      session required        /usr/lib/security/pam_aix
   telnet  session required        /usr/lib/security/pam_aix
   OTHER   session required        /usr/lib/security/pam_aix
   

3. Navigate to /lib/security and open the methods.cfg file for editing.
4. Enable PAM authentication by adding the following lines, then save the file:

   PAM:
           program = /usr/lib/security/PAM
   PAMfiles:
           options = auth=PAM,db=BUILTIN
   

5. Navigate to /etc/security and open the login.cfg file for editing.
6. Configure the authentication type to PAM, then save the file: auth_type = PAM_AUTH

   For example:

   chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
   

7. Navigate to /etc/ssh/ and open the sshd_config file for editing.
8. Enable SSH PAM authentication by adding the following parameters, then save the file:

   UsePAM yes
   

   Note: Verify that you use a PAM supported version of OpenSSH (version 3.9p1 and above). To verify the version use the following command:

   lslpp -i openssh.base.server
   

9. Navigate to /etc and open the pam.conf file for editing.
10. Add SSH PAM authentication by adding the following lines, then save the file:

    sshd    auth            required        /usr/lib/security/pam_aix
    OTHER   auth            required        /usr/lib/security/pam_aix
    sshd    account         required        /usr/lib/security/pam_aix
    OTHER   account         required        /usr/lib/security/pam_aix
    sshd    password        required        /usr/lib/security/pam_aix
    OTHER   password        required        /usr/lib/security/pam_aix
    sshd    session         required        /usr/lib/security/pam_aix
    OTHER   session         required        /usr/lib/security/pam_aix
    

11. Restart the computer.

    AIX is configured to use PAM for authentication purposes. You can now customize the AIX native package and install UNAB.