

Pluggable Authentication Module (PAM) on AIX

By default, AIX uses the Loadable Authentication Module (LAM) for identification and authentication purposes. To enable UNAB to authenticate users accessing the system, you must configure AIX to use PAM. Configure the AIX system to use PAM before you customize and install UNAB.

Note: You can enable PAM on AIX versions 5.3 and above.

Example: Configuring AIX to use PAM

The following example shows how to configure AIX version 5.3 and above to use PAM, which UNAB uses for authentication.

  1. Create a PAM configuration file.

    AIX does not provide a default /etc/pam.conf file.

  2. Open the pam.conf file and include the basic module stack, then save the file. For example:
    #
    # Authentication
    #
    ftp     auth    required        /usr/lib/security/pam_aix
    imap    auth    required        /usr/lib/security/pam_aix
    login   auth    required        /usr/lib/security/pam_aix
    rexec   auth    required        /usr/lib/security/pam_aix
    rlogin  auth    required        /usr/lib/security/pam_aix
    snapp   auth    required        /usr/lib/security/pam_aix
    su      auth    required        /usr/lib/security/pam_aix
    telnet  auth    required        /usr/lib/security/pam_aix
    OTHER   auth    required        /usr/lib/security/pam_aix
    #
    # Account Management
    #
    ftp     account required        /usr/lib/security/pam_aix
    login   account required        /usr/lib/security/pam_aix
    rexec   account required        /usr/lib/security/pam_aix
    rlogin  account required        /usr/lib/security/pam_aix
    rsh     account required        /usr/lib/security/pam_aix
    su      account required        /usr/lib/security/pam_aix
    telnet  account required        /usr/lib/security/pam_aix
    OTHER   account required        /usr/lib/security/pam_aix
    #
    # Password Management
    #
    login   password  required      /usr/lib/security/pam_aix
    rlogin  password  required      /usr/lib/security/pam_aix
    su      password  required      /usr/lib/security/pam_aix
    telnet  password  required      /usr/lib/security/pam_aix
    OTHER   password  required      /usr/lib/security/pam_aix
    #
    # Session Management
    #
    ftp     session required        /usr/lib/security/pam_aix
    imap    session required        /usr/lib/security/pam_aix
    login   session required        /usr/lib/security/pam_aix
    rexec   session required        /usr/lib/security/pam_aix
    rlogin  session required        /usr/lib/security/pam_aix
    rsh     session required        /usr/lib/security/pam_aix
    snapp   session required        /usr/lib/security/pam_aix
    su      session required        /usr/lib/security/pam_aix
    telnet  session required        /usr/lib/security/pam_aix
    OTHER   session required        /usr/lib/security/pam_aix
    
  3. Navigate to /lib/security and open the methods.cfg file for editing.
  4. Enable PAM authentication by adding the following lines, then save the file:
    PAM:
            program = /usr/lib/security/PAM
    PAMfiles:
            options = auth=PAM,db=BUILTIN
    
  5. Navigate to /etc/security and open the login.cfg file for editing.
  6. Set the authentication type to PAM, then save the file:
    auth_type = PAM_AUTH

    For example:

    chsec -f /etc/security/login.cfg -s usw -a auth_type=PAM_AUTH
    
  7. Navigate to /etc/ssh/ and open the sshd_config file for editing.
  8. Enable SSH PAM authentication by adding the following parameter, then save the file:
    UsePAM yes
    

    Note: Verify that you use a PAM-supported version of OpenSSH (version 3.9p1 and above). To verify the version, use the following command:

    lslpp -i openssh.base.server
    
  9. Navigate to /etc and open the pam.conf file for editing.
  10. Add SSH PAM authentication by adding the following lines, then save the file:
    sshd    auth            required        /usr/lib/security/pam_aix
    OTHER   auth            required        /usr/lib/security/pam_aix
    sshd    account         required        /usr/lib/security/pam_aix
    OTHER   account         required        /usr/lib/security/pam_aix
    sshd    password        required        /usr/lib/security/pam_aix
    OTHER   password        required        /usr/lib/security/pam_aix
    sshd    session         required        /usr/lib/security/pam_aix
    OTHER   session         required        /usr/lib/security/pam_aix
    
  11. Restart the computer.

    AIX is configured to use PAM for authentication purposes. You can now customize the AIX native package and install UNAB.
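
A mistake in any of the three files edited above can lock out SSH logins after the restart, so it is worth checking them first. The following script is an added example, not part of the product documentation; the function names and sample files are constructed, and it assumes that OTHER entries act as the fallback when a service has no line for a module type.

```shell
#!/bin/sh
# Added example: pre-reboot check of the PAM configuration described above.
# Function names and sample files are constructed for illustration.

# pam_resolve FILE SERVICE: for each module type print "type source", where
# source is SERVICE (explicit line), OTHER (fallback), or MISSING.
pam_resolve() {
    for mt in auth account password session; do
        awk -v s="$2" -v t="$mt" '
            /^[ \t]*#/ || NF < 4 { next }
            $2 == t && $1 == s       { own = 1 }
            $2 == t && $1 == "OTHER" { other = 1 }
            END { print t, (own ? s : (other ? "OTHER" : "MISSING")) }' "$1"
    done
}

# stanza_attr FILE STANZA ATTR: print ATTR's value from an AIX stanza file.
stanza_attr() {
    awk -v st="$2:" -v at="$3" '
        /^[ \t]*\*/ { next }                        # "*" starts a comment
        /^[^ \t].*:[ \t]*$/ { cur = $1; next }      # stanza header, e.g. "usw:"
        cur == st && split($0, kv, "=") == 2 {
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == at) print kv[2]
        }' "$1"
}

# pam_ready PAMCONF LOGINCFG SSHDCFG: return 0 only if sshd resolves every
# module type, auth_type is PAM_AUTH, and UsePAM yes is set uncommented.
pam_ready() {
    pam_resolve "$1" sshd | grep -q MISSING && return 1
    [ "$(stanza_attr "$2" usw auth_type)" = PAM_AUTH ] || return 1
    grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$3"
}

# Constructed sample files (not taken from a real host).
demo=${TMPDIR:-/tmp}/pamcheck.$$; mkdir -p "$demo"; trap 'rm -rf "$demo"' EXIT
cat > "$demo/pam.conf" <<'EOF'
# constructed sample: sshd has no password line and OTHER does not cover it
sshd    auth     required  /usr/lib/security/pam_aix
sshd    account  required  /usr/lib/security/pam_aix
OTHER   session  required  /usr/lib/security/pam_aix
EOF
printf 'usw:\n\tshells = /bin/sh\n\tauth_type = PAM_AUTH\n' > "$demo/login.cfg"
printf '#UsePAM no\nUsePAM yes\n' > "$demo/sshd_config"

pam_resolve "$demo/pam.conf" sshd
pam_ready "$demo/pam.conf" "$demo/login.cfg" "$demo/sshd_config" || echo "NOT READY"
```

On the host, point the functions at /etc/pam.conf, /etc/security/login.cfg and /etc/ssh/sshd_config before restarting, and keep an existing root session open until a new login succeeds.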