pam_seos is a Pluggable Authentication Module (PAM) that CA ControlMinder uses for advanced account management functions. CA ControlMinder calls pam_seos during the login procedure of any login program. The module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand.
You can configure pam_seos to perform three actions:
The Account Management Component detects any failed login attempt and logs it to both the audit file and a special failed logins file. This module detects UNIX failures, not cases in which CA ControlMinder denies access.
CA ControlMinder writes the failed login attempts to a special file. The serevu utility reads this file and uses the information to determine if and when user access should be revoked.
When CA ControlMinder denies a login, it usually does not show the reason for denial during the login session. If the pam_seos module's debug mode is set, CA ControlMinder gives a short description of the reason for login denial. For example, “grace logins” means that the user has no remaining logins.
The Password Management Component invokes the segrace utility, which checks for a user's password expiration and the number of grace logins. If a user's password expires, and the user has no grace logins left, segrace invokes the sepass utility to allow the user to change the password.
Note: CA ControlMinder invokes segrace only when a password change is needed.
Note: To obtain failed login events from SSH, the SSH version you are using must be compiled and configured to support PAM. If your version of SSH does not use PAM, CA ControlMinder cannot detect whether a user has violated the failed login rules.
The installation program adds the relevant lines to the pam.conf configuration file, and stores the old configuration file as /etc/pam.conf.bak.
Configuration of the pam_seos modules is performed through the seos.ini file. Set the following tokens, located in the [pam_seos] section, according to the required functionality:
To use the Password Expiration and Grace Logins check, set the following token in the seos.ini file:
call_segrace = Yes
To use Login Debug Mode, set the following token in the seos.ini file:
debug_mode_for_user = Yes
To make serevu use pam_seos login failure detection, set the following token in the seos.ini file:
serevu_use_pam_seos = Yes
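The following check is an added example, not part of the CA ControlMinder documentation or tooling. It reads the three tokens from the [pam_seos] section and flags the SSH caveat described above, where serevu relies on pam_seos but sshd is not configured for PAM. The function names and sample inputs are constructed for illustration. It assumes ";" and "#" start comments in seos.ini and that token values are case-insensitive; UsePAM is the OpenSSH sshd_config directive.

```python
import re

TOKENS = ("call_segrace", "debug_mode_for_user", "serevu_use_pam_seos")

# Constructed sample inputs, not taken from a real host.
SAMPLE_SEOS_INI = """\
[pam_seos]
call_segrace = Yes
debug_mode_for_user = No
serevu_use_pam_seos = Yes
"""
SAMPLE_SSHD_CONFIG = "Port 22\n#UsePAM yes\nUsePAM no\n"

def read_section(ini_text, section="pam_seos"):
    """Return {token: value} for one [section] of seos.ini-style text."""
    values, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # assumed comment markers
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

def sshd_uses_pam(sshd_config_text):
    """True only if the first uncommented UsePAM line says yes."""
    for raw in sshd_config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "usepam":
            return parts[1].lower() == "yes"  # sshd uses the first value it reads
    return False  # no UsePAM line: treated here as not enabled

def audit(ini_text, sshd_config_text):
    """Return (token states, findings) for the three pam_seos tokens."""
    section = read_section(ini_text)
    state = {t: section.get(t, "<unset>") for t in TOKENS}
    findings = []
    if state["serevu_use_pam_seos"].lower() == "yes" and not sshd_uses_pam(sshd_config_text):
        findings.append("serevu_use_pam_seos is on but sshd lacks 'UsePAM yes': "
                        "failed SSH logins will not reach serevu")
    return state, findings

if __name__ == "__main__":
    print(audit(SAMPLE_SEOS_INI, SAMPLE_SSHD_CONFIG))
```

To run it against a host, pass the contents of that host's seos.ini and sshd_config to audit() in place of the samples.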
Copyright © 2013 CA Technologies.
All rights reserved.