

Configure the pam.conf File

The /etc/pam.conf file is the main PAM configuration file. You must edit the file to insert a line in the password service stack. On some Linux systems, the pam.conf file is replaced with the /etc/pam.d directory; on those systems, edit the /etc/pam.d/system-auth file instead.

To configure the pam.conf file

  1. Navigate to the /etc directory, or to the /etc/pam.d directory if you are configuring the PAM module on a Linux system that uses it.
  2. Edit the pam.conf file to insert a Password Synchronization line in the password service stack. For platform-specific configurations, see the examples that follow:

    passwd password required /usr/lib/security/pam_unix.so
    passwd password optional /usr/lib/security/pam_CA_eta.so

  3. (Optional) Add any of the following parameters to the pam_CA_eta module line:

    config=/path/file

    Indicates the location of an alternate configuration file.

    syslog

    Sends error and informational messages to the local syslog service.

    trace

    Generates a trace file for each password update operation. The trace files are named /tmp/pam_CA_eta-trace.<nnnn> where <nnnn> is the PID number of the password process.

  4. Implement the following platform-specific configuration changes:

    For AIX systems, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # CA IdentityMinder Unix Password Synchronization
    #
    login   password  optional    /usr/lib/security/pam_CA_eta.so syslog
    passwd  password  optional    /usr/lib/security/pam_CA_eta.so syslog
    rlogin  password  optional    /usr/lib/security/pam_CA_eta.so syslog
    su      password  optional    /usr/lib/security/pam_CA_eta.so syslog
    telnet  password  optional    /usr/lib/security/pam_CA_eta.so syslog
    sshd    password  optional    /usr/lib/security/pam_CA_eta.so syslog
    OTHER   password  optional    /usr/lib/security/pam_CA_eta.so syslog
    

    For HP-UX systems, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # CA IdentityMinder Unix Password Synchronization
    #
    login    password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    passwd   password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    dtlogin  password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    dtaction password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    OTHER    password optional    /usr/lib/security/libpam_CA_eta.1 syslog
    

    For HP-UX Itanium2, add the following lines at the bottom of the /etc/pam.conf file:

    #
    # CA IdentityMinder Unix Password Synchronization
    #
    login    password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    passwd   password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    dtlogin  password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    dtaction password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    OTHER    password optional    /usr/lib/security/$ISA/libpam_CA_eta.1 syslog
    

    For Sun Solaris systems, add the pam_CA_eta line after the existing pam_unix line:

    #
    # Password management
    #
    other   password required       /usr/lib/security/pam_unix.so.1
    other   password optional       /usr/lib/security/pam_CA_eta.so syslog
    

    For Linux systems, add the pam_CA_eta line between the existing pam_cracklib and pam_unix lines:

    password    required     /lib/security/pam_cracklib.so retry=3 type=
    password    optional     /lib/security/pam_CA_eta.so syslog
    password    sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required     /lib/security/pam_deny.so
    
  5. For AIX systems, edit the /etc/security/login.cfg file to set auth_type = PAM_AUTH. This enables the PAM framework, which is not enabled by default. This is a run-time setting, so you do not have to reboot the system for it to take effect.
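
After editing, the placement rules from step 4 can be checked mechanically. The following shell function is an added example, not part of the product or its documentation; the name check_ca_eta and the sample file are hypothetical. Its ordering test assumes standard PAM behavior (a successful "sufficient" module ends stack processing, so a later pam_CA_eta line would not run), which is why the Linux line belongs before pam_unix.

```shell
#!/bin/sh
# Added example (not vendor code): audit pam_CA_eta placement in a password stack.
# Accepts pam.conf format (service type control module args) and
# pam.d format (type control module args). Bracketed [..] controls are not parsed.
check_ca_eta() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }
    {
        if ($2 == "password")      { svc = $1;        ctl = $3; mod = $4; arg = 5 }
        else if ($1 == "password") { svc = "(pam.d)"; ctl = $2; mod = $3; arg = 4 }
        else next
        if (mod !~ /pam_CA_eta/) {
            # Remember the first sufficient module: on success PAM stops there.
            if (ctl == "sufficient" && !(svc in cut)) cut[svc] = mod
            next
        }
        found = 1
        if (ctl != "optional") {
            printf "FAIL %s: control flag is %s, page specifies optional\n", svc, ctl; bad = 1
        }
        if (svc in cut) {
            printf "FAIL %s: listed after sufficient module %s\n", svc, cut[svc]; bad = 1
        }
        for (i = arg; i <= NF; i++)
            if ($i == "trace")
                printf "WARN %s: trace on, writes /tmp/pam_CA_eta-trace.<PID> per update\n", svc
    }
    END {
        if (!found) { print "FAIL: no pam_CA_eta line in any password stack"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: the Linux stack from this page with two lines swapped and trace added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
password    required     /lib/security/pam_cracklib.so retry=3 type=
password    sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    optional     /lib/security/pam_CA_eta.so syslog trace
password    required     /lib/security/pam_deny.so
EOF
check_ca_eta "$sample" || echo "result: review module order in the sample"
rm -f "$sample"
```

Run it against /etc/pam.conf or /etc/pam.d/system-auth; a zero exit status means every pam_CA_eta line is optional and not shadowed by an earlier sufficient module.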