PAM configuration (HP-UX pam)

Alan Millar Alan.Millar at lpcorp.com
Thu Dec 28 05:42:50 EST 2000


> > To stem the tide of support requests from people who don't read the
> > INSTALL file when installing OpenSSH and then complain about password
> > auth failing. I am considering the idea of automagically installing a
> > PAM file into /etc/pam.d if it exists, PAM support is enabled and no
> > such file already exists.

> > - I want a "no-frills" control file which will work with the widest
> > range of systems and still be secure. Would something like the following
> > work everywhere? I assume pam_unix is pretty standard, but how about
> > pam_cracklib, pam_nologin and pam_limits?
>
> The big question, of course, is whether these modules are available with the
> Solaris and HPUX PAM implementations.  I haven't worked with either, so I
> don't have any idea.

FWIW, HP-UX 11.0 uses pam, included as part of the OS from HP.  I don't
know how far it varies from the current Linux or Solaris pam
implementations.  Not being very versed in pam myself, it appears to me
that it matches Solaris pam a little closer than Linux, definitely
compared to current Linux work.    In compiling mod_auth_pam for Apache
on HP-UX 11.0, a few ifdef's were needed that matched the Solaris ones.

HP-UX 11 uses /etc/pam.conf.   The pam_cracklib, pam_nologin and
pam_limits modules are not included with the HP distribution.  I have
not looked into whether people are adding them after-the-fact or not.

I have heard that some people [are attempting to?] use Linux pam ported
to HP-UX 10.20, which didn't have universal pam support from HP, but I
don't know any details.

For better or for worse, if the OpenSSH install looks for /etc/pam.d, it
will bypass any HP-UX 11.0 compatibility issues :-)

- Alan

--
Alan Millar                  Email: Alan.Millar at LPCorp.com
Unix System Administrator    Voice: 503-624-9004 x3014
Louisiana-Pacific            Fax:   509-692-3948
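
The install-time decision discussed in this thread, as an added example (not part of the original message and not OpenSSH's own installer code): install a PAM file only when /etc/pam.d exists and has no file for the service, and on an /etc/pam.conf-only system such as HP-UX 11 just report whether the service has an entry. The function names, the ROOT prefix argument, the "sshd" service name and the result strings are assumptions; the PAM file contents are supplied by the caller as a template.

```sh
# Added example. Function names, the ROOT prefix argument and the "sshd"
# service name are assumptions; the PAM file contents come from the caller.
pam_install_action() {
    root=${1:-}
    svc=${2:-sshd}
    if [ -d "$root/etc/pam.d" ]; then
        # Directory-style PAM: one file per service.
        if [ -e "$root/etc/pam.d/$svc" ]; then
            echo keep-existing
        else
            echo install-pam.d
        fi
    elif [ -f "$root/etc/pam.conf" ]; then
        # Single-file PAM (the HP-UX 11 case above): service is field 1.
        if awk -v s="$svc" '$1 == s { hit = 1 } END { exit !hit }' \
               "$root/etc/pam.conf"; then
            echo pam.conf-has-entry
        else
            echo pam.conf-needs-manual-entry
        fi
    else
        echo no-pam-config
    fi
}

install_pam_file() {
    root=$1
    template=$2
    svc=${3:-sshd}
    action=$(pam_install_action "$root" "$svc")
    if [ "$action" = install-pam.d ]; then
        dest="$root/etc/pam.d/$svc"
        # noclobber (set -C) makes the redirect fail if the file appeared
        # after the check, so an administrator's file is never overwritten.
        ( umask 022; set -C; cat "$template" > "$dest" ) || return 1
    fi
    echo "$action"
}
```

Passing a scratch directory as ROOT exercises every branch without touching the live /etc.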

More information about the openssh-unix-dev mailing list