Pluggable Authentication Module (PAM) is an authentication framework used in Unix systems. In SSH Tectia, support for PAM is enabled as a submethod of keyboard-interactive authentication.
When PAM is used, SSH Tectia Server transfers the control of authentication to the PAM library, which will then load the modules specified in the PAM configuration file. Finally, the PAM library tells SSH Tectia Server whether or not the authentication was successful. SSH Tectia Server is not aware of the details of the actual authentication method employed by PAM. Only the final result is of interest.
The following example shows settings for keyboard-interactive authentication using the PAM submethod in the
<authentication-methods>
  <authentication action="allow">
    <auth-keyboard-interactive max-tries="3" failure-delay="2">
      <submethod-pam dll-path="path-to-pam-dll" />
    </auth-keyboard-interactive>
    ...
  </authentication>
</authentication-methods>
On Windows, using the SSH Tectia Server Configuration tool, keyboard-interactive authentication can be configured on the Authentication page. See Authentication.
SSH Communications Security does not provide technical support on how to configure PAM. Our support only covers SSH Tectia applications.
On some systems, the calls used in user account management are not necessarily reentrant. These system calls are most likely used in several PAM modules, some of which might not serialize the access to those calls. As a consequence, the PAM authentication needs to be serialized. It is also possible that the PAM modules themselves are not reentrant, which requires the access to PAM to be serialized fully.
SSH Tectia Server can use a simple lock to serialize the PAM authentication calls. The setting is enabled explicitly by adding the environment variable SSH_PAM_POLICY, either by editing the init.d/ssh-server-g3 script or manually before starting the server.
The environment variable SSH_PAM_POLICY takes one of the following values:
NONE: No serialization. This is the default.
PARTIAL: Only the actual PAM code is serialized. This is the recommended setting.
FULL: The whole PAM call is serialized.
FULL option only if the system uses a PAM module that does not function reliably with the policy set to
When SSH_PAM_POLICY=FULL is used with authentication methods requiring user interaction, only a single user interaction can be active at a time, and all other users are forced to wait until the active user has finished authentication.
The following are examples of different PAM configurations.
/etc/pam.d/ssh-server-g3 file on Red Hat Linux:
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
account  required /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so
On SUSE LINUX, the configuration is otherwise the same but pam_unix.so is used instead of
On Solaris versions 8 and 9 (and earlier), the /etc/pam.conf entry is as follows:
ssh-server-g3 auth     required /usr/lib/security/pam_unix.so debug
ssh-server-g3 account  required /usr/lib/security/pam_unix.so debug
ssh-server-g3 password required /usr/lib/security/pam_unix.so debug
ssh-server-g3 session  required /usr/lib/security/pam_unix.so debug
On Solaris 10, the pam_unix.so module is no longer supported, but similar functionality is provided by other modules. If needed, a specific PAM library path can be specified in the SSH Tectia Server configuration file ssh-server-config.xml in the submethod-pam element with the
The following is an example on how to configure PAM to use LDAP authentication on a Red Hat machine. Before trying this setup, verify that PAM works for local accounts.
In the file /etc/pam.d/ssh-server-g3, add the following:
auth     required /lib/security/pam_ldap.so
account  required /lib/security/pam_ldap.so
password required /lib/security/pam_ldap.so
session  required /lib/security/pam_ldap.so
In the file /etc/nsswitch.conf, add the following:
passwd: files ldap
shadow: files ldap
group:  files ldap
In the file /etc/ldap.conf, add the following:
host ldapserver.company.com
base dc=company,dc=com
ldap_version 3
port 389
scope one
pam_min_uid 10000
pam_max_uid 20000
nss_base_passwd ou=accounts,dc=company,dc=com?one
nss_base_shadow ou=accounts,dc=company,dc=com?one
nss_base_group ou=groups,dc=company,dc=com?one
ssl no
pam_password md5
This is just an example and needs to be modified according to your LDAP server configuration.
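Because SSH Tectia Server only sees PAM's final verdict, a mistake in the service file (for example a stack with no account lines, so expiry and lockout checks never run through this file) is invisible to the server. The following added example, not part of the SSH Tectia documentation or product, parses both file formats shown above (the /etc/pam.d/ssh-server-g3 style and the Solaris /etc/pam.conf style with a service column) and reports management groups the file does not configure. The sample stacks are constructed for the example; the first is the Red Hat stack with its account line removed on purpose.

```python
from collections import defaultdict

GROUPS = ("auth", "account", "password", "session")

# Constructed sample in /etc/pam.d/<service> style (no service column): the
# Red Hat stack from this page with its "account" line deliberately left out.
SAMPLE_PAM_D = """
auth     required /lib/security/pam_pwdb.so shadow nullok
auth     required /lib/security/pam_nologin.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
session  required /lib/security/pam_pwdb.so
"""

# Constructed sample in Solaris /etc/pam.conf style (service column first);
# only the ssh-server-g3 entries are examined.
SAMPLE_PAM_CONF = """
ssh-server-g3 auth     required /usr/lib/security/pam_unix.so debug
ssh-server-g3 account  required /usr/lib/security/pam_unix.so debug
ssh-server-g3 password required /usr/lib/security/pam_unix.so debug
ssh-server-g3 session  required /usr/lib/security/pam_unix.so debug
other         auth     required /usr/lib/security/pam_unix.so
"""

def parse_pam(text, service=None):
    """Return {group: [(control, module, args)]}.
    service=None reads /etc/pam.d/<service> lines (group control module args);
    a service name reads /etc/pam.conf lines and keeps only that service."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if service is not None:
            if fields[0] != service:
                continue
            fields = fields[1:]
        if len(fields) < 3 or fields[0] not in GROUPS:
            raise ValueError("malformed PAM line: %r" % raw)
        stacks[fields[0]].append((fields[1], fields[2], fields[3:]))
    return dict(stacks)

def missing_groups(stacks):
    """Management groups this file configures no module for. For those phases
    the outcome is decided by the system's default ("other") entries, not by
    the service file, so a missing "account" group deserves a look."""
    return [g for g in GROUPS if g not in stacks]
```

Run it against the real service file after changing the PAM setup (and before enabling SSH_PAM_POLICY) so that a dropped line is caught before the server is restarted.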