TACF-PAM Integration Module

This chapter describes the TACF-PAM integration module.

1. Overview

PAM-integrated user authentication works as follows.

When TACF is integrated with PAM (Pluggable Authentication Module), the safp tool performs the first-level authentication during the login process. If it succeeds, TACF performs the subsequent authentication. Only when both the PAM and the TACF authentication succeed is the logged-in user's session managed by TACF. A user ID registered in PAM must therefore also be registered in TACF.

TACF then controls access to resources by using the information about the session established between TACF and the user during the login process.

2. TACF Configuration

To perform PAM authentication, set the VALUE of the PAM_AUTH key to YES in the AUTH_METHOD section of the saf subject in the OpenFrame configuration.

$ ofconfig list -s saf -sec AUTH_METHOD -k PAM_AUTH

===================================================================================
  SUBJECT   |     SECTION      |         KEY         |            VALUE
===================================================================================
    saf     |   AUTH_METHOD    |       PAM_AUTH      |             YES
===================================================================================

For more information about the saf subject, refer to OpenFrame Configuration Guide.

3. safp

safp is the user authentication program provided with TACF. It performs the following:

  • Authenticates a user.

  • Checks the validity of a user account.

  • Authenticates a password and checks whether the account has expired.

Running safp requires a PAM configuration, which must be defined in either /etc/pam.d/safp or /etc/pam.conf. The following example shows the configuration file for Linux.

# safp authorization
auth    required    pam_unix.so
account required    pam_unix.so

Authentication with safp requires the superuser privilege, so the safp binary must be setuid ROOT.

The following example sets the owner of safp to root and sets the setuid bit.

chown root:root safp     /* Change owner to root. */
chmod u+s safp           /* Set setuid as root. */

Syntax

safp uses the following options to perform PAM authentication.

safp [-d userid passwd | -v]

  • Options

    Option                 Description
    [-d userid passwd]     Debugging option. Users registered in PAM are granted access; users not registered in PAM produce an error message.
    [-v]                   Displays the help message.

4. Note

Note the following when using the TACF-PAM integration module.

  • The length of the USERID in both TACF and PAM cannot exceed 8 characters.

  • ROOT permission is required to access the PAM module. Set setuid to ROOT for the PAM authentication related modules.

  • safp provides user authentication and the validity check for user accounts. It does not support session management or password management.
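The following POSIX shell script is an added example, not part of the OpenFrame documentation: it verifies on a host the requirements this chapter states, namely the auth/account entries for safp in the PAM configuration, root ownership plus the setuid bit on the safp binary, and the 8-character user ID limit. The file locations are passed as arguments because the install path of safp is site specific.

```shell
#!/bin/sh
# Added example, not part of the OpenFrame documentation: checks the safp
# setup described in this chapter. File locations are arguments because the
# install path of safp is site specific.

# check_pam_conf FILE: 0 if FILE carries the documented "auth required
# pam_unix.so" and "account required pam_unix.so" entries, 1 otherwise.
check_pam_conf() {
    [ -r "$1" ] || { echo "PAM config not found: $1" >&2; return 1; }
    for kind in auth account; do
        grep -Eq "^[[:space:]]*${kind}[[:space:]]+required[[:space:]]+pam_unix\.so" "$1" \
            || { echo "$1: no '$kind required pam_unix.so' entry" >&2; return 1; }
    done
}

# check_safp_bin FILE: 0 if FILE is root-owned with the setuid bit set
# (the documented chown root:root / chmod u+s state), 1 otherwise.
check_safp_bin() {
    [ -f "$1" ] || { echo "safp binary not found: $1" >&2; return 1; }
    [ -u "$1" ] || { echo "$1: setuid bit not set (chmod u+s)" >&2; return 1; }
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = root ] || { echo "$1: owned by $owner, not root" >&2; return 1; }
}

# check_userid_len ID: 0 if ID fits the 8-character TACF/PAM limit.
check_userid_len() {
    [ "${#1}" -le 8 ] || { echo "user ID '$1' exceeds 8 characters" >&2; return 1; }
}

# run_safp_checks PAMCONF SAFPBIN [USERID]: runs every check and returns
# the number of failed checks (0 when the host matches the documentation).
run_safp_checks() {
    failed=0
    check_pam_conf "$1" || failed=$((failed + 1))
    check_safp_bin "$2" || failed=$((failed + 1))
    if [ -n "$3" ]; then
        check_userid_len "$3" || failed=$((failed + 1))
    fi
    echo "safp checks: $failed failure(s)"
    return "$failed"
}

# Usage: sh safp_check.sh /etc/pam.d/safp /path/to/safp [USERID]
if [ "$#" -ge 2 ]; then
    run_safp_checks "$1" "$2" "${3:-}"
fi
```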