
Pluggable Authentication Modules for Systems Running on UNIX or Linux

A Pluggable Authentication Module (PAM) is a well-defined framework for supporting different authentication modules originally developed by Sun Microsystems.

PAM enables system administrators to implement different authentication mechanisms for different applications. For example, the needs of a system like the UNIX login program might be different from an application that accesses sensitive information from a database. PAM allows for many such scenarios in a single machine, because the authentication services are attached at the application level.

In addition to letting an application select the authentication it needs, PAM permits module stacking. Many modules can be stacked one after another, so that a user can be authenticated in multiple ways before access is granted. PAM provides a set of APIs to support authentication, account management, session management, and password management.

The system administrator can enable or disable the use of PAM. By default, the database server uses the traditional Informix authentication mechanism (which is based on the BSD rhosts mechanism) in order to avoid forcing major changes on users.

To use PAM with Dynamic Server:

These changes are discussed in more detail below.

Supported Platforms

PAM is supported on Solaris and Linux, in both 32- and 64-bit modes.

On HP-UX and AIX, PAM is supported in 32-bit mode only.

The Name of the PAM Service

The PAM service name identifies the PAM module. This PAM module typically resides in /usr/lib/security and its parameters are listed in the file /etc/pam.conf.

In Linux, /etc/pam.conf can be replaced with a directory called /etc/pam.d, where there is a file for each PAM service. If /etc/pam.d exists, /etc/pam.conf will be ignored by Linux. See the system documentation for the details of this configuration file.

Authentication Mode

The PAM module determines whether a simple password is sufficient or other challenges are required. The PAM implementation in Dynamic Server takes advantage of the fact that for explicit connections, a password is sent to the server by the client. This password can be used to satisfy PAM in cases where a simple password is used. If the authentication mode involves responding to challenges, the applications must be prepared to respond to them. The application must be aware that the PAM module might raise multiple challenges.

Required Stack Size

The PAM feature loads OS or third-party PAM modules (shared libraries) into the informix user thread. The stack size requirements of these PAM modules cannot be predicted. For instance, on Linux some modules need more than 128 KB of stack space. Use the PAM_STACKSIZE configuration parameter to customize the stack size for PAM modules. The default value of PAM_STACKSIZE is 32 KB.

For example, set PAM_STACKSIZE in the ONCONFIG file as follows:

PAM_STACKSIZE 64 # Stack size needed for the PAM modules (K Bytes)

On Linux, the default value is 128 KB plus the value of the STACKSIZE configuration parameter.

Implicit Connections

PAM is a challenge-oriented system, in that the authentication response (the password) is supplied in response to a PAM message. In implicit connections to the database server, there is no password.

Therefore, implicit connections can work under PAM only in challenge mode. Implicit connections in password mode will result in failure.

Configuring a Database Server to Use PAM

To configure a server to use PAM, the system administrator must know:

The following example shows sqlhosts entries with illustrative names:

PAM service: pam_password (Needs only a password)

Authentication mode: challenge
ifxserver2   oltlitcp   servermc   portnum2   options
 where options are "s=4, pam_serv=(pam_pass), pamauth=(challenge)"

Authentication mode: password
ifxserver2   oltlitcp   servermc   portnum2   options
 where options are "s=4, pam_serv=(pam_pass), pamauth=(password)"
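A small consistency check for the sqlhosts options shown above, added here as an illustration and not part of the Informix documentation or product: it extracts pam_serv and pamauth from an options string, verifies that the named service has a PAM configuration (a per-service file under pam.d, which on Linux takes precedence, or otherwise an entry in pam.conf), and flags a pamauth value that is neither challenge nor password. The directory layout, the constructed sample entries and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the Informix documentation). Checks that an sqlhosts
# options string such as "s=4, pam_serv=(pam_pass), pamauth=(challenge)"
# names a PAM service that is actually configured, and that pamauth is valid.

# Print the value of key=(value) from an sqlhosts options string.
# usage: opt_value "s=4, pam_serv=(pam_pass), pamauth=(challenge)" pam_serv
opt_value() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n "s/^[[:space:]]*$2=(\([^)]*\)).*/\1/p"
}

# Check one options string against an /etc-like directory ($2).
# Prints OK/FAIL lines and returns 0 only when everything is consistent.
check_pam_entry() {
    opts=$1; etc=$2; rc=0
    serv=$(opt_value "$opts" pam_serv)
    mode=$(opt_value "$opts" pamauth)
    if [ -z "$serv" ]; then
        echo "FAIL: options carry no pam_serv"; rc=1
    elif [ -d "$etc/pam.d" ]; then
        # Linux: when pam.d exists, pam.conf is ignored; need a per-service file.
        if [ -f "$etc/pam.d/$serv" ]; then echo "OK: $etc/pam.d/$serv found"
        else echo "FAIL: no $etc/pam.d/$serv for pam_serv=$serv"; rc=1; fi
    elif grep -q "^$serv[[:space:]]" "$etc/pam.conf" 2>/dev/null; then
        echo "OK: service $serv listed in $etc/pam.conf"
    else
        echo "FAIL: service $serv not found in $etc/pam.conf"; rc=1
    fi
    case $mode in
        challenge) echo "OK: pamauth=challenge (implicit connections can work)";;
        password)  echo "OK: pamauth=password (implicit connections will fail)";;
        "")        echo "FAIL: pamauth missing"; rc=1;;
        *)         echo "FAIL: pamauth=$mode is neither challenge nor password"; rc=1;;
    esac
    return $rc
}

# Constructed demo: a temporary etc/ with a pam.d service file named pam_pass.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/pam.d"
printf 'auth required pam_unix.so\naccount required pam_unix.so\n' \
    > "$demo_dir/pam.d/pam_pass"
check_pam_entry "s=4, pam_serv=(pam_pass), pamauth=(challenge)" "$demo_dir"
check_pam_entry "s=4, pam_serv=(pam_other), pamauth=(token)" "$demo_dir" || true
rm -rf "$demo_dir"
```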

Enterprise Replication and High-Availability Data Replication

Enterprise Replication and High-Availability Data Replication (HDR) cannot respond to challenges if the authentication scheme calls for them. For this reason, Enterprise Replication and HDR must not be configured on the port that uses PAM. For information on the facility to dedicate ports to Enterprise Replication and HDR, see Enterprise Replication and High-Availability Data Replication Connection Security Option.

Application Development

The process for preparing an application to respond to challenges raised by PAM is the same process to use when responding to challenges raised by LDAP Authentication Support modules. For more information, see Application Development for Authentication Modules.

Distributed Transactions with PAM, Client APIs, and Compatibility Issues

Distributed transactions, APIs that support PAM, and compatibility issues with other IBM Informix products and tools are the same for both PAM and LDAP Authentication Support modules. For more information, see Distributed Transactions, Client APIs and Authentication Support Modules, and Compatibility Issues.
