NetBackup and Pluggable Authentication Mechanism Module (PAM)

Article: 100032086
Last Published: 2016-03-10
Product(s): NetBackup & Alta Data Protection

Problem

How the Pluggable Authentication Mechanism works

Pluggable Authentication Mechanism (PAM) is a framework that allows authentication mechanisms to be integrated dynamically and seamlessly into existing applications and services. PAM allows system administrators to add or remove authentication mechanisms for existing services without having to change the services themselves. Services, on their part, code to the PAM API once and let the PAM interface handle the actual authentication based on the mechanisms defined for that service at that point. A single service can be configured to go through multiple authentication mechanisms in order to authenticate its clients.
 
A PAM plugin to the VERITAS Authentication service (VxAT) enables customers to make use of their existing PAM authentication modules to authenticate their clients through VxAT and acquire VERITAS credentials.

Functional description

The VxAT PAM plugin acts as a bridge between the AT clients and the PAM modules deployed on the AT broker machine. The administrator of the AT broker machine defines the actual PAM modules that are invoked for VxAT authentication. There can be a separate service name for VxAT authentication, or it can be based on an existing service name such as 'login'. (The default service name is 'login'.)
Each deployed PAM authentication module is associated with a control flag that specifies whether authentication through that module is required to succeed. Based on the overall authentication results from all the modules, the OS PAM interface determines whether the authentication process succeeded and conveys that result to the AT PAM plugin. Upon successful authentication, the AT broker issues a Product credential to the client.

Authentication process using PAM plugin
1. The client sends an authentication request to the AT server, specifying pam as the authentication type and optional parameters (user id, prompt to get the user id, etc.).

   The default value of the PAM service name is login. Note that the PAM service name used by NetBackup is configurable:

   • To change the PAM service name used by VxAT, use the vssat command to specify the alternate PAM service name. For example, to use NewName instead of login:

     vssat updateplugin --pluginname pam --attribute ServiceName --value "NewName"

   • To change the PAM service name used by bpjava-msvc, create a text file /usr/openv/netbackup/pam_service.txt that contains the alternate PAM service name. For example, to use NewName instead of login:

     echo NewName > /usr/openv/netbackup/pam_service.txt
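The following is an added example, not Veritas code or part of this article: a small audit helper that works out which PAM service name the bpjava-msvc path will hand to the OS PAM stack and whether a stack with that name is defined. It assumes a Linux-PAM layout (one file per service under /etc/pam.d; Solaris and AIX keep the stacks in /etc/pam.conf instead) and assumes that bpjava-msvc reads the first non-blank line of pam_service.txt. The vssat-side setting lives in the plugin configuration rather than a plain file, so it is not covered here.

```python
"""Added example (not Veritas code): resolve the PAM service name that
bpjava-msvc will use and check that a matching stack file exists.
Assumes the Linux-PAM /etc/pam.d layout."""
import os

DEFAULT_SERVICE = "login"                                  # default named in the article
PAM_SERVICE_FILE = "/usr/openv/netbackup/pam_service.txt"  # bpjava-msvc override file


def parse_service_name(text, default=DEFAULT_SERVICE):
    """First non-blank line of pam_service.txt with surrounding whitespace
    stripped (the echo command in the article leaves a trailing newline);
    falls back to the default when the content is empty. The stripping
    rule is an assumption of this example."""
    for line in text.splitlines():
        name = line.strip()
        if name:
            return name
    return default


def read_service_name(path=PAM_SERVICE_FILE, default=DEFAULT_SERVICE):
    """Same, reading from disk; a missing file means the default applies."""
    try:
        with open(path, encoding="utf-8") as fh:
            return parse_service_name(fh.read(), default)
    except FileNotFoundError:
        return default


def check_service_defined(service_name, pam_d_dir="/etc/pam.d"):
    """True when a stack file exists for the name. With Linux-PAM a service
    name that has no file is handled by the 'other' stack, so a typo in
    pam_service.txt silently changes which modules run."""
    return os.path.isfile(os.path.join(pam_d_dir, service_name))


def audit(path=PAM_SERVICE_FILE, pam_d_dir="/etc/pam.d"):
    """Effective service name plus whether it is defined, for a quick check
    after changing the override file."""
    name = read_service_name(path)
    return {"service": name, "defined": check_service_defined(name, pam_d_dir)}


if __name__ == "__main__":
    print(audit())
```

Run it on the broker after creating pam_service.txt; a result with "defined": False means the name in the file does not correspond to any stack under /etc/pam.d and should be corrected before clients are pointed at it.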
 
 
2. Upon the PAM authentication request, the PAM plugin initiates an authentication session with the underlying OS PAM interface, specifying the PAM service name, a conversation function used to talk to the client (also known as a callback routine) and, if available, an optional user id.

   If the user id is not specified with the initial authentication request, the PAM modules must request it through the callback and set it in the PAM context. Otherwise, the authentication broker will not be able to issue a credential.

3. The OS PAM interface invokes all the PAM modules defined for that service, one by one.

4. If any of these modules require additional information to complete the authentication, they send a request to the PAM plugin through the callback.

5. The PAM plugin, in turn, relays this request to the client and sends the client's response back to the PAM module. There can be any number of requests from the PAM module to the client. The PAM plugin does not interpret the data passed between the PAM modules and the client; however, the PAM plugin does expect the password prompt to contain the string "password" or "Password". (Note: before NetBackup 7.6, the PAM plugin expected a case-sensitive exact match for the string "Password:". Starting in NetBackup 7.6, the PAM plugin expects a case-insensitive substring match for the string "password".)

6. After invoking all (or some) of the PAM modules, the OS PAM interface determines whether the authentication succeeded by analyzing the results from each of them, and conveys that result to the PAM plugin.

7. Upon successful authentication, the PAM plugin retrieves the user identity from the PAM context and sets it as the identity for which the credential is to be issued.

8. The AT Broker issues a credential for the given user identity, with the Subject field containing the user id and the broker host name.

Group information for the user is retrieved using the standard OS APIs. The PAM interface itself does not provide this information directly. However, the system can be configured with a custom PAM plugin to return the group information, by providing an nss_pam library and setting pam as one of the providers for group information in /etc/nsswitch.conf. That would be external to the AT PAM plugin.
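The following is an added example, not Veritas code or part of this article: a self-contained simulation of the conversation described in steps 2 through 8. A stand-in PAM stack prompts the plugin's conversation callback, the callback routes each prompt to the client's answer, and the broker reads PAM_USER back from the context to build the credential subject. No real libpam call is made; the message-style constants carry the Linux-PAM values so that they map onto a real conversation function. The account table, the prompts, the user@host subject format and the empty answer returned for an unrecognised hidden prompt are all assumptions of this example.

```python
"""Added example (not Veritas code): simulation of the AT PAM plugin's
conversation with a PAM stack, including the 7.6 change in how the
password prompt is recognised."""
import grp
import os
import pwd

# Linux-PAM message styles (values from <security/pam_appl.h>)
PAM_PROMPT_ECHO_OFF = 1  # hidden input, normally the password prompt
PAM_PROMPT_ECHO_ON = 2   # visible input, e.g. a user-id prompt
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4


def is_password_prompt(prompt, legacy=False):
    """Prompt-matching rule from step 5: pre-7.6 (legacy=True) needs the
    exact string 'Password:'; 7.6 and later accept any prompt that
    contains 'password' in any letter case."""
    if legacy:
        return prompt == "Password:"
    return "password" in prompt.lower()


class SimulatedPamStack:
    """Stands in for the OS PAM interface plus one module. If the context
    has no PAM_USER it asks for one through the callback and stores the
    answer, then asks for the password and checks it against a constructed
    account table."""
    ACCOUNTS = {"alice": "s3cret"}  # constructed sample credentials

    def __init__(self, password_prompt="Password:"):
        self.password_prompt = password_prompt

    def authenticate(self, context, conv):
        if not context.get("PAM_USER"):
            context["PAM_USER"] = conv(PAM_PROMPT_ECHO_ON, "login: ")
        answer = conv(PAM_PROMPT_ECHO_OFF, self.password_prompt)
        user = context.get("PAM_USER")
        return user in self.ACCOUNTS and self.ACCOUNTS[user] == answer


def make_plugin_conv(client_user, client_secret, legacy=False):
    """The plugin's conversation callback. It does not interpret prompts
    beyond recognising the password prompt; a visible-input prompt gets
    the user id. An unrecognised hidden prompt gets an empty answer
    (assumed behaviour, not stated by the article)."""
    def conv(msg_style, prompt):
        if msg_style == PAM_PROMPT_ECHO_OFF:
            return client_secret if is_password_prompt(prompt, legacy) else ""
        if msg_style == PAM_PROMPT_ECHO_ON:
            return client_user
        return ""  # PAM_ERROR_MSG / PAM_TEXT_INFO carry no answer
    return conv


def lookup_groups(user):
    """Group membership via the standard OS account database (the article
    notes PAM itself does not supply it); [] when the account is not
    known to the local system."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return []
    names = []
    for gid in os.getgrouplist(user, pw.pw_gid):
        try:
            names.append(grp.getgrgid(gid).gr_name)
        except KeyError:
            names.append(str(gid))
    return sorted(names)


def broker_authenticate(stack, client_user, client_secret, broker_host,
                        user_id=None, legacy=False):
    """Steps 2-8 end to end. user_id is the optional id sent with the
    request; client_user is what the client answers if a module prompts
    for it. Returns the credential fields on success, None on failure."""
    context = {"PAM_USER": user_id}
    conv = make_plugin_conv(client_user, client_secret, legacy)
    if not stack.authenticate(context, conv):
        return None
    identity = context.get("PAM_USER")
    if not identity:
        return None  # nothing in the PAM context: no credential (step 2 note)
    return {"subject": f"{identity}@{broker_host}",  # assumed subject layout
            "groups": lookup_groups(identity)}


if __name__ == "__main__":
    stack = SimulatedPamStack("Enter Password: ")
    print(broker_authenticate(stack, "alice", "s3cret", "broker01.example"))
    print(broker_authenticate(stack, "alice", "s3cret", "broker01.example",
                              legacy=True))
```

The two calls at the bottom show the behaviour change that matters when troubleshooting: a module whose prompt is "Enter Password: " authenticates under the 7.6 substring rule but fails under the pre-7.6 exact-match rule, because the plugin never sends the password for a prompt it does not recognise.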