Documentation

Use Pluggable Authentication Modules (PAM) on systems where it is available to invoke password authentication services, account management services, and session start/end services.

pam

  • Version 3.5 and earlier: pam setting not available.
  • Version 4.0 and later: pam setting available.

The pam setting enables the use of PAM if set to yes, or disables it if set to no.

Example

pam yes

Default

pam no

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

libpam

  • Version 5.1.1 and earlier: libpam setting not available.
  • Version 5.2 and later: libpam setting available.

libpam is a user-defined PAM library that EPM-UL uses as a first option in case the system does not use the standard default PAM libraries.

The notation used for AIX to specify the OS-provided PAM library is the following:

/usr/lib/libpam.a(shr.o)

Example

libpam /lib/libpam.so.1

Default

No default value

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

pampasswordservice

  • Version 3.5 and earlier: pampasswordservice setting not available.
  • Version 4.0 and later: pampasswordservice setting available.

To use PAM password authentication and account management when authenticating passwords, set pampasswordservice to the name of the PAM service to use.

  • On a policy server host, PAM password authentication is used for the getuserpasswd() function.
  • On a submit host, PAM password authentication is used when the submitconfirmuser() function is invoked by the policy server host’s policy.
  • On a run host, PAM password authentication is used when runconfirmuser is invoked by the policy server host’s policy.

EPM-UL does not use the environment variables set by pam_env. EPM-UL can read environment variables from /etc/environment or some other file.

For more information, see environmentfile and runenvironmentfile.

Example

pampasswordservice login

Default

No default value

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

Note

Many EPM-UL programs run as root. If you use a PAM service that allows root to bypass passwords (for example, su or anything containing rootok), then EPM-UL may also skip the password check.
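
A check for the condition this note describes, as an added example (not BeyondTrust code): it reads the pampasswordservice value from a settings file and reports every pam_rootok line reachable from that service's auth stack. It assumes the Linux-PAM /etc/pam.d layout and a "keyword value" settings format with # comments; the function names and all sample data are constructed for illustration.

```python
# Constructed sample inputs (not from a real host).
PB_SETTINGS = "# settings file excerpt (constructed)\npam yes\npampasswordservice su\n"
PAM_D = {  # service name -> contents of its /etc/pam.d file (Linux-PAM layout)
    "su": "auth sufficient pam_rootok.so\nauth include system-auth\n",
    "login": "auth substack system-auth\naccount required pam_nologin.so\n",
    "system-auth": "auth required pam_unix.so\naccount required pam_unix.so\n",
}

def setting(settings_text, keyword):
    """Return the value of a 'keyword value' line, or None if it is unset."""
    for line in settings_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0] == keyword:
            return parts[1].strip()
    return None

def rootok_lines(service, pam_d, seen=None):
    """List (service, line) pairs in the auth stack that reference pam_rootok,
    following include, substack and @include into other service files."""
    seen = set() if seen is None else seen
    if service in seen or service not in pam_d:
        return []
    seen.add(service)  # guards against include loops
    hits = []
    for raw in pam_d[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "@include" and len(fields) > 1:
            hits += rootok_lines(fields[1], pam_d, seen)
            continue
        # A leading "-" on the type only silences missing-module errors.
        if fields[0].lstrip("-") != "auth" or len(fields) < 3:
            continue
        if fields[1] in ("include", "substack"):
            hits += rootok_lines(fields[2], pam_d, seen)
        elif "pam_rootok" in line:
            hits.append((service, line))
    return hits

def audit(settings_text, pam_d):
    """Return (service, findings) for the configured pampasswordservice."""
    svc = setting(settings_text, "pampasswordservice")
    return svc, (rootok_lines(svc, pam_d) if svc else [])

if __name__ == "__main__":
    print(audit(PB_SETTINGS, PAM_D))
```

On a real host, build the pam_d mapping by reading each file under /etc/pam.d; any finding means root-run EPM-UL programs may skip the password check for that service.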

pamsessionservice

  • Version 3.5 and earlier: pamsessionservice setting not available.
  • Version 4.0 and later: pamsessionservice setting available.

If you want PAM to perform account management and session start and end services to manage task requests on a run host, then set pamsessionservice to the name of the service that you want to use. pblocald invokes the account management and session start portions when the requested task starts, and invokes session end services when the requested task finishes.

For local mode, the client invokes the account management module when the runuser is different than the submitting user (user). Unless I/O logging is active, session start and end services are skipped.

In version 6.0 and later, EPM-UL uses ulimits that are set by pam_limits during PAM session start. If you do not want to honor the ulimits that are set by PAM, use the pam_session_prepb6 setting.

EPM-UL does not use the environment variables that are set by pam_env. EPM-UL can read environment variables from /etc/environment or some other file.

For more information, see environmentfile and runenvironmentfile.

Example

pamsessionservice su

Default

No default value

Note

Some PAM services may update the syslog and the utmp or utmpx files. To avoid duplicate entries, you might need to set recordunixptysessions and syslogsessions to no.

Used on

  • Run hosts
  • Submit hosts by pbksh and pbsh

For more information, see pam_session_prepb6.

pamsuppresspbpasswprompt

  • Version 5.1.1 and earlier: pamsuppresspbpasswprompt setting not available.
  • Version 5.1.2 and later: pamsuppresspbpasswprompt setting available.

If you want to suppress the Endpoint Privilege Management for Unix and Linux password prompt when PAM authentication is enabled, then set pamsuppresspbpasswprompt to yes. Otherwise, if the Endpoint Privilege Management for Unix and Linux password prompt is required, then set pamsuppresspbpasswprompt to no.

Note

If the values of the user and runuser variables are different, the EPM-UL password prompt is always enabled, even if pamsuppresspbpasswprompt is set to yes.

Example

pamsuppresspbpasswprompt yes

Default

pamsuppresspbpasswprompt yes

Used on

  • Policy server hosts
  • Submit hosts
  • Run hosts

pam_session_prepb6

  • Version 5.2 and earlier: pam_session_prepb6 setting not available.
  • Version 6.0 and later: pam_session_prepb6 setting available.

Prior to EPM-UL version 6, the PAM session is called by the parent EPM-UL process. In version 6, the PAM session is called from the child process that runs the secured task. By setting pam_session_prepb6 to yes, you can revert to the old behavior.

Example

pam_session_prepb6 yes

Default

pam_session_prepb6 no

Used on

  • Run hosts

pamsetcred

  • Version 6.0 and earlier: pamsetcred setting not available.
  • Version 6.1 and later: pamsetcred setting available.

The pamsetcred keyword enables the pam_setcred() function, which is used to establish possible additional credentials of a user.

Note

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

For Solaris projects, this sets the Project ID to the default project, or to a specified project. Other scenarios are possible, depending on the OS PAM implementation and configuration.

Note

The use of pam_setcred currently does not delete credentials after a session.

Example

pamsetcred yes

Default

pamsetcred no

Used on

  • Run hosts

