Enforcing access rights on AIX computers

If you are using the AIX Loadable Authentication Module (LAM), users who do not have the PAM login-all right can still log in. For example, an Active Directory user joined to the zone with the AIX computer and assigned to a role that does NOT include the login-all right can, in fact, log in to the AIX servers using the LAM interface. This is because the LAM interface does not use the rights defined in the user’s Centrify role to control access. If the same server is configured with the PAM authentication module, that user would not be able to log in.

To control user login activity, you have two choices:

  • Keep the LAM interface and use one of the following PAM configuration parameters to define who has or does not have access:
    • pam.allow.groups: This configuration parameter specifies the groups allowed to access PAM-enabled applications.
    • pam.allow.users: This configuration parameter specifies the users who are allowed to access PAM-enabled applications.
    • pam.deny.groups: This configuration parameter specifies the groups that should be denied access to PAM-enabled applications.
    • pam.deny.users: This configuration parameter specifies the users that should be denied access to PAM-enabled applications.
  • Replace the LAM interface with PAM. See the IBM AIX documentation for the instructions. The conversion procedure is fairly simple; however, you should test all applications on the server to ensure that they work the same with PAM. In addition, if you are using Centrify OpenSSH, there are two versions: one for LAM and one for PAM. Both the LAM and PAM versions are distributed in the package. If you convert to PAM, uninstall the LAM version and install the PAM version.
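If you keep the LAM interface, the only thing standing between a zone user and a shell is whichever of the four pam.allow/pam.deny parameters you have actually set, so it is worth being able to audit them quickly. The script below is an added example, not Centrify's own tooling or text from this page: it reads the four parameters out of a Centrify configuration file and reports which are active. The default path /etc/centrifydc/centrifydc.conf and the `name: value` line format are assumptions about the product's configuration file; the sample configuration written by the script is constructed here so that it runs offline.

```shell
#!/bin/sh
# Added example (not Centrify's own code): audit the PAM allow/deny
# parameters that govern LAM-host logins. Path below is an assumption;
# override it with CENTRIFY_CONF for a real host.
CONF="${CENTRIFY_CONF:-/etc/centrifydc/centrifydc.conf}"

# Print the value of one pam.* parameter from a config file.
# Commented-out lines ("#pam.allow.users: ...") are ignored, so the
# output is empty when the parameter is not in force.
# $1 = parameter name, $2 = config file
pam_param() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*:[[:space:]]*//p" "$2" | head -n 1
}

# Report each of the four parameters. Returns 0 when at least one
# allow/deny list is set, 1 when none is (i.e. these parameters place
# no restriction on who can log in through LAM).
# $1 = config file
audit_pam_access() {
    f="$1"
    found=1
    for p in pam.allow.groups pam.allow.users pam.deny.groups pam.deny.users; do
        v=$(pam_param "$p" "$f")
        if [ -n "$v" ]; then
            echo "$p = $v"
            found=0
        else
            echo "$p (not set)"
        fi
    done
    return $found
}

# Write a constructed sample configuration to a temp file and return its path,
# so the audit can be demonstrated without touching a real server.
make_sample_conf() {
    s=$(mktemp)
    cat > "$s" <<'EOF'
# centrifydc.conf (constructed sample, not a real host's file)
adclient.krb5.keytab.clean.interval: 24
pam.allow.groups: aix-admins, aix-operators
pam.deny.users: svc-batch
#pam.allow.users: alice
EOF
    echo "$s"
}

if [ -r "$CONF" ]; then
    TARGET="$CONF"
else
    TARGET=$(make_sample_conf)
fi

if audit_pam_access "$TARGET"; then
    echo "OK: at least one allow/deny list restricts LAM logins"
else
    echo "WARNING: no allow/deny list set; LAM logins are not restricted by these parameters"
fi
```

Run it with `CENTRIFY_CONF=/path/to/centrifydc.conf sh audit.sh` on the AIX host; with no readable file at that path it falls back to the constructed sample, where the allow list and deny list are set and the commented-out pam.allow.users line is correctly reported as not set.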