Configure PAM Authentication

When PAM is configured, Reflection for Secure IT transfers control of authentication to the PAM library.

To configure PAM authentication on the server

  1. Edit your PAM configuration settings to support the required modules: auth, account, password, and session. If required modules are not defined, the connection will be refused.

    On Linux systems, the following file is installed with the server:

    /etc/pam.d/ssh

    This file contains the default configuration information. For example, on SLES systems the ssh file includes the following:

    #%PAM-1.0
    auth     include        common-auth
    auth     required       pam_nologin.so
    account  include        common-account
    password include        common-password
    session  include        common-session

    On other systems, create (or configure) /etc/pam.conf. For example, on HP-UX:

    ssh auth     required  /usr/lib/security/libpam_unix.1
    ssh account  required  /usr/lib/security/libpam_unix.1
    ssh password required  /usr/lib/security/libpam_unix.1
    ssh session  required  /usr/lib/security/libpam_unix.1

  2. Open the server configuration file (/etc/ssh2/sshd2_config) in a text editor.

  3. Confirm that AllowedAuthentications (or RequiredAuthentications) includes keyboard-interactive as an allowed authentication method (the default).

  4. Configure PamServiceName to identify the name of your PAM service.

    • Use the default (ssh) if your PAM modules are defined in /etc/pam.d/ssh.

      -or-

    • If your PAM modules are defined in pam.conf, the value of PamServiceName must match your service name (ssh in the example shown above). If ssh is not defined in pam.conf, you may be able to use the default service name other.

  5. Configure the server to use PAM.

    To use PAM for                            In the server configuration file, add
    Authentication and password management    AuthKbdInt.Required=pam
    Account management                        AccountManagement=pam
    Session management                        UsePamSessions=yes

  6. (Optional) To include the words "PAM authentication" in the prompt that client users see during authentication, include the following:

    AuthKbdInt.Verbose=yes
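
Because the server refuses connections when any of the four module types is undefined (step 1), the PAM file is worth checking before PAM is enabled in step 5. The following Python check is an added example, not part of the product or its documentation; the function names missing_types and pick_service are this example's own. It assumes an include line counts as defining its type and does not follow the included file.

```python
REQUIRED = ("auth", "account", "password", "session")

def missing_types(text, service=None):
    """List the required PAM module types that `text` does not define.

    service=None: text is a per-service file such as /etc/pam.d/ssh.
    service="ssh": text is pam.conf; only lines whose first field is
    that service name are counted.
    """
    found = set()
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if service is not None:
            if not fields or fields[0] != service:
                continue
            fields = fields[1:]
        if fields:
            found.add(fields[0].lstrip("-").lower())
    return [t for t in REQUIRED if t not in found]

def pick_service(pam_conf, preferred="ssh"):
    """Return a PamServiceName whose pam.conf entries cover all four types.

    Falls back to "other" as step 4 describes; None means neither is usable.
    """
    for name in (preferred, "other"):
        if not missing_types(pam_conf, name):
            return name
    return None

# The SLES /etc/pam.d/ssh file and the HP-UX pam.conf entries shown above.
SLES_SSH = """#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
"""
HPUX_CONF = "".join(
    f"ssh {t} required /usr/lib/security/libpam_unix.1\n" for t in REQUIRED)
# Constructed sample: ssh lacks a session entry, "other" is complete.
PARTIAL_CONF = (
    "ssh auth required /usr/lib/security/libpam_unix.1\n"
    "ssh account required /usr/lib/security/libpam_unix.1\n"
    "ssh password required /usr/lib/security/libpam_unix.1\n"
    + HPUX_CONF.replace("ssh ", "other "))

if __name__ == "__main__":
    print(missing_types(SLES_SSH), missing_types(PARTIAL_CONF, "ssh"))
    print(pick_service(PARTIAL_CONF))
```

To check a live system, pass the contents of /etc/pam.d/ssh (or pam.conf together with the PamServiceName value) to missing_types; an empty list means all four types are present.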

To configure PAM authentication on the client

  • Confirm that AllowedAuthentications includes keyboard-interactive as an allowed authentication method (the default).