Before installing the Linux PAM Client, the AIX machine must be configured to use LDAP-based user accounts and user groups from Active Directory.
Prerequisite:
/bin/false must be defined as a valid shell on the AIX machine. Edit /etc/security/login.cfg and add /bin/false to the shells attribute in the usw: stanza.
To install Linux PAM Client on the AIX server:
Run the following command:
rpm -ivh naaf-aixclient-aix-release-<version>.rpm
To enable the Linux PAM Client, perform the following:
Edit /opt/pam_aucore/etc/pam_aucore.conf and add the line discovery.host: <AA Server ip/DNS>, where the value is the IP address or DNS name of the Advanced Authentication server.
Execute the following commands to restart the aaacache service so that it picks up the new discovery host:
stopsrc -s aaacache
startsrc -s aaacache
Back up and then edit the /etc/pam.conf file.
Comment out the existing sshd entry in the Authentication section and add the following line so that sshd authenticates through the Advanced Authentication pam_aucore module:
sshd auth required /opt/pam_aucore/lib/pam_aucore.so
NOTE: Do not modify the sshd entries under Account Management, Password Management, and Session Management. Retain the default pam_aix settings for them.
For more information, see Enable ssh on AIX.
Edit /etc/ssh/sshd_config and set the following parameters:
ChallengeResponseAuthentication yes
UsePAM yes
NOTE: If the UsePAM parameter already exists and is set to no, change the value to yes. sshd uses the first value it reads for a keyword, so make sure no earlier line in the file sets either parameter differently.
Edit /etc/security/login.cfg and, in the usw: stanza, set auth_type = PAM_AUTH instead of STD_AUTH. This setting switches every login service on the AIX machine (not only sshd) to PAM; the other services continue to use their default pam_aix entries in /etc/pam.conf.
Execute the following commands to restart sshd. Keep an existing SSH session open while you do this, so that you can revert the configuration if the new authentication fails:
stopsrc -s sshd
startsrc -s sshd
To uninstall the Linux PAM Client on the AIX server, run the following command:
rpm -e pam_aucore
NOTE: After you uninstall the Linux PAM Client, you must revert the changes that were made to the following files (restore the backups you took before editing them), and then restart sshd:
/etc/pam.conf
/etc/ssh/sshd_config
/etc/security/login.cfg
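The following script is an added example and is not part of the product documentation. It turns the file edits from the enable procedure (pam.conf, sshd_config and login.cfg) and the revert after uninstall into idempotent shell functions that take file paths as arguments, so they can be rehearsed on copies before touching the live files. It assumes POSIX sh and awk, the default file locations named above, and the usual login.cfg layout with a usw: stanza that holds the shells and auth_type attributes; the apply/revert entry point and the .bak naming are this example's own conventions.

```shell
#!/bin/sh
# Added example, not the product's own code. Applies the /etc/pam.conf,
# /etc/ssh/sshd_config and /etc/security/login.cfg edits from the procedure
# as idempotent functions on the files passed in. Edits go through a temp file
# and mv (no sed -i on AIX). Assumes the usw: stanza layout in login.cfg.
set -u

AUCORE_MODULE=/opt/pam_aucore/lib/pam_aucore.so

# Keep the first pre-change copy of a file as <file>.bak for the uninstall revert.
backup_once() {
  [ -f "$1.bak" ] || cp "$1" "$1.bak"
}

# pam.conf: comment out the existing "sshd auth ..." entries and add the
# pam_aucore entry once. sshd account/password/session lines (pam_aix) are untouched.
configure_pam_conf() {
  f=$1
  backup_once "$f"
  awk -v mod="$AUCORE_MODULE" '
    $1 == "sshd" && $2 == "auth" && $4 != mod { print "#" $0; next }
    $1 == "sshd" && $2 == "auth" && $4 == mod { seen = 1 }
    { print }
    END { if (!seen) printf "sshd\tauth\trequired\t%s\n", mod }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# sshd_config: set Key to Value exactly once. sshd honours the first occurrence
# of a keyword, so a missing key is inserted at the top (ahead of any Match
# block); an existing line (even a commented one) is replaced in place and any
# later active duplicate is commented out.
set_sshd_param() {
  f=$1; key=$2; val=$3
  backup_once "$f"
  awk -v k="$key" -v v="$val" '
    function key_of(s,  a) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, a, /[ \t=]+/); return tolower(a[1]) }
    { lines[NR] = $0; if (!pos && key_of($0) == tolower(k)) pos = NR }
    END {
      if (!pos) print k " " v
      for (i = 1; i <= NR; i++) {
        if (i == pos) print k " " v
        else if (key_of(lines[i]) == tolower(k) && lines[i] !~ /^[ \t]*#/) print "#" lines[i]
        else print lines[i]
      }
    }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# login.cfg, usw: stanza: append /bin/false to shells if it is missing and set
# auth_type = PAM_AUTH (adding the attribute if the stanza has none).
configure_login_cfg() {
  f=$1
  backup_once "$f"
  awk '
    /^[^ \t#][^:]*:[ \t]*$/ {
      if (in_usw && !auth_seen) print "\tauth_type = PAM_AUTH"
      in_usw = ($0 ~ /^usw:/)
    }
    in_usw && $1 == "shells" && $2 == "=" && $3 !~ /(^|,)\/bin\/false(,|$)/ { $0 = "\tshells = " $3 ",/bin/false" }
    in_usw && $1 == "auth_type" && $2 == "=" { $0 = "\tauth_type = PAM_AUTH"; auth_seen = 1 }
    { print }
    END { if (in_usw && !auth_seen) print "\tauth_type = PAM_AUTH" }
  ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Uninstall revert: put the pre-change copies back.
restore_from_backup() {
  for f in "$@"; do
    if [ -f "$f.bak" ]; then cp "$f.bak" "$f"; fi
  done
}

# Live run on the AIX host, after the rpm install and the pam_aucore.conf edit.
# Keep a second SSH session open while sshd restarts.
if [ "${1:-}" = "apply" ]; then
  configure_pam_conf /etc/pam.conf
  set_sshd_param /etc/ssh/sshd_config ChallengeResponseAuthentication yes
  set_sshd_param /etc/ssh/sshd_config UsePAM yes
  configure_login_cfg /etc/security/login.cfg
  stopsrc -s sshd; startsrc -s sshd
elif [ "${1:-}" = "revert" ]; then
  restore_from_backup /etc/pam.conf /etc/ssh/sshd_config /etc/security/login.cfg
  stopsrc -s sshd; startsrc -s sshd
fi
```

Run it as `sh configure_aucore.sh apply` to enable, and `sh configure_aucore.sh revert` after `rpm -e pam_aucore`. Because every function is idempotent, running `apply` a second time is harmless, and the `.bak` copies are taken only once so the revert always restores the original pre-change state.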