PAM

Introduction

This manual instructs you on how to manage the Password Authentication Module (PAM) on the KOBIL Smart Security Management Server (SSMS). Find a detailed description of all the settings in the administrator manual for the Kernel module. With the Password Authentication Module, you can manage the passwords of the users and lock and unlock the users. The PAM module can be used in combination with other modules. For this, the module-specific dependencies must be observed.

General information

This manual is aimed at the operators who install, configure and use the KOBIL Smart Security Management Server. The document is also intended for the administrators responsible for the management system and for user password management.

This manual only describes how to use the Password Authentication Module (PAM). It does not describe the other modules of the SSMS, which must necessarily be used together with the main module (Kernel). For information about the other modules and for documents on the administration of the SSMS, contact the support team.

Version dependent validity of the manual

As you can add the various modules to the KOBIL SSMS independently of each other, different versions of the individual modules exist. To ensure that the versions are compatible, refer to the version compatibility overview in the installation manual of the KOBIL SSMS.

PAM only depends on the Kernel module. However, dependencies concerning the modules that use PAM may exist (please see the Installation Manual).

CHAP compatibility

By default, the Password Authentication Module stores passwords as an encrypted and salted hash value. When using the Password Authentication Module with the CHAP protocol, for example together with the SecOVID module and the respective RADIUS connector, passwords need to be accessible in plaintext (see also https://tools.ietf.org/rfc/rfc1994.txt , Section 2.2). In order to support CHAP, passwords can be individually stored in CHAP compatible mode. In this mode, SSMS additionally stores the passwords encrypted using the DB-encryption facility. The stored values are individualized per user, which means that the actually stored values differ even if two users chose the same password. Additionally, all verifications that do not require plaintext passwords still compare salted hashes, so passwords are decrypted only when required.

If you want to utilize CHAP compatibility, please make sure that you select the respective Advanced Setting (see Chapter 1.4). Please note that you can still override this setting individually when changing or creating passwords from the UI or, using an additional and optional parameter, from the Management SOAP interface. However, all user-initiated password changes, for example using SecOVID with RADIUS in PAP mode, are stored entirely according to this Advanced Setting.
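The following added example (not KOBIL code) models the two storage modes described above: the default mode keeps only a salted hash, while the CHAP compatible mode additionally keeps a per-user individualized, reversibly encrypted copy that is decrypted only when a CHAP response (RFC 1994, Section 2.2) has to be verified. The product's DB-encryption facility is stood in for by an HMAC-based keystream, which is an assumption for the demo and not the algorithm SSMS uses; the function names are likewise made up for illustration.

```python
import hashlib, hmac, os

DB_KEY = os.urandom(32)  # stand-in for the server's DB-encryption key (assumption)

def _keystream_xor(data: bytes, nonce: bytes) -> bytes:
    # Toy reversible cipher: XOR with HMAC-SHA256(DB_KEY, nonce || counter) blocks.
    # Encryption and decryption are the same operation.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(DB_KEY, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def store_password(password: str, chap_compatible: bool) -> dict:
    salt = os.urandom(16)  # per-user salt: same password -> different hash
    rec = {"salt": salt,
           "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)}
    if chap_compatible:
        nonce = os.urandom(16)  # per-user nonce: ciphertext differs per user as well
        rec["nonce"] = nonce
        rec["enc"] = _keystream_xor(password.encode(), nonce)
    return rec

def verify_pap(rec: dict, password: str) -> bool:
    # Plaintext (PAP-style) check compares salted hashes; nothing is decrypted.
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    return hmac.compare_digest(cand, rec["hash"])

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 Section 2.2: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

def verify_chap(rec: dict, ident: int, challenge: bytes, response: bytes) -> bool:
    # CHAP needs the plaintext secret, so only a CHAP compatible record can verify it.
    if "enc" not in rec:
        return False
    secret = _keystream_xor(rec["enc"], rec["nonce"])  # decrypted only at this point
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)
```

A record stored without CHAP compatibility can still be verified PAP-style but never answers a CHAP challenge, which is the trade-off the Advanced Setting controls.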

Password Authentication Module

The Password Authentication Module (PAM) manages and verifies the passwords as well as their related users. Consequently, the security features already existing in other modules can be reinforced.

The menu option “Password Authentication Module” leads to the views and functions to individually manage the passwords and users. The following are the views of this module:

  • Users
  • Reporting
  • Advanced-Settings

An already installed Kernel module is a prerequisite for using this module. Find more details about the module installation in the SSMS installation manual.

To manage the passwords and users, the GUI and the SOAP interface provide certain functions. This module does not provide command line tools for accessing the SOAP functions. The SOAP interface can be used to integrate the server into the existing IT infrastructure.

On the management node, you can carry out the following tasks: add, remove, lock and unlock users, set the password state, watch the reporting view and adjust the configuration of the module.

The SOAP functions provided on the services node verify the passwords and the corresponding users and can be integrated into a Web Portal to verify the users and passwords already registered on the server.

Role Management in Password Authentication Module

A role must be assigned to each operator of the system. The division into different roles defines the authorizations of every single operator. Please find information on how to create roles and assign them permissions in the manual for the Kernel module.

Please find the roles and authorizations required to use the Management SOAP interface in the description of the individual methods in chapter 2.5. The services SOAP interface is secured via SSL server authentication and does not require any other authentication of a user.