Authentication modes with PAM
The pluggable authentication mode (PAM) determines whether a user can authenticate by providing a password, responding correctly to a challenge, or a combination of both.
You can use either authentication mode for Client SDK connections. You can use the password authentication mode for Distributed Relational Database Architecture™ (DRDA®) connections.
The PAM implementation in HCL® OneDB® takes advantage of the fact that for explicit connection requests, the client sends a password to the server. You can set up PAM to make this password the only requirement for authentication to the server.
When you configure PAM to use the challenge-response protocol, authentication is complete after the user enters the correct reply to a question or other prompt. With this authentication mode, an application must be designed to respond to the challenge prompt correctly before it connects to the database server. You can set up PAM authentication to use the challenge-response mode only so that PAM ignores the client connection password.
For Linux™ platforms, if PAM is configured to authenticate users with the challenge-response protocol, the password from the client is ignored always. The PAM service on Linux prompts for the user password a second time if both password and challenge-response authentication are enabled.