Chapter 10

Using PAM

This chapter covers the Pluggable Authentication Module (PAM) framework. PAM provides a method to "plug in" authentication services and provides support for multiple authentication services.

PAM (Overview)

The Pluggable Authentication Module (PAM) framework lets you "plug in" new authentication technologies without changing system entry services, such as login, ftp, telnet, and so on. You can also use PAM to integrate UNIX login with other security mechanisms like Kerberos. Mechanisms for account, session, and password management can also be "plugged in" by using this framework.

Benefits of Using PAM

The PAM framework allows you to configure the use of system entry services (ftp, login, telnet, or rsh, for example) for user authentication. Some benefits that PAM provides are as follows:

  • Flexible configuration policy

    • Per application authentication policy

    • The ability to choose a default authentication mechanism

    • Multiple passwords on high-security systems

  • Ease of use for the end user

    • No retyping of passwords if the passwords are the same for different mechanisms.

    • The ability to prompt the user for passwords for multiple authentication methods without having the user enter multiple commands.

  • The ability to pass optional parameters to the user authentication services

PAM Components

The PAM software consists of a library, several modules, and a configuration file. New versions of several commands or daemons that take advantage of the PAM interfaces are also included.

The following figure illustrates the relationship between the applications, the PAM library, the pam.conf file, and the PAM modules.

Figure 10-1 How PAM Works

Diagram shows how the PAM library is situated between the PAM modules and the applications that use the modules.

The applications, such as ftp, telnet, and login, use the PAM library to call the configuration policy. The pam.conf file defines which modules to use, and in what order the modules are to be used with each application. Responses from the modules are passed back through the library to the application.

The following sections describe the relationship between the PAM components and the applications.

PAM Library

The PAM library provides the framework to load the appropriate modules and to manage the stacking process. The PAM library provides a generic structure to which all of the modules can plug in. See the pam(3PAM) man page for more information.

Password-Mapping Feature

The stacking feature can require that a user remembers several passwords. With the password-mapping feature, the primary password is used to decrypt the other passwords. The user does not need to remember or enter multiple passwords. The other option is to synchronize the passwords across each authentication mechanism. This strategy could increase the security risk, because the mechanism security is limited by the least secure password method that is used in the stack.

Changes to PAM for the Solaris 9 Release

The Solaris 9 release includes several enhancements to the PAM service. The following list highlights the most important changes:

  • To accommodate proper stacking, the pam_unix module is broken into single service modules. These modules provide the same capabilities as in the pam_unix module. The capabilities are provided by the following modules:

    • pam_authtok_get

    • pam_authtok_check

    • pam_authtok_store

    • pam_unix_auth

    • pam_dhkeys

    • pam_passwd_auth

    See PAM Modules for information about the new modules.

  • The ssh service name was added. See Valid Service Names for PAM for information about the PAM services.

  • The PAM configuration file was updated. See Generic pam.conf File for information about the configuration file.

Changes to PAM for the Solaris 9 Update 2 Release

Update 2 includes a new binding control flag. This flag provides the ability to skip additional authentication if the service module returns success and if no preceding required modules have failed. The control flag is documented in the pam.conf(4) man page and in PAM Control Flags.
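The following Python program is an added illustration of the stacking process that the PAM library manages (see PAM Library above) and of the binding control flag just described. It is not code from the Solaris PAM library. It reads a constructed pam.conf fragment in the pam.conf(4) field order (service name, module type, control flag, module path), builds the module stack for one service, and then walks the stack under the documented control-flag rules, using a caller-supplied table of module outcomes in place of real module calls. The module names are real Solaris module file names; the stack arrangement and the outcomes are constructed for the example.

```python
"""Simulation of how PAM walks a service's module stack under pam.conf control flags.

Added illustration only: this is not the Solaris PAM library's code, and the
pam.conf fragment below is a constructed sample, not the generic pam.conf
shipped with Solaris 9.
"""

SUCCESS = "success"
FAILURE = "failure"

# Constructed pam.conf fragment. Field order follows pam.conf(4):
#   service_name  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """
# login authentication stack (constructed sample)
login   auth  requisite  pam_authtok_get.so.1
login   auth  required   pam_dhkeys.so.1
login   auth  binding    pam_unix_auth.so.1
login   auth  required   pam_dial_auth.so.1
other   auth  required   pam_unix_auth.so.1
"""

VALID_FLAGS = {"required", "requisite", "sufficient", "optional", "binding"}


def parse_stack(conf_text, service, module_type):
    """Return the ordered [(control_flag, module_name)] stack for one service/type.

    Falls back to the 'other' service when the named service has no entries,
    as PAM does. Malformed lines and unknown flags are rejected rather than
    silently skipped.
    """
    stacks = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        svc, mtype, flag, module = fields[:4]
        if flag not in VALID_FLAGS:
            raise ValueError("unknown control flag %r in line %r" % (flag, raw))
        stacks.setdefault((svc, mtype), []).append((flag, module))
    return stacks.get((service, module_type)) or stacks.get(("other", module_type), [])


def evaluate_stack(stack, outcomes):
    """Walk the stack and return (overall_result, modules_actually_consulted).

    outcomes maps module name -> SUCCESS/FAILURE, a constructed stand-in for
    what each module would return. Control-flag handling follows pam.conf(4):
      requisite : failure ends the stack immediately with failure
      required  : failure is recorded, but the rest of the stack still runs
      sufficient: success ends the stack with success unless a required or
                  binding module already failed; failure is ignored
      binding   : success short-circuits like sufficient; failure is recorded
                  like a required failure
      optional  : failure only matters when no required/requisite/binding
                  module is present and nothing else in the stack succeeded
    """
    required_failed = False
    consulted = []
    for flag, module in stack:
        result = outcomes[module]
        consulted.append(module)
        if flag == "requisite" and result == FAILURE:
            return FAILURE, consulted
        if flag == "required" and result == FAILURE:
            required_failed = True
        if flag == "binding":
            if result == SUCCESS and not required_failed:
                return SUCCESS, consulted      # skip the remaining modules
            if result == FAILURE:
                required_failed = True
        if flag == "sufficient" and result == SUCCESS and not required_failed:
            return SUCCESS, consulted
    if required_failed:
        return FAILURE, consulted
    if not any(f in ("required", "requisite", "binding") for f, _ in stack):
        # Stack built only from optional/sufficient modules: one must succeed.
        if not any(outcomes[m] == SUCCESS for m in consulted):
            return FAILURE, consulted
    return SUCCESS, consulted


def login_auth(outcomes, conf_text=SAMPLE_PAM_CONF):
    """Evaluate the constructed login auth stack with the given module outcomes."""
    return evaluate_stack(parse_stack(conf_text, "login", "auth"), outcomes)


if __name__ == "__main__":
    all_ok = {"pam_authtok_get.so.1": SUCCESS, "pam_dhkeys.so.1": SUCCESS,
              "pam_unix_auth.so.1": SUCCESS, "pam_dial_auth.so.1": SUCCESS}
    print(login_auth(all_ok))
```

The point to notice is the difference between a required failure early in the stack and a binding success later: when pam_dhkeys (required) fails, the binding pam_unix_auth success does not short-circuit, every remaining module is still consulted, and the final answer is failure; when nothing before it has failed, the binding success returns immediately and pam_dial_auth is never called. A requisite failure, by contrast, ends the walk at once.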

PAM (Tasks)

This section discusses some tasks that might be required to make the PAM framework fully functional. In particular, you should be aware of some security issues that are associated with the PAM configuration file.
