
PAM (Task Map)

Task: Plan for your PAM Installation
Description: Consider configuration issues and make decisions about them before you start the software configuration process.
For instructions: Planning for PAM

Task: Add new PAM modules
Description: Sometimes, site-specific modules must be written and installed to cover requirements that are not part of the generic software. This procedure covers the installation process.
For instructions: How to Add a PAM Module

Task: Block access through ~/.rhosts
Description: Steps to further increase security by preventing access through ~/.rhosts.
For instructions: How to Prevent Unauthorized Access From Remote Systems With PAM

Task: Initiate error reporting
Description: Steps to start the reporting of PAM error messages through syslog.
For instructions: How to Initiate PAM Error Reporting

Planning for PAM

When you are deciding how best to use PAM in your environment, start by focusing on these issues:

  • Determine what your needs are, especially which modules you should select.

  • Identify the services that need special attention. Use OTHER if appropriate.

  • Decide on the order in which the modules should be run.

  • Select the control flag for each module.

  • Choose any options that are necessary for each module.

Here are some suggestions to consider before you change the PAM configuration file:

  • Use the OTHER entry for each module type so that every application does not have to be included.

  • Make sure to consider the security implications of the sufficient and optional control flags.

  • Review the man pages that are associated with the modules. These man pages can help you understand how each module functions, what options are available, and the interactions between stacked modules.


    Caution - If the PAM configuration file is misconfigured or the file becomes corrupted, even superuser might be unable to log in. Since the sulogin command does not use PAM, superuser would then be required to boot the machine into single-user mode and fix the problem.


    After you change the /etc/pam.conf file, review the file as much as possible while you are still logged in as superuser. Test all the commands that might have been affected by your changes. An example is adding a new module to the telnet service. In this example, you use the telnet command and verify that your changes make the service behave as expected.

Procedure: How to Add a PAM Module

  1. Become superuser or assume an equivalent role.

  2. Determine which control flags and which other options should be used.

    Refer to PAM Modules for information on the modules.

  3. Copy the new module to /usr/lib/security/sparcv9.

    In the Solaris 8 release, the module should be copied to /usr/lib/security.

  4. Set the permissions so that the module file is owned by root and that permissions are 555.

  5. Edit the PAM configuration file, /etc/pam.conf, and add this module to the appropriate services.

Verification

Test before the system is rebooted, in case the configuration file is misconfigured: run rlogin, su, and telnet before you reboot the system. If the service is a daemon that is spawned only once when the system is booted, you must reboot the system before you can verify that the module has been added.

How to Prevent Unauthorized Access From Remote Systems With PAM

Remove the rlogin auth rhosts_auth.so.1 entry from the PAM configuration file. This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore, this step prevents unauthenticated access to the local system from remote systems. All rlogin access requires a password, regardless of the presence or contents of any ~/.rhosts or /etc/hosts.equiv files.


Note - To prevent other unauthenticated access to the ~/.rhosts files, remember to disable the rsh service. The best way to disable a service is to remove the service entry from the /etc/inetd.conf file. Changing the PAM configuration file does not prevent the service from being started.
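The control-flag decisions from Planning for PAM and the effect of removing the rlogin rhosts_auth entry, as an added example that is not part of the Sun documentation: a small evaluator for Solaris pam.conf stacks. It assumes the standard control-flag rules from pam.conf(4) and takes module outcomes from a dict instead of running the modules; both pam.conf texts are constructed samples.

```python
# Added example, not from the Sun documentation: evaluates Solaris
# /etc/pam.conf stacks using the control-flag rules from pam.conf(4).
# Line format: service  module_type  control_flag  module_path  [options]
# Module outcomes are given as a dict (True = success); the real modules
# are not run, and both pam.conf texts below are constructed samples.
# Stock-style rlogin stack: ~/.rhosts trust is tried before the password.
CONF_WITH_RHOSTS = """\
rlogin  auth  sufficient  /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth  required    /usr/lib/security/$ISA/pam_unix.so.1
other   auth  required    /usr/lib/security/$ISA/pam_unix.so.1
"""
# The same file after the rlogin rhosts_auth entry has been removed.
CONF_HARDENED = """\
rlogin  auth  required    /usr/lib/security/$ISA/pam_unix.so.1
other   auth  required    /usr/lib/security/$ISA/pam_unix.so.1
"""

def parse_pam_conf(text):
    # Yields (service, module_type, flag, module_file); comments are ignored.
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            service, mtype, flag, path = fields[:4]
            entries.append((service, mtype, flag, path.rsplit("/", 1)[-1]))
    return entries

def stack_for(entries, service, mtype):
    # A service without its own entries falls back to OTHER, as PAM does.
    stack = [e for e in entries if e[0] == service and e[1] == mtype]
    return stack or [e for e in entries if e[0] == "other" and e[1] == mtype]

def evaluate(stack, outcomes):
    # Combine per-module outcomes according to each entry's control flag.
    required_failed = False
    for _service, _mtype, flag, module in stack:
        ok = outcomes.get(module, False)
        if flag == "requisite" and not ok:   # failure ends the stack at once
            return False
        if flag == "required" and not ok:    # remembered; later modules still run
            required_failed = True
        if flag == "sufficient" and ok and not required_failed:
            return True                      # success short-circuits the rest
        if flag == "optional" and len(stack) == 1:
            return ok                        # only decisive when it stands alone
    return not required_failed

def rlogin_needs_password(conf_text, rhosts_trusts_host):
    # True when ~/.rhosts trust alone cannot authenticate an rlogin user.
    stack = stack_for(parse_pam_conf(conf_text), "rlogin", "auth")
    outcomes = {"pam_rhosts_auth.so.1": rhosts_trusts_host, "pam_unix.so.1": False}
    return not evaluate(stack, outcomes)
```

With the stock stack, a trusted ~/.rhosts entry makes the sufficient module succeed and the password module is never consulted; with the hardened stack the password check is the only entry and always decides.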


Procedure: How to Initiate PAM Error Reporting

  1. Edit the /etc/syslog.conf file to add any of the following entries for PAM error reporting:

    • auth.alert - Messages about conditions that should be fixed immediately

    • auth.crit - Critical messages

    • auth.err - Error messages

    • auth.info - Informational messages

    • auth.debug - Debugging messages

  2. Restart the syslog daemon, or send a SIGHUP signal to the daemon to activate the PAM error reporting.

Example--Initiating PAM Error Reporting

In the following example, all alert messages are displayed on the console. Critical messages are mailed to root. Informational and debug messages are added to the /var/log/pamlog file.

auth.alert	/dev/console
auth.crit	root
auth.info;auth.debug	/var/log/pamlog

Each line in the log contains a time stamp, the name of the system that generated the message, and the message. The pamlog file is capable of logging a large amount of information.

PAM (Reference)

PAM uses run-time pluggable modules to provide authentication for system entry services. A stacking feature lets you authenticate users through multiple services, and a password-mapping feature spares users from having to remember multiple passwords.

PAM Modules

Every PAM module implements a specific mechanism. When you set up PAM authentication, you need to specify both the module and the module type, which defines what the module does. More than one module type, such as auth, account, session, or password, can be associated with each module.

The following table describes every PAM module, and includes the module name and the module file name. The path of each module is determined by the instruction set that is available in the Solaris release that is installed. The default path to the modules is /usr/lib/security/$ISA. The value for $ISA could be sparc or i386. See the isalist(5) man page for more information.

Table 10-1 PAM Modules

Each entry gives the module name, the module file name, and a description.

authtok_check (pam_authtok_check.so.1)
    Provides support for password management. This module performs various checks on passwords. Those checks are for the length of the password, for circular shift of the login name, for password complexity, and for the amount of variation between new passwords and old passwords. See pam_authtok_check(5) for more information.

authtok_get (pam_authtok_get.so.1)
    Provides password prompting for authentication and password management. See pam_authtok_get(5) for more information.

authtok_store (pam_authtok_store.so.1)
    Provides support for authentication only. This module updates the authentication token for the user. After the successful update, the module stores the token in the specified repository or default repository. See pam_authtok_store(5) for more information.

dhkeys (pam_dhkeys.so.1)
    Provides support for Diffie-Hellman key management in authentication. This module supports Secure RPC authentication and Secure RPC authentication token management. See pam_dhkeys(5) for more information.

dial_auth (pam_dial_auth.so.1)
    Can only be used for authentication. This module uses data that is stored in the /etc/dialups and /etc/d_passwd files for authentication. This module is mainly used by the login command. See pam_dial_auth(5) for more information.

krb5 (pam_krb5_auth.so.1)
    Provides support for authentication, account management, session management, and password management. Kerberos credentials are used for authentication. See pam_krb5(5) for more information.

ldap (pam_ldap.so.1)
    Provides support for authentication and password management. Data from an LDAP server is used for authentication. See pam_ldap(5) for more information.

projects (pam_projects.so.1)
    Provides support for account management. See pam_projects(5) for more information.

rhosts_auth (pam_rhosts_auth.so.1)
    Can only be used for authentication. This module uses data that is stored in the ~/.rhosts and /etc/hosts.equiv files through the ruserok() routine. This module is mainly used by the rlogin and rsh commands. See pam_rhosts_auth(5) for more information.

roles (pam_roles.so.1)
    Provides support for account management only. The RBAC user_attr database determines which roles a user can assume. See pam_roles(5) for more information.

sample (pam_sample.so.1)
    Provides support for authentication, account management, session management, and password management. Used for testing. See pam_sample(5) for more information.

smartcard (pam_smartcard.so.1)
    Provides support for authentication only. See pam_smartcard(5) for more information.

unix (pam_unix.so.1)
    Provides support for authentication, account management, session management, and password management. Any of the four module type definitions can be used with this module. This module uses UNIX passwords for authentication.

    In the Solaris environment, the selection of appropriate name services to get password records is controlled through the /etc/nsswitch.conf file. See pam_unix(5) for more information.

unix_account (pam_unix_account.so.1)
    Provides support for account management. This module retrieves password aging information from the repository that is specified in the nsswitch.conf file. Then the module verifies that the password and the user's account have not expired. See pam_unix_account(5) for more information.

unix_auth (pam_unix_auth.so.1)
    Provides support for authentication. This module verifies the password that is contained in the PAM handle. The module checks that the user's password matches the password in the specified repository or default repository. See pam_unix_auth(5) for more information.

unix_session (pam_unix_session.so.1)
    Provides support for session management. This module initiates session management by updating the /var/adm/lastlog file. See pam_unix_session(5) for more information.

For security reasons, these module files must be owned by root and must not be writable through group or other permissions. If the file is not owned by root, PAM does not load the module.
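A check for the ownership and permission rules just stated and for the mode 555 set in the install procedure, as an added example that is not part of the Sun documentation. It assumes a lookup function that returns (uid, mode) for a path, defaulting to os.stat; the module directory contents and the site module name pam_site.so.1 are constructed values.

```python
# Added example, not from the Sun documentation: checks installed PAM module
# files against the rules that PAM enforces before loading a module (owned
# by root, not writable by group or other) and against the mode 555 that the
# install procedure sets. `lookup` returns (uid, mode) for a path and defaults
# to os.stat, so the same check can be run on a real module directory.
import os
import stat

def check_module(uid, mode):
    # Return the problems found for one module file; an empty list is clean.
    problems = []
    if uid != 0:
        problems.append("not owned by root (uid %d): PAM will not load it" % uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or other: PAM will not load it")
    if stat.S_IMODE(mode) != 0o555:
        problems.append("mode is %o, procedure expects 555" % stat.S_IMODE(mode))
    return problems

def real_lookup(path):
    # Live lookup: uid and raw mode bits as reported by the file system.
    st = os.stat(path)
    return st.st_uid, st.st_mode

def audit_modules(paths, lookup=real_lookup):
    # Map each module path that has at least one problem to its problem list.
    report = {}
    for path in paths:
        problems = check_module(*lookup(path))
        if problems:
            report[path] = problems
    return report

# Constructed sample standing in for os.stat on a Solaris 9 module directory:
# a stock module installed correctly, a site module with the wrong owner and
# group-writable bits, and a root-owned module left at 755.
SAMPLE_STAT = {
    "/usr/lib/security/sparcv9/pam_unix.so.1":  (0,   stat.S_IFREG | 0o555),
    "/usr/lib/security/sparcv9/pam_site.so.1":  (100, stat.S_IFREG | 0o775),
    "/usr/lib/security/sparcv9/pam_other.so.1": (0,   stat.S_IFREG | 0o755),
}

def audit_sample():
    # Run the audit offline against the constructed directory listing.
    return audit_modules(sorted(SAMPLE_STAT), lookup=SAMPLE_STAT.__getitem__)
```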
