Pluggable Authentication Methods (System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP))

System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

Pluggable Authentication Methods

By using the PAM framework, you can choose among several authentication services, including pam_unix, pam_krb5, and pam_ldap.

If the per-user authentication method is used, pam_krb5, the strongest authentication service of the three methods listed above, must be enabled. See pam_krb5(5) and the System Administration Guide: Security Services.

The pam_krb5 authentication system may be used even if per-user authentication is not enabled. If proxy or anonymous credential levels are used to access directory server data then restricting access to directory data on a per-user basis is not possible.

Because of its increased flexibility, support of stronger authentication methods, and ability to use account management, the use of pam_ldap is recommended over the use of pam_unix when anonymous or proxy authentication methods are used.

`pam_unix` Service Modules

If you have not changed the pam.conf(4) file, pam_unix functionality is enabled by default.

Note –

The pam_unix module has been removed and is no longer supported with Solaris. A set of other service modules provides equivalent or greater functionality. Therefore, in this guide, pam_unix refers to the equivalent functionality, not to the pam_unix module itself.

Following is a list of the modules that provide the equivalent pam_unix functionality.

pam_unix follows the traditional model of UNIX authentication, as described in the following list.

The client retrieves the user's encrypted password from the name service.
The user is prompted for the user's password.
The user's password is encrypted.
The client compares the two encrypted passwords to determine whether the user should be authenticated.

Additionally, there are two restrictions when using pam_unix.

The password must be stored in UNIX crypt format and not in any other encryption methods, including clear.
The userPassword attribute must be readable by the name service.

For example, if you set the credential level to anonymous, then anyone must be able to read the userPassword attribute. Similarly, if you set the credential level to proxy, then the proxy user must be able to read the userPassword attribute.

Note –

pam_unix is not compatible with the sasl authentication method digest-MD5, since Sun Java System Directory Server requires passwords to be stored in the clear in order to use digest-MD5. pam_unix requires the password be stored in crypt format.

Note –

pam_unix supports account management when the enableShadowUpdate switch is set to true. The controls for a remote LDAP user account are applied just as the controls are applied to a local user account that is defined in the passwd and shadow files. In enableShadowUpdate mode, for the LDAP account, the system updates and uses the shadow data on the LDAP server for password aging and account locking. Of course, the shadow data of the local account only applies to the local client system, whereas the shadow data of an LDAP user account applies to the user on all client systems.

Password history checking is only supported for the local client, not for an LDAP user account.

`pam_krb5` Service Module

Refer to pam_krb5(5) and the System Administration Guide: Security Services.

`pam_ldap` Service Module

When implementing pam_ldap, the user binds to the LDAP server by using the authentication method defined in pam_ldap's serviceAuthenticationMethod parameter, if one exists. Otherwise, authenticationMethod is used.

If pam_ldap is able to bind to the server with the user's identity and supplied password, it authenticates the user.

Note –

Previously, if you enabled pam_ldap account management, all users needed to provide a login password for authentication any time they logged in to the system. Therefore, nonpassword-based logins using tools such as rsh, rlogin, or ssh would fail.

Now, however, pam_ldap(5), when used with Sun Java System Directory Servers DS5.2p4 and newer releases, enables users to log in with rsh, rlogin, rcp and ssh without giving a password.

pam_ldap(5) is now modified to perform account management and retrieve the account status of users without authenticating to Directory Server as the user logging in. The new control to this on Directory Server is 1.3.6.1.4.1.42.2.27.9.5.8, which is enabled by default.

To modify this control for other than default, add Access Control Instructions (ACI) on Directory Server:

dn: oid=1.3.6.1.4.1.42.2.27.9.5.8,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid:1.3.6.1.4.1.42.2.27.9.5.8
cn:Password Policy Account Usable Request Control
aci: (targetattr != "aci")(version 3.0; acl "Account Usable"; 
     allow (read, search, compare, proxy)
     (groupdn = "ldap:///cn=Administrators,cn=config");)
creatorsName: cn=server,cn=plugins,cn=config
modifiersName: cn=server,cn=plugins,cn=config

pam_ldap does not read the userPassword attribute. Therefore, there is no need to grant access to read the userPassword attribute unless there are other clients using pam_unix. Also, pam_ldap does not support the none authentication method. Thus, you must define the serviceAuthenticationMethod or the authenticationMethod attributes so clients can use pam_ldap. See the pam_ldap(5) man page for more information.

Caution –

If the simple authentication method is used, the userPassword attribute can be read on the wire by third parties.

See Example pam.conf File for pam_ldap.

The following table summarizes the main differences between pam_unix, pam_ldap, and pam_krb5.

Table 9–5 Authentication Behavior in LDAP With pam_unix, pam_ldap, and pam_krb5


	`pam_unix`	`pam_ldap`	`pam_krb5`
Password Sent	Uses `passwd` service authentication method	Uses `passwd` service authentication method	Uses Kerberos single sign on technology, not passwords
New Password Sent	Encrypted	No encryption (unless TLS is used)	Uses Kerberos, no passwords are sent over the wire
New Password Stored	`crypt` format	Password storage scheme defined on Sun Java System Directory Server	Passwords are managed by Kerberos
Requires password read?	Yes	No	No
`sasl/digest-MD5` compatibility after changing password	No. Password is not stored in `clear`. User cannot authenticate.	Yes. As long as default storage scheme is set to `clear`, user can authenticate.	No. `sasl/GSSAPI` is used. There are no passwords over the wire and there are no passwords to be stored in the directory server, except when using a Kerberos kdc that manages its password database in the LDAP directory server.
Password policy supported?	Yes. `enableShadowUpdate` must be set to `true`.	Yes, if so configured.	See pam_krb5(5), Kerberos V5 Account Management Module.

PAM and Changing Passwords

Use the passwd command to change a password. If the enableShadowUpdate switch is not set to true, the userPassword attribute must be writable by the user. If the enableShadowUpdate switch is set to true, the admin credentials must be able to update the userPassword attribute. Remember that the serviceAuthenticationMethod for passwd-cmd overrides the authenticationMethod for this operation. Depending on the authentication method that is used, the current password might be unencrypted on the wire.

In the case of pam_unix, the new userPassword attribute is encrypted using UNIX crypt format and tagged before being written to LDAP. Therefore, the new password is encrypted on the wire, regardless of the authentication method used to bind to the server. See the pam_authtok_store(5) man page for more information.

If the enableShadowUpdate switch is set to true, pam_unix also updates the related shadow information when the user password is changed. pam_unix updates the same shadow fields in the local shadow files that pam_unix updates when the local user password is changed.

As of the Solaris 10 software release, pam_ldap no longer supports password update. The previously recommended use of pam_authtok_store with the server_policy option now replaces the pam_ldap password update capability. When you use pam_authtok_store, the new password is sent to the LDAP server in the clear. Therefore, to ensure privacy, use TLS. If TLS is not used, the new userPassword is subject to snooping. If you set an untagged password with Sun Java System Directory Server, the software encrypts the password by using the passwordStorageScheme attribute. For more information about the passwordStorageScheme, see the section on user account management in the Administration Guide for the version of Sun Java System Directory Server that you are using.

Note –

You need to consider the following configuration issues when setting the passwordStorageScheme attribute. If an NIS, or another client using pam_unix is using LDAP as a repository, then passwordStorageScheme needs to be crypt. Also, if using pam_ldap with sasl/digest-MD5 with Sun Java System Directory Server, passwordStorageScheme must be set to clear.