System Administration Guide: Security Services

PAM (Tasks)

This section discusses some tasks that might be required to make the PAM framework use a particular security policy. You should be aware of some security issues that are associated with the PAM configuration file. For information about the security issues, see Planning for Your PAM Implementation.

PAM (Task Map)

Task	Description	For Instructions
Plan for your PAM installation.	Consider configuration issues and make decisions about them before you start the software configuration process.	Planning for Your PAM Implementation
Add new PAM modules.	Sometimes, site-specific modules must be written and installed to cover requirements that are not part of the generic software. This procedure explains how to install these new PAM modules.	How to Add a PAM Module
Block access through `~/.rhosts`.	Further increase security by preventing access through `~/.rhosts`.	How to Prevent Rhost-Style Access From Remote Systems With PAM
Initiate error logging.	Start the logging of PAM error messages through `syslog`.	How to Log PAM Error Reports

Planning for Your PAM Implementation

As delivered, the pam.conf configuration file implements the standard Solaris security policy. This policy should work in many situations. If you need to implement a different security policy, here are the issues that you should focus on:

Determine what your needs are, especially which PAM service modules you should select.
Identify the services that need special configuration options. Use other if appropriate.
Decide the order in which the modules should be run.
Select the control flag for each module. See How PAM Stacking Works for more information about all of the control flags.
Choose any options that are necessary for each module. The man page for each module should list any special options.

Here are some suggestions to consider before you change the PAM configuration file:

Use other entries for each module type so that every application does not have to be included in /etc/pam.conf.
Make sure to consider the security implications of the binding, sufficient, and optional control flags.
Review the man pages that are associated with the modules. These man pages can help you understand how each module functions, what options are available, and the interactions between stacked modules.

Caution –
If the PAM configuration file is misconfigured or the file becomes corrupted, no user might be able to log in. Because the sulogin command does not use PAM, the root password would then be required to boot the machine into single-user mode and fix the problem.

After you change the /etc/pam.conf file, review the file as much as possible while you still have system access to correct problems. Test all the commands that might have been affected by your changes. An example is adding a new module to the telnet service. In this example, you would use the telnet command and verify that your changes make the service behave as expected.

How to Add a PAM Module

This procedure shows how to add a new PAM module. New modules can be created to cover site-specific security policies or to support third party applications.

Become superuser or assume an equivalent role.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

Determine which control flags and which other options should be used.

Refer to How PAM Stacking Works for information on the control flags.

Ensure that the ownership and permissions are set so that the module file is owned by root and the permissions are 555.

Edit the PAM configuration file, /etc/pam.conf, and add this module to the appropriate services.

Verify that the module has been added properly.

You must test before the system is rebooted in case the configuration file is misconfigured. Login using a direct service, such as ssh, and run the su command, before you reboot the system. The service might be a daemon that is spawned only once when the system is booted. Then, you must reboot the system before you can verify that the module has been added.

How to Prevent Rhost-Style Access From Remote Systems With PAM

Become superuser or assume an equivalent role.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

Remove all of the lines that include rhosts_auth.so.1 from the PAM configuration file.

This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore, this step prevents unauthenticated access to the local system from remote systems. All rlogin access requires a password, regardless of the presence or contents of any ~/.rhosts or /etc/hosts.equiv files.

Disable the rsh service.

To prevent other unauthenticated access to the ~/.rhosts files, remember to disable the rsh service.
# svcadm disable network/shell

How to Log PAM Error Reports

Become superuser or assume an equivalent role.

Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

Configure the /etc/syslog.conf file for the level of logging that you need.

See the syslog.conf(4) for more information about the logging levels.

Refresh the configuration information for the syslog daemon.
# svcadm refresh system/system-log