Changes to PAM for the Solaris 10 OS

A new pam_deny module was added in the Software Express pilot program and enhanced in the Solaris Express 6/04 release. This feature is included in the Solaris 10 3/05 release. The module can be used to deny access to named PAM services. By default, the pam_deny module is not used. For more information, see the pam_deny(5) man page.

The Solaris 10 software includes the following changes to the PAM framework.

• The pam_authtok_check module now allows for strict password checking that uses new tunables in the /etc/default/passwd file. The new tunables define the following:

  • A list of comma-separated dictionary files that are used for checking common dictionary words in a password

  • The minimum differences that are required between a new password and an old password

  • The minimum number of alphabetic and nonalphabetic characters that must be used in a new password

  • The minimum number of uppercase and lowercase letters that must be used in a new password

  • The number of allowable consecutive repeating characters

  • The number of digits that must be used in the new password

  • Whether whitespaces are allowed in the new password

• The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES tunable in /etc/security/policy.conf and the lock_after-retries key in /etc/user_attr.

• A new binding control flag has been defined. If the PAM module is successful and no preceding modules that are flagged as required have failed, then PAM skips the remaining modules and the authentication request succeeds. However, if a failure is returned, PAM records a required failure and then continues processing the stack. This control flag is documented in the pam.conf(4) man page.

• The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules are new in the Solaris 9 system. Here is a list of the replacement modules:

  • pam_authtok_check

  • pam_authtok_get

  • pam_authtok_store

  • pam_dhkeys

  • pam_passwd_auth

  • pam_unix_account

  • pam_unix_auth

  • pam_unix_cred

  • pam_unix_session

• The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.

• Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache by using the PAM framework. See Kerberos Enhancements.