PAM (Tasks)

This section discusses some tasks that might be required to make the PAM framework use a particular security policy. You should be aware of some security issues that are associated with the PAM configuration files. For information about the security issues, see Planning for Your PAM Implementation.

PAM (Task Map)

Planning for Your PAM Implementation

As delivered, the PAM configuration implements the standard security policy. This policy should work in many situations. If you need to implement a different security policy, here are the issues that you should focus on:

• Determine what your needs are, especially which PAM service modules you should select.

• Identify the services that need special configuration options. Use the service name other to provide defaults for services, if appropriate.

• Decide the order in which the modules should be run.

• Select the control flag for each module. See How PAM Stacking Works for more information about all of the control flags.

• Choose any options that are necessary for each module. The man page for each module should list any special options.

Here are some suggestions to consider before you change the PAM configuration:

• Use service name other entries for each module type so that every application does not have to be included in the PAM configuration.

• Make sure to consider the security implications of the control flags.

• Review the man pages that are associated with the modules. These man pages can help you understand how each module functions, what options are available, and the interactions between stacked modules.

  ---

  Caution - If the PAM configuration is misconfigured or becomes corrupted, no user might be able to log in. Because the sulogin command does not use PAM, the root password would then be required to boot the machine into single-user mode and fix the problem.

  ---

  After you change the PAM configuration, review the changes as much as possible while you still have system access to correct problems. Test all the commands that might have been affected by your changes.

How to Add a PAM Module

This procedure shows how to add a new PAM module. New modules can be created to cover site-specific security policies or to support third party applications.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

1. Determine which control flags and which options should be used.

   Refer to How PAM Stacking Works for information on the control flags.

2. Ensure that the ownership and permissions are set so that the module file is owned by root and the permissions are 555.
3. Use pfedit to edit an appropriate PAM configuration file and add this module to the appropriate services.

   Changes can be made to either /etc/pam.conf or /etc/pam.d/service.

4. Verify that the module has been added properly.

   You must test in case the configuration file is misconfigured. Login using a direct service, such as ssh, and run the su command.

How to Prevent Rhost-Style Access From Remote Systems With PAM

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

1. Remove all of the lines that include rhosts_auth.so.1 from the PAM configuration files.

   This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore, this step prevents unauthenticated access to the local system from remote systems. All rlogin access requires a password, regardless of the presence or contents of any ~/.rhosts or /etc/hosts.equiv files.

2. Disable the rsh service.

   To prevent unauthenticated access to the system, remember to disable the rsh service.

   # svcadm disable network/shell:default

3. Disable the rlogin service.

   Disable the rlogin service as well, if necessary.

   # svcadm disable network/login:rlogin

How to Log PAM Error Reports

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

1. Determine which system-log service instance is online.

   # svcs system-log
   STATE          STIME    FMRI
   disabled       13:11:55 svc:/system/system-log:rsyslog
   online         13:13:27 svc:/system/system-log:default

   ---

   Note - If the rsyslog service instance is online, modify the rsyslog.conf file.

   ---

2. Configure the /etc/syslog.conf file for the level of logging that you need.

   See the syslog.conf(4) man page for more information about the logging levels. Most PAM error reporting is done to the LOG_AUTH facility.

3. Refresh the configuration information for the system-log service.

   # svcadm refresh system-log:default

   ---

   Note - Refresh the system-log:rsyslog service instance if the rsyslog service is online.

   ---

How to Assign a Customized PAM Policy to a User

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

1. Create a new PAM policy configuration file.

   See the comments in the text below for a description of the effects of the file.

   # cat /etc/opt/pam_policy/custom-config
   #
   # PAM configuration which uses UNIX authentication for console logins,
   # LDAP for SSH keyboard-interactive logins, and denies telnet logins.
   #
   login auth requisite          pam_authtok_get.so.1
   login auth required           pam_dhkeys.so.1
   login auth required           pam_unix_auth.so.1
   login auth required           pam_unix_cred.so.1
   login auth required           pam_dial_auth.so.1
   #
   sshd-kbdint  auth requisite          pam_authtok_get.so.1
   sshd-kbdint  auth binding            pam_unix_auth.so.1 server_policy
   sshd-kbdint  auth required           pam_unix_cred.so.1
   sshd-kbdint  auth required           pam_ldap.so.1
   #
   telnet    auth     requisite    pam_deny.so.1
   telnet    account  requisite    pam_deny.so.1
   telnet    session  requisite    pam_deny.so.1
   telnet    password requisite    pam_deny.so.1

2. Check the file permissions on the new file.

   The file must be owned by root and can not be group or world writable.

   # ls -l /etc/opt/pam_policy
   total 5
   -r--r--r--   1 root         4570 Jun 21 12:08 custom-config

3. Assign the new PAM policy to a user.

   The custom-config file in /etc/opt/pam_policy is assigned to the user named jill.

   # useradd -K pam_policy=/etc/opt/pam_policy/custom-config jill

How to Assign a New Rights Policy to All Users

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

1. Create a new rights policy.

   In this example, the ldap PAM policy is used.

   # profiles -p "PAM Per-User Policy of LDAP" \
         'set desc="Profile which sets pam_policy=ldap";
          set pam_policy=ldap; exit;'

2. Assign the new rights profile to all users.

   Use pfedit to add the new policy to the PROFS_GRANTED declaration.

   # cat /etc/security/policy.conf
     .
     .
   
   AUTHS_GRANTED=
   PROFS_GRANTED=Basic Solaris User,PAM Per-User Policy of LDAP
   CONSOLE_USER=Console User

Example 14-1 Assigning a Rights Profile to a User

If a profile has been created as in step 1 in the previous procedure, that rights profile can be assigned to a user using the following command:

# usermod -P +"PAM Per-User Policy of LDAP" jill