JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: Security Services
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Controlling Access to Devices (Tasks)

5.  Using the Basic Audit Reporting Tool (Tasks)

6.  Controlling Access to Files (Tasks)

7.  Using the Automated Security Enhancement Tool (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Role-Based Access Control (Reference)

11.  Privileges (Tasks)

12.  Privileges (Reference)

Part IV Oracle Solaris Cryptographic Services

13.  Oracle Solaris Cryptographic Framework (Overview)

14.  Oracle Solaris Cryptographic Framework (Tasks)

15.  Oracle Solaris Key Management Framework

Part V Authentication Services and Secure Communication

16.  Using Authentication Services (Tasks)

17.  Using PAM

PAM (Overview)

Benefits of Using PAM

Introduction to the PAM Framework

Changes to PAM for the Solaris 10 Release

PAM (Tasks)

PAM (Task Map)

Planning for Your PAM Implementation

How to Add a PAM Module

How to Prevent Rhost-Style Access From Remote Systems With PAM

How to Log PAM Error Reports

PAM Configuration (Reference)

PAM Configuration File Syntax

How PAM Stacking Works

PAM Stacking Example

18.  Using SASL

19.  Using Solaris Secure Shell (Tasks)

20.  Solaris Secure Shell (Reference)

Part VI Kerberos Service

21.  Introduction to the Kerberos Service

22.  Planning for the Kerberos Service

23.  Configuring the Kerberos Service (Tasks)

24.  Kerberos Error Messages and Troubleshooting

25.  Administering Kerberos Principals and Policies (Tasks)

26.  Using Kerberos Applications (Tasks)

27.  The Kerberos Service (Reference)

Part VII Oracle Solaris Auditing

28.  Oracle Solaris Auditing (Overview)

29.  Planning for Oracle Solaris Auditing

30.  Managing Solaris Auditing (Tasks)

31.  Solaris Auditing (Reference)

Glossary

Index

PAM (Tasks)

This section discusses some tasks that might be required to make the PAM framework use a particular security policy. You should be aware of some security issues that are associated with the PAM configuration file. For information about the security issues, see Planning for Your PAM Implementation.

PAM (Task Map)

Task
Description
For Instructions
Plan for your PAM installation.
Consider configuration issues and make decisions about them before you start the software configuration process.
Add new PAM modules.
Sometimes, site-specific modules must be written and installed to cover requirements that are not part of the generic software. This procedure explains how to install these new PAM modules.
Block access through ~/.rhosts.
Further increase security by preventing access through ~/.rhosts.
Initiate error logging.
Start the logging of PAM error messages through syslog.

Planning for Your PAM Implementation

As delivered, the pam.conf configuration file implements the standard security policy. This policy should work in many situations. If you need to implement a different security policy, here are the issues that you should focus on:

Here are some suggestions to consider before you change the PAM configuration file:

How to Add a PAM Module

This procedure shows how to add a new PAM module. New modules can be created to cover site-specific security policies or to support third party applications.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

  2. Determine which control flags and which other options should be used.

    Refer to How PAM Stacking Works for information on the control flags.

  3. Ensure that the ownership and permissions are set so that the module file is owned by root and the permissions are 555.
  4. Edit the PAM configuration file, /etc/pam.conf, and add this module to the appropriate services.
  5. Verify that the module has been added properly.

    You must test before the system is rebooted in case the configuration file is misconfigured. Login using a direct service, such as ssh, and run the su command, before you reboot the system. The service might be a daemon that is spawned only once when the system is booted. Then, you must reboot the system before you can verify that the module has been added.

How to Prevent Rhost-Style Access From Remote Systems With PAM

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

  2. Remove all of the lines that include rhosts_auth.so.1 from the PAM configuration file.

    This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore, this step prevents unauthenticated access to the local system from remote systems. All rlogin access requires a password, regardless of the presence or contents of any ~/.rhosts or /etc/hosts.equiv files.

  3. Disable the rsh service.

    To prevent other unauthenticated access to the ~/.rhosts files, remember to disable the rsh service.

    # svcadm disable network/shell

How to Log PAM Error Reports

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).

  2. Configure the /etc/syslog.conf file for the level of logging that you need.

    See the syslog.conf(4) for more information about the logging levels.

  3. Refresh the configuration information for the syslog daemon.
    # svcadm refresh system/system-log