NAME | SYNOPSIS | DESCRIPTION | Authentication Module Management | Account Management Module | Password Management Module | ATTRIBUTES | SEE ALSO | NOTES
/usr/lib/security/pam_tsol.so.1
The Trusted Solaris service module for PAM, /usr/lib/security/pam_tsol.so.1, provides functionality for three PAM modules: authentication, account management, and password management. The pam_tsol.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.
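The following is an added example, not part of the original manual page. It reports which stacks in a pam.conf-style file would run without pam_tsol.so.1, and therefore without the checks described on this page. It assumes the usual pam.conf column layout (service, module type, control flag, module path, options), fallback to the "other" service, and a site policy that every service's auth and account stacks load the module. The sample file and the pam_example.so.1 name are constructed.

```python
"""Report which PAM stacks in a pam.conf-style file load pam_tsol.so.1."""
import posixpath
from collections import defaultdict

MODULE = "pam_tsol.so.1"
TYPES = ("auth", "account", "password")  # the three types pam_tsol.so.1 serves

# Constructed sample, not taken from a real system. Only pam_tsol.so.1 comes
# from the page; pam_example.so.1 is a placeholder module name.
SAMPLE = """\
# service  type      control   module_path                         options
login      auth      required  /usr/lib/security/pam_example.so.1
login      auth      required  /usr/lib/security/pam_tsol.so.1
login      account   required  /usr/lib/security/pam_tsol.so.1
ftp        auth      required  /usr/lib/security/pam_example.so.1
ftp        account   required  /usr/lib/security/pam_example.so.1
other      auth      required  /usr/lib/security/pam_tsol.so.1
other      account   required  /usr/lib/security/pam_tsol.so.1
other      password  required  /usr/lib/security/pam_tsol.so.1
"""

def parse(text):
    """Return {service: {module_type: [module basename, ...]}}."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 4:
            continue                            # blank, comment-only or malformed
        service, mtype = fields[0].lower(), fields[1].lower()
        stacks[service][mtype].append(posixpath.basename(fields[3]))
    return stacks

def missing_tsol(text, required=("auth", "account")):
    """List (service, type) stacks that would run without pam_tsol.so.1."""
    stacks = parse(text)
    gaps = []
    for service in sorted(stacks):
        for mtype in required:
            # Assumption: a service with no entries of a type uses "other".
            stack = stacks[service].get(mtype) or stacks["other"].get(mtype, [])
            if MODULE not in stack:
                gaps.append((service, mtype))
    return gaps

if __name__ == "__main__":
    for service, mtype in missing_tsol(SAMPLE):
        print(f"{service}: {mtype} stack does not load {MODULE}")
```

In the constructed sample, the ftp service defines its own auth and account stacks without the module, so neither the role-login check nor the account checks would run for it; its password stack is covered only through the "other" fallback.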
The Trusted Solaris authentication management component provides a function to verify the identity of a user, pam_sm_authenticate(). This function provides an additional check for role authentication: it prevents direct role logins and indirect role logins from nontrusted clients.
The following options may be passed to pam_sm_authenticate():
Indicates that the service is a secondary login.
Passes the information that the trusted path is set in the remote client process.
The Trusted Solaris account management component provides a function to perform account management, pam_sm_acct_mgmt(). The function checks whether the user's account is locked, and if it is locked, pam_sm_acct_mgmt() denies access. It also checks whether the account is disabled and, if so, checks whether the user is authorized to enable logins. If the user is authorized, it converses with the user and allows or disallows the user to log in, and enables or does not enable the account. It checks for the allowed label range for the user, and also checks whether the user is authorized for remote logins.
The following options may be passed to pam_sm_acct_mgmt():
Enforce label range check for PAM_USER.
Enforce authorization checks for PAM_USER.
Do not check whether logins are enabled.
The Trusted Solaris password management component provides a function, pam_sm_chauthtok(), to change passwords in the UNIX password database.
The following options may be passed to pam_sm_chauthtok():
Use the randomword generator in the system to generate password lists. A pluggable randomword function library could be installed in /usr/lib/security/pam_rw.so.
See attributes(5) for a description of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
MT Level | MT-Safe with exceptions |
The interfaces in libpam() are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.