pam_tsol(5)

NAME | SYNOPSIS | DESCRIPTION | Authentication Module Management | Account Management Module | Password Management Module | ATTRIBUTES | SEE ALSO | NOTES

NAME

pam_tsol- Authentication, account, and password management PAM modules for Trusted Solaris

SYNOPSIS

/usr/lib/security/pam_tsol.so.1 

DESCRIPTION

The Trusted Solaris service module for PAM, /usr/lib/security/pam_tsol.so.1, provides functionality for three PAM modules: authentication, account management, and password management. The pam_tsol.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

Authentication Module Management

The Trusted Solaris authentication management component provides a function to verify the identity of a user, (pam_sm_authenticate()). This provides an additional check for role authentication. It prevents direct role logins and indirect role logins from nontrusted clients.

The following options may be passed to pam_sm_authenticate():

secondary_login

Indicates that the service is a secondary login.

trustedpath

Passes the information that the trusted path is set in the remote client process.

Account Management Module

The Trusted Solaris account management component provides a function to perform account management, pam_sm_acct_mgmt(). The function checks whether the users account is locked, and if it is locked, pam_sm_acct_mgmt() denies access. It also checks whether the account is disabled and if so, checks whether the user is authorized to enable logins. If the user is authorized, it converses with the user and allows or disallows the user to log in, and enables or does not enable the account. It checks for the allowed label range for the user, and also checks whether the user is authorized for remote logins.

The following options may be passed to pam_sm_acct_mgmt():

label_check_on

Enforce label range check for PAM_USER.

auth_check_on

Enforce authorization checks for PAM_USER.

enable_check_off

Do not check whether logins are enabled.

Password Management Module

The Trusted Solaris password management component provides a function, pam_sm_chauth_tok(), to change passwords, in the UNIX password database.

The following options may be passed to pam_sm_chauth_tok():

enable_randomword

Use the randomword generator in the system to generate password lists. A pluggable randomword function library could be installed in /usr/lib/security/pam_rw.so.

ATTRIBUTES

See attributes(5) for description of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
MT Level	MT-Safe with exceptions

SEE ALSO

Trusted Solaris 8 4/01 Reference Manual

pam_tp_auth(5)

SunOS 5.8 Reference Manual

keylogin(1), pam(3PAM), pam_authenticate(3PAM), pam_setcred(3PAM), libpam(4), pam.conf(4), attributes(5)

NOTES

The interfaces in libpam() are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

NAME | SYNOPSIS | DESCRIPTION | Authentication Module Management | Account Management Module | Password Management Module | ATTRIBUTES | SEE ALSO | NOTES