Planning for Your PAM Implementation

As delivered, the pam.conf configuration file implements the standard Solaris security policy. This policy should work in many situations. If you need to implement a different security policy, here are the issues that you should focus on:

• Determine what your needs are, especially which PAM service modules you should select.

• Identify the services that need special configuration options. Use other if appropriate.

• Decide the order in which the modules should be run.

• Select the control flag for each module. See How PAM Stacking Works for more information about all of the control flags.

• Choose any options that are necessary for each module. The man page for each module should list any special options.

Here are some suggestions to consider before you change the PAM configuration file:

• Use other entries for each module type so that every application does not have to be included in /etc/pam.conf.

• Make sure to consider the security implications of the binding, sufficient, and optional control flags.

• Review the man pages that are associated with the modules. These man pages can help you understand how each module functions, what options are available, and the interactions between stacked modules.

  ---

  Caution –

  If the PAM configuration file is misconfigured or the file becomes corrupted, no user might be able to log in. Because the sulogin command does not use PAM, the root password would then be required to boot the machine into single-user mode and fix the problem.

  ---

  After you change the /etc/pam.conf file, review the file as much as possible while you still have system access to correct problems. Test all the commands that might have been affected by your changes. An example is adding a new module to the telnet service. In this example, you would use the telnet command and verify that your changes make the service behave as expected.