Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library

PAM (Tasks)

This section discusses some tasks that might be required to make the PAM framework use a particular security policy. You should be aware of some security issues that are associated with the PAM configuration file. For information about the security issues, see Planning for Your PAM Implementation.

PAM (Task Map)

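Task: Plan for your PAM installation.
Description: Consider configuration issues and make decisions about them before you start the software configuration process.
For Instructions: Planning for Your PAM Implementation

Task: Add new PAM modules.
Description: Sometimes, site-specific modules must be written and installed to cover requirements that are not part of the generic software. This procedure explains how to install these new PAM modules.
For Instructions: How to Add a PAM Module

Task: Block access through ~/.rhosts.
Description: Further increase security by preventing access through ~/.rhosts.
For Instructions: How to Prevent Rhost-Style Access From Remote Systems With PAM

Task: Initiate error logging.
Description: Start the logging of PAM error messages through syslog.
For Instructions: How to Log PAM Error Reports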

Planning for Your PAM Implementation

As delivered, the pam.conf configuration file implements the standard security policy. This policy should work in many situations. If you need to implement a different security policy, here are the issues that you should focus on:

Here are some suggestions to consider before you change the PAM configuration file:

How to Add a PAM Module

This procedure shows how to add a new PAM module. New modules can be created to cover site-specific security policies or to support third-party applications.

  1. Become an administrator.

    For more information, see How to Obtain Administrative Rights.

  2. Determine which control flags and which other options should be used.

    Refer to How PAM Stacking Works for information on the control flags.

  3. Ensure that the ownership and permissions are set so that the module file is owned by root and the permissions are 555.
  4. Edit the PAM configuration file, /etc/pam.conf, and add this module to the appropriate services.
  5. Verify that the module has been added properly.

    You must test before the system is rebooted in case the configuration file is misconfigured. Log in using a direct service, such as ssh, and run the su command before you reboot the system. If the service is a daemon that is spawned only once when the system is booted, you must reboot the system before you can verify that the module has been added.

How to Prevent Rhost-Style Access From Remote Systems With PAM

  1. Become an administrator.

    For more information, see How to Obtain Administrative Rights.

  2. Remove all of the lines that include from the PAM configuration file.

    This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore, this step prevents unauthenticated access to the local system from remote systems. All rlogin access requires a password, regardless of the presence or contents of any ~/.rhosts or /etc/hosts.equiv files.

  3. Disable the rsh service.

    To prevent other unauthenticated access to the ~/.rhosts files, remember to disable the rsh service.

    # svcadm disable network/shell
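
The following script is an added example, not part of the Oracle guide. It audits a file in pam.conf format against two procedures on this page: the module type, control flag, root ownership and 555 mode checked when adding a module, and any active entries that still allow ~/.rhosts authentication. The function name, the /usr/lib/security default directory and the module name pam_rhosts_auth.so.1 are assumptions that are not stated on this page.

```sh
#!/bin/sh
# Added example (not Oracle's code): audit a pam.conf-format file.
# Usage: audit_pam_conf CONF [MODULE_DIR] [OWNER_UID]
# Prints one line per finding; returns 0 only when there are none.
# Assumptions: relative module names are looked up in MODULE_DIR, and
# pam_rhosts_auth.so.1 is the module that consults ~/.rhosts.
audit_pam_conf() {
    conf=$1 dir=${2:-/usr/lib/security} want_uid=${3:-0} rc=0
    while read -r svc type flag mod opts || [ -n "$svc" ]; do
        case $svc in ''|'#'*) continue ;; esac     # blank line or comment
        case $type in
            auth|account|session|password) ;;
            *) echo "$svc: unknown module type '$type'"; rc=1; continue ;;
        esac
        case $flag in
            include) continue ;;                   # names a file, not a module
            binding|definitive|optional|required|requisite|sufficient) ;;
            *) echo "$svc: unknown control flag '$flag'"; rc=1; continue ;;
        esac
        case $mod in *rhosts_auth*)
            echo "$svc: $mod still allows ~/.rhosts authentication"; rc=1 ;;
        esac
        case $mod in /*) path=$mod ;; *) path=$dir/$mod ;; esac
        if [ ! -f "$path" ]; then
            echo "$svc: module not found: $path"; rc=1; continue
        fi
        # ls -lnL prints the mode string first and the numeric owner third.
        set -- $(ls -lnL "$path")
        case $1 in
            -r-xr-xr-x*) ;;                        # exactly mode 555
            *) echo "$svc: $path mode is $1, want -r-xr-xr-x (555)"; rc=1 ;;
        esac
        [ "$3" = "$want_uid" ] ||
            { echo "$svc: $path owned by uid $3, want $want_uid"; rc=1; }
    done < "$conf"
    return $rc
}
```

Run audit_pam_conf /etc/pam.conf after editing the file and before you log out of the administrative session, so that a bad entry can still be corrected.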

How to Log PAM Error Reports

  1. Become an administrator.

    For more information, see How to Obtain Administrative Rights.

  2. Configure the /etc/syslog.conf file for the level of logging that you need.

    See the syslog.conf(4) man page for more information about the logging levels.

  3. Refresh the configuration information for the syslog daemon.

    # svcadm refresh system/system-log