Developer's Guide to Oracle® Solaris 11 Security

Exit Print View

Updated: July 2014

PAM Service Modules

A PAM service module is a shared library that provides authentication and other security services to system entry applications such as login, rlogin, and telnet.

    The four types of PAM services are:

  • Authentication service modules – For granting users access to an account or service. Modules that provide this service authenticate users and set up user credentials.

  • Account management modules – For determining whether the current user's account is valid. Modules that provide this service can check password or account expiration and time-restricted access.

  • Session management modules – For setting up and terminating login sessions.

  • Password management modules – For enforcing password strength rules and performing authentication token updates.

A PAM module can implement one or more of these services. The use of simple modules with well-defined tasks increases configuration flexibility. PAM services should thus be implemented in separate modules. The services can then be used as needed as defined in the PAM configuration. See pam.conf(4).

For example, the Oracle Solaris OS provides the pam_authtok_check(5) module for system administrators to configure the site's password policy. The pam_authtok_check(5) module checks proposed passwords for various strength criteria.

For a complete list of Oracle Solaris PAM modules, see man pages section 5: Standards, Environments, and Macros. The PAM modules have the prefix pam_.

Changes to PAM Modules in This Release

The Oracle Solaris 11.1 release provides a new PAM module pam_user_policy(5) that adds support for per-user PAM configuration. This module calls the pam_eval(3PAM) function to evaluate a named PAM configuration. The pam_eval() routine in the PAM librarylibpam(3LIB), is also new to Oracle Solaris 11.1.