Updated: July 2014

Configuring PAM Through /etc/pam.d

Starting with the Oracle Solaris 11.1 release, PAM can also be configured through per-service PAM policy files in the /etc/pam.d directory, in addition to the pam.conf file.

The /etc/pam.d directory contains files named using the value of PAM_SERVICE. For example, /etc/pam.d/telnet is the file to read for the telnet service. The syntax of the /etc/pam.d files is identical to that of /etc/pam.conf, except that the first column of /etc/pam.conf, which is the service name, is omitted.

Configuring PAM with the /etc/pam.d files has the following advantages:

  • A mistake in a per-service PAM policy file only affects that service.

  • Adding new PAM services is simple because it requires only creating a file in /etc/pam.d.

  • Interoperability with cross-platform PAM applications is improved, because many other PAM implementations, such as Linux-PAM and OpenPAM, support /etc/pam.d.

  • System administrators can also customize the security policy of their site by overlaying any vendor-supplied /etc/pam.d files.

The PAM configuration for a service is searched for in the following order:

  1. /etc/pam.conf, for a named service entry

  2. /etc/pam.d/servicename

  3. /etc/pam.conf, for any other entry

  4. /etc/pam.d/other

This search order ensures that any customizations made to the /etc/pam.conf file are preserved when the system is upgraded via pkg(5) and that the policy is still active.
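The following Python sketch walks the four-step search order above and reports which file supplies the policy for a service, which is useful when auditing whether a leftover /etc/pam.conf entry is shadowing a file in /etc/pam.d. It is an added example, not Oracle's code. The function names are hypothetical, the sample policy lines used with it are constructed, and it assumes matching at the service level only, without modelling per-module-type lookup or line continuations.

```python
import os, tempfile

def conf_entries(conf_text, service):
    """pam.conf lines for `service` with the service column dropped,
    which is exactly the /etc/pam.d syntax. Comment lines never match."""
    out = []
    for line in conf_text.splitlines():
        fields = line.strip().split(None, 1)
        if len(fields) == 2 and fields[0] == service:
            out.append(fields[1])
    return out

def pamd_entries(pamd_dir, service):
    """Non-comment lines of <pamd_dir>/<service>, or [] if the file is absent."""
    path = os.path.join(pamd_dir, service)
    if not os.path.isfile(path):
        return []
    with open(path) as fh:
        return [l.strip() for l in fh if l.strip() and not l.lstrip().startswith("#")]

def resolve(service, root="/"):
    """Return (source, entries) for the first step of the search order that matches."""
    # PAM_SERVICE becomes a file name, so refuse anything that could leave pam.d.
    if not service or "/" in service or service in (".", ".."):
        raise ValueError("service name must be a plain file name")
    conf = os.path.join(root, "etc", "pam.conf")
    pamd = os.path.join(root, "etc", "pam.d")
    text = ""
    if os.path.isfile(conf):
        with open(conf) as fh:
            text = fh.read()
    steps = [
        ("/etc/pam.conf [" + service + "]", lambda: conf_entries(text, service)),
        ("/etc/pam.d/" + service, lambda: pamd_entries(pamd, service)),
        ("/etc/pam.conf [other]", lambda: conf_entries(text, "other")),
        ("/etc/pam.d/other", lambda: pamd_entries(pamd, "other")),
    ]
    for source, lookup in steps:
        entries = lookup()
        if entries:
            return source, entries
    return None, []

def make_sample(pam_conf, pamd_files):
    """Build a throwaway root holding constructed sample policy files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc", "pam.d"))
    with open(os.path.join(root, "etc", "pam.conf"), "w") as fh:
        fh.write(pam_conf)
    for name, body in pamd_files.items():
        with open(os.path.join(root, "etc", "pam.d", name), "w") as fh:
            fh.write(body)
    return root
```

Calling `resolve("telnet")` on a live system reads the real files under `/`; pass a `root` built with `make_sample` to try the search order against test data.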

