Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

Planning a Site-Specific PAM Configuration

    As delivered, the PAM configuration implements a standard security policy that covers system services that require authentication, such as login and ssh. If you need to implement a different security policy for some system services or create a policy for third-party applications, consider the following issues:

  • Determine that the provided configuration files do not satisfy your requirements.

    Test the default configuration. Test the per-user files in the /etc/security/pam_policy directory. Test whether the default service name other handles your requirements. PAM Stacking Example steps you through the other stack.

  • Identify any service names whose stack needs modification. For an example of modifying a service name's PAM stack, see How to Create a Site-Specific PAM Configuration File.

  • For any third-party application that is coded to use the PAM framework, determine the PAM service names that the application uses.

  • For each service name, determine which PAM modules to use.

    Review the section 5 man pages for the PAM modules. These man pages describe how each module functions, what options are available, and the interactions between stacked modules. For a brief summary of selected modules, see PAM Service Modules. PAM modules are also available from outside sources.

  • Per service name, decide the order in which to run the modules.

  • Select the control flag for each module. For more information about control flags, see PAM Stacking. Note that the control flags can have security implications.

    For a visual representation, see Figure 1–2 and Figure 1–3.

  • Choose the options that are necessary for each module. The man page for each module lists the options that are available for that module.

  • Test the use of the application with the PAM configuration. Test as the root role, other roles, privileged users, and regular users. If some users are not permitted to use the application, test that the configuration denies those users.
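The control-flag and testing steps above are easy to get wrong by hand. The following checker is an added example, not part of the Oracle documentation: it reads a site-specific /etc/pam.d/<service> file, validates the module types and control flags, warns when a required-class entry is stacked after a sufficient or binding entry (which end the stack on success, so the later entry may never run), and warns when a stack has no required-class entry at all. The function name pam_lint and the sample files are assumptions of the example.

```shell
#!/bin/sh
# pam_lint: sanity-check a Solaris-style PAM service file (/etc/pam.d/<service>,
# lines of the form "type control-flag module [options]") before installing it.
# Prints one finding per line; returns 0 when clean, 1 when anything was found.
pam_lint() {
    file=$1 n=0 lineno=0
    types_seen=" " strong=" " short=" "
    set -f                                # no globbing while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- $line
        case "${1:-}" in ''|\#*) continue ;; esac   # blank line or comment
        type=$1 flag=${2:-} module=${3:-}
        case "$type" in
            auth|account|session|password) ;;
            *) echo "$file:$lineno: unknown module type '$type'"; n=$((n + 1)); continue ;;
        esac
        case "$flag" in
            binding|definitive|include|optional|required|requisite|sufficient) ;;
            *) echo "$file:$lineno: unknown control flag '$flag'"; n=$((n + 1)); continue ;;
        esac
        [ -n "$module" ] || { echo "$file:$lineno: missing module name"; n=$((n + 1)); continue; }
        case "$types_seen" in *" $type "*) ;; *) types_seen="$types_seen$type " ;; esac
        case "$flag" in
            required|requisite|binding|definitive|include)
                # sufficient and binding return success as soon as they pass, so an
                # entry stacked after them in the same type is skipped on that path.
                # definitive is not treated as short-circuiting here: the delivered
                # stacks put pam_user_policy.so.1 (definitive) ahead of required entries.
                case "$short" in *" $type "*)
                    echo "$file:$lineno: $flag entry follows a sufficient/binding entry in the $type stack and may never run"
                    n=$((n + 1)) ;;
                esac
                strong="$strong$type " ;;
        esac
        case "$flag" in sufficient|binding) short="$short$type " ;; esac
    done < "$file"
    set +f
    # Without a required-class entry, nothing in that stack is mandatory: review it.
    for t in $types_seen; do
        case "$strong" in *" $t "*) ;; *)
            echo "$file: $t stack has no required/requisite/binding/definitive entry"
            n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}
# Usage: sh pam_lint.sh /etc/pam.d/login  (argument is whichever file you are reviewing)
if [ $# -gt 0 ]; then pam_lint "$1"; fi
```

Run it against each service file you modify before testing as the roles and users listed above; a clean exit status only means the stack is internally consistent, not that the policy is the one you intended.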