Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Create a Site-Specific PAM Configuration File

In the default configuration, the ssh and telnet entry services are covered by the other service name. The PAM configuration file in this procedure changes the requirements for ssh and telnet.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Create a new PAM policy configuration file.

    Use the pfedit command to create the file. Place the file in a site configuration directory such as /opt. You can also place it in the /etc/security/pam_policy directory.

    Note - Do not modify existing files in the /etc/security/pam_policy directory.

    Include explanatory comments in the file.

    # pfedit /opt/local_pam/ssh-telnet-conf
    # PAM configuration which uses UNIX authentication for console logins,
    # (see pam.d/login), and LDAP for SSH keyboard-interactive logins
    # This stack explicitly denies telnet logins.
    sshd-kbdint  auth requisite
    sshd-kbdint  auth binding   server_policy
    sshd-kbdint  auth required 
    sshd-kbdint  auth required 
    telnet	auth     requisite
    telnet	account  requisite
    telnet	session  requisite
    telnet	password requisite
  2. Protect the file.

    Protect the file with root ownership and 444 permissions.

    # ls -l /opt/local_pam
    total 5
    -r--r--r--   1 root         4570 Jun 21 12:08 ssh-telnet-conf
  3. Assign the policy.

    See How to Assign a Modified PAM Policy.
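Before a file like ssh-telnet-conf is assigned with pam_policy=, it is worth checking that every entry is complete and that step 2's protection is in place, because a truncated or malformed stack line can change what a service accepts. The following is an added example, not code from the Oracle manual: the two check functions and their names are this page's own, the policy file they read is a constructed sample in the same layout as the procedure's, and the module names in it are standard Solaris PAM modules used only as sample content.

```shell
#!/bin/sh
# Added example (not from the Oracle manual). Sanity-checks a site-specific
# PAM policy file before it is assigned with useradd -K pam_policy=...
# Assumes POSIX sh, a POSIX awk (on Solaris, /usr/xpg4/bin/awk) and the
# usual "ls -l" column layout.

# Return 0 when every non-comment line of $1 has the fields a policy entry
# needs (service, module type, control flag, module path [options]) and the
# type and flag are ones pam.conf(5) accepts; offending lines go to stderr.
pam_policy_syntax_ok() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF < 4 { fail("needs service, type, flag and module path"); next }
        $2 !~ /^(auth|account|session|password)$/ { fail("bad module type " $2); next }
        $3 !~ /^(requisite|required|binding|sufficient|optional|include)$/ { fail("bad control flag " $3); next }
        $3 != "include" && $4 !~ /\.so(\.[0-9]+)?$/ { fail("module path " $4 " is not a .so"); next }
        function fail(msg) { bad++; print FILENAME ": line " NR ": " msg ": " $0 > "/dev/stderr" }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Return 0 when $1 is owned by $2 (default root) and is mode 444, as the
# protection step of the procedure requires. The mode field may carry a
# trailing + or . for ACLs, so only its first ten characters are compared.
pam_policy_perms_ok() {
    ls -ld "$1" | awk -v owner="${2:-root}" \
        '{ exit (substr($1, 1, 10) == "-r--r--r--" && $3 == owner) ? 0 : 1 }'
}

# Constructed sample in the same layout as the procedure's ssh-telnet-conf.
demo=$(mktemp -d) || exit 1
trap 'rm -rf "$demo"' EXIT
cat > "$demo/ssh-telnet-conf" <<'EOF'
# constructed sample: LDAP for SSH keyboard-interactive logins, deny telnet
sshd-kbdint  auth     requisite  pam_authtok_get.so.1
sshd-kbdint  auth     binding    pam_ldap.so.1 server_policy
telnet       auth     requisite  pam_deny.so.1
telnet       account  requisite  pam_deny.so.1
telnet       session  requisite  pam_deny.so.1
telnet       password requisite  pam_deny.so.1
EOF
chmod 444 "$demo/ssh-telnet-conf"
# The manual requires root ownership; the demo checks against the current user.
if pam_policy_syntax_ok "$demo/ssh-telnet-conf" &&
   pam_policy_perms_ok "$demo/ssh-telnet-conf" "$(id -un)"; then
    echo "ssh-telnet-conf: OK"
fi
```

On a production system call pam_policy_perms_ok with no second argument so the owner must be root.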

Example 1-1  Using a Modified PAM Stack to Create an Encrypted Home Directory

By default, the pam_zfs_key module is not in the /etc/security/pam_policy/unix file. In this example, the administrator creates a copy of the unix per-user PAM policy that adds the module, then uses the new policy to create users whose home directories are encrypted.

# cp /etc/security/pam_policy/unix /opt/local_pam/unix-encrypt.conf
# pfedit /opt/local_pam/unix-encrypt.conf
other   auth required 
other   auth required 
## pam_zfs_key auto-creates an encrypted home directory
other auth required  create

The administrator uses this policy file when adding users. Note that encryption cannot be added to an existing file system; the file system must be created with encryption turned on. For more information, see the zfs_encrypt(1M) man page.

The administrator creates a user and assigns a password.

# useradd -K pam_policy=/opt/local_pam/unix-encrypt.conf jill
# passwd jill
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
passwd: password successfully changed for jill

Then, the administrator creates the encrypted home directory by logging in as the user.

# su - jill
Password: xxxxxxxx
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation      SunOS 5.11      11.2    July 2014

# logout

For the options to the ZFS service module, see the pam_zfs_key(5) man page.

Finally, the administrator verifies that the new home directory is an encrypted filesystem.

# mount -p | grep ~jill
rpool/export/home/jill - /export/home/jill zfs - no
# zfs get encryption,keysource rpool/export/home/jill
NAME                   PROPERTY    VALUE              SOURCE
rpool/export/home/jill  encryption  on                 local
rpool/export/home/jill  keysource   passphrase,prompt  local