Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Assign a Modified PAM Policy

In this procedure, you configure a non-default PAM policy on all system images. After all files are copied, you can assign the new or modified PAM policy to individual users or to all users.

Before You Begin

You have modified and tested the PAM configuration files that implement the new policy.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2.

  1. Add the non-default PAM files to all system images.

    You must add all new PAM modules and new and modified PAM configuration files to all system images.

    1. First, add any new PAM modules to every system image.
      1. Add the 32-bit PAM module to the architecture-appropriate directory.
      2. Add the 64-bit PAM module to the architecture-appropriate directory.

      For an example of directory setup, see Step 1 in How to Add a PAM Module.

    2. Next, add any new PAM configuration files to every system image.

      For example, add the /opt/local_pam/ssh-telnet-conf file to every system image.

    3. Then, copy any modified PAM configuration files to every system image.

      For example, copy a modified /etc/pam.conf file and any modified /etc/pam.d/service-name files to every system image.

  2. Assign a non-default PAM policy to all users.
    1. Modify the policy.conf file in one of the following ways:
      • Add a PAM configuration file to the PAM_POLICY keyword in the policy.conf file.
        # pfedit /etc/security/policy.conf
        ...
        # PAM_POLICY=
        PAM_POLICY=/opt/local_pam/ssh-telnet-conf
        ...
      • Add a rights profile to the PROFS_GRANTED keyword in the policy.conf file.

        For example, assign the PAM Per-User Policy of Any rights profile from Example 1–3.

        # pfedit /etc/security/policy.conf
        ...
        AUTHS_GRANTED=
        # PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=PAM Per-User Policy of Any,Basic Solaris User
        ...
    2. Copy the modified policy.conf file to every system image.
  3. To assign a non-default PAM policy to individual users, you can assign the policy directly to a user or add the policy to a rights profile that is assigned to users.
    • Assign the PAM policy directly to individual users.
      # usermod -K pam_policy="/opt/local_pam/ssh-telnet-conf" jill
    • Include the PAM policy in a rights profile and assign the profile to individual users.

      This example uses the ldap PAM policy.

      # profiles -p "PAM Per-User Policy of LDAP" \
      'set desc="Profile which sets pam_policy=ldap";
      set pam_policy=ldap; exit;'

      Then assign the rights profile to a user.

      # usermod -P +"PAM Per-User Policy of LDAP" jill
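
The following script is an added example; it is not part of the Oracle documentation or of Oracle Solaris. It checks a policy.conf file before it is copied to every system image: it reads the effective PAM_POLICY keyword, resolves a bare file name against a pam_policy directory (an assumption, made explicit as a parameter, that matches how this page uses pam_policy=ldap and pam_policy=ktelnet-conf), and confirms that the named policy file exists with no write bit set, as the chmod 444 step in Example 1-4 expects. The function names, the scratch directory and the sample policy.conf contents are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the Oracle documentation or of Oracle Solaris.
# Checks that the PAM_POLICY keyword in a policy.conf file names a policy file
# that exists and is not writable, before that policy.conf is copied to every
# system image. Paths are parameters so the check runs against scratch copies.
# Assumption: a PAM_POLICY value without a leading slash is looked up in the
# pam_policy directory passed as the second argument (matching the page's
# pam_policy=ldap and pam_policy=ktelnet-conf usages).

# Effective PAM_POLICY value: last uncommented assignment wins, empty if none.
pam_policy_value() {
    sed -n 's/^[[:space:]]*PAM_POLICY=[[:space:]]*//p' "$1" | tail -n 1
}

# Resolve a policy value to a path; $2 is the pam_policy directory.
pam_policy_path() {
    case "$1" in
        "")  printf '\n' ;;
        /*)  printf '%s\n' "$1" ;;
        *)   printf '%s/%s\n' "$2" "$1" ;;
    esac
}

# Permission bits (columns 2-10 of ls -l) of a file, e.g. "r--r--r--".
file_mode() {
    ls -ld "$1" | cut -c2-10
}

# Return 0 when policy.conf ($1) either sets no PAM_POLICY or points to a
# regular file with no write bit set, as in the chmod 444 step of Example 1-4.
check_pam_policy() {
    conf=$1; dir=$2
    val=$(pam_policy_value "$conf")
    path=$(pam_policy_path "$val" "$dir")
    if [ -z "$path" ]; then
        echo "ok: no PAM_POLICY in $conf, default stacks apply"; return 0
    fi
    if [ ! -f "$path" ]; then
        echo "FAIL: PAM_POLICY=$val but $path is not a regular file"; return 1
    fi
    case "$(file_mode "$path")" in
        *w*) echo "FAIL: $path is writable ($(file_mode "$path")); expected 444"; return 1 ;;
    esac
    echo "ok: PAM_POLICY=$val -> $path, mode $(file_mode "$path")"
}

# Constructed scratch tree: a policy.conf with PAM_POLICY=$1 and, if $2 is
# given, a policy file of that name in the scratch pam_policy directory with
# mode $3. Prints the scratch directory; the caller removes it.
make_scratch() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pampolicy.XXXXXX") || return 1
    mkdir -p "$d/pam_policy"
    printf '# constructed policy.conf\nPROFS_GRANTED=Basic Solaris User\n# PAM_POLICY=\nPAM_POLICY=%s\n' "$1" > "$d/policy.conf"
    if [ -n "$2" ]; then
        printf 'other auth required pam_unix_auth.so.1\n' > "$d/pam_policy/$2"
        chmod "$3" "$d/pam_policy/$2"
    fi
    printf '%s\n' "$d"
}

# Stand-alone run: a read-only policy file, a writable one, and a missing one.
good=$(make_scratch ssh-telnet-conf ssh-telnet-conf 444)
check_pam_policy "$good/policy.conf" "$good/pam_policy"
loose=$(make_scratch ssh-telnet-conf ssh-telnet-conf 644)
check_pam_policy "$loose/policy.conf" "$loose/pam_policy" || :
gone=$(make_scratch /opt/local_pam/missing-conf)
check_pam_policy "$gone/policy.conf" "$gone/pam_policy" || :
rm -rf "$good" "$loose" "$gone"
```

To run it against a real image, pass /etc/security/policy.conf and /etc/security/pam_policy as the two arguments of check_pam_policy; the permission test reads ls output rather than using test -w, so it gives the same answer when run as root.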
Example 1-4  Limiting the ktelnet PAM Stack to Selected Users

The administrator wants to allow only a limited number of users to use telnet in a Kerberos realm. So, before the telnet service is enabled, the administrator places a copy of the default ktelnet file in the pam_policy directory and then changes the ktelnet configuration file in the pam.d directory.

First, the administrator configures a per-user ktelnet file.

# cp /etc/pam.d/ktelnet /etc/security/pam_policy/ktelnet-conf
# pfedit /etc/security/pam_policy/ktelnet-conf
...
# Kerberized telnet service
#
ktelnet  auth required           pam_unix_cred.so.1
ktelnet  auth required           pam_krb5.so.1

The administrator protects the file with 444 permissions.

# chmod 444 /etc/security/pam_policy/ktelnet-conf
# ls -l /etc/security/pam_policy/ktelnet-conf
-r--r--r--   1 root     root         228 Nov 27 15:04 ktelnet-conf

Then, the administrator modifies the ktelnet file in the pam.d directory.

  • The first entry enables per-user assignment.

  • The second entry denies the use of ktelnet unless you are assigned pam_policy=ktelnet by the administrator.

# cp /etc/pam.d/ktelnet /etc/pam.d/ktelnet.orig
# pfedit /etc/pam.d/ktelnet
...
# Denied Kerberized telnet service
#
auth definitive         pam_user_policy.so.1
auth required           pam_deny.so.1

The administrator tests the configuration with a privileged user, a regular user, and the root role. When the configuration passes, the administrator enables the telnet service and assigns the per-user policy to the Kerberos administrators.

# svcadm enable telnet
# rolemod -S ldap -K pam_policy=ktelnet-conf kerbadmin

The administrator copies the modified files to all Kerberos servers, and enables telnet on those servers.
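
The following script is an added example; it is not part of the Oracle documentation or of Oracle Solaris. It audits a PAM service file for the deny-unless-per-user-policy shape that Example 1-4 puts in /etc/pam.d/ktelnet: the auth stack must be exactly pam_user_policy.so.1 with the definitive flag followed by pam_deny.so.1 with the required flag, because any other auth module in that stack would let a user with no pam_policy assignment authenticate through it. The parser goes slightly beyond the example by accepting both layouts that appear on this page: /etc/pam.d/service-name files, which have no service column, and pam.conf-style files such as those under /etc/security/pam_policy, whose first column is the service name. The function names and the three sample files are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the Oracle documentation or of Oracle Solaris.
# Audits a PAM service file for the deny-by-default shape of Example 1-4:
# the auth stack must be exactly "pam_user_policy.so.1 definitive" followed by
# "pam_deny.so.1 required". Handles /etc/pam.d/<service> files (no service
# column) and pam.conf-style files (service column first), e.g. the files
# under /etc/security/pam_policy.

# Print "type flag module" for each active entry of module type $2 in file $1.
# Comments and blank lines are dropped, a leading service column is skipped,
# and the module is reduced to its basename so full library paths also match.
pam_stack() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    awk -v want="$2" '
        function is_type(s) { return s == "auth" || s == "account" || s == "session" || s == "password" }
        {
            if (is_type($1)) { t = $1; f = $2; m = $3 } else { t = $2; f = $3; m = $4 }
            sub(".*/", "", m)
            if (t == want) print t, f, m
        }'
}

# The auth stack as one line of "flag:module" tokens, e.g.
# "definitive:pam_user_policy.so.1 required:pam_deny.so.1".
auth_shape() {
    pam_stack "$1" auth | awk '{ printf "%s%s:%s", (NR > 1 ? " " : ""), $2, $3 } END { print "" }'
}

# Return 0 only for the deny-by-default auth stack used in Example 1-4.
check_deny_by_default() {
    [ "$(auth_shape "$1")" = "definitive:pam_user_policy.so.1 required:pam_deny.so.1" ]
}

# Constructed sample files mirroring Example 1-4; prints the scratch directory.
write_samples() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pamaudit.XXXXXX") || return 1
    # /etc/pam.d/ktelnet after the edit: per-user policy first, then deny
    printf '# Denied Kerberized telnet service\n#\nauth definitive\tpam_user_policy.so.1\nauth required\t\tpam_deny.so.1\n' > "$d/ktelnet"
    # the per-user policy file in pam.conf layout, like pam_policy/ktelnet-conf
    printf '# Kerberized telnet service\nktelnet auth required pam_unix_cred.so.1\nktelnet auth required pam_krb5.so.1\n' > "$d/ktelnet-conf"
    # a mistaken edit that keeps the original modules after the per-user line
    printf 'auth definitive pam_user_policy.so.1\nauth required pam_unix_cred.so.1\nauth required pam_krb5.so.1\n' > "$d/ktelnet.open"
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed samples.
dir=$(write_samples)
for f in ktelnet ktelnet-conf ktelnet.open; do
    if check_deny_by_default "$dir/$f"; then
        echo "$f: denies by default ($(auth_shape "$dir/$f"))"
    else
        echo "$f: NOT deny-by-default ($(auth_shape "$dir/$f"))"
    fi
done
rm -rf "$dir"
```

The third sample shows the case the administrator's test with a regular user is meant to catch: pam_user_policy.so.1 is present, but the original modules were left in place after it, so a user without the per-user policy still authenticates. Running check_deny_by_default /etc/pam.d/ktelnet on each Kerberos server after the copy step gives a quick consistency check across images.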