
Managing Authentication in Oracle® Solaris 11.4


Updated: November 2020

How to Assign a Modified PAM Policy

In this procedure, you configure a non-default PAM policy on all systems. After all files are copied, you can assign the new or modified PAM policy to individual users or to all users.

Before You Begin

You have modified and tested the PAM configuration files that implement the new policy.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Add the non-default PAM files to all systems.

    You must add all new PAM modules and new and modified PAM configuration files to all systems.

    1. First, add any new PAM modules to every system.
      1. Add the 32-bit PAM module to the architecture-appropriate directory.
      2. Add the 64-bit PAM module to the architecture-appropriate directory.

      For an example of directory setup, see Step 1 in How to Add a PAM Module.

    2. Next, add any new PAM configuration files to every system.

      For example, add the /opt/local_pam/ssh-telnet-conf file to every system.

    3. Then, copy any modified PAM configuration files to every system.

      For example, copy a modified /etc/pam.conf file and any modified /etc/pam.d/service-name files to every system.

  2. Assign a non-default PAM policy to all users.

    Note - If you are using the account-policy SMF stencil and the config/etc_default_login property is enabled, the following substeps will not work. Rather, you must change the corresponding SMF properties on every system that will use this non-default PAM policy. For examples, see the procedures in Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.
    1. Modify the policy.conf file in one of the following ways:
      • Add a PAM configuration file to the PAM_POLICY keyword in the policy.conf file.
        # pfedit /etc/security/policy.conf
        ...
        # PAM_POLICY=
        PAM_POLICY=/opt/local_pam/ssh-telnet-conf
        ...
      • Add a rights profile to the PROFS_GRANTED keyword in the policy.conf file.

        For example, assign the PAM Per-User Policy of Any rights profile from Example 3, Setting Per-User PAM Policy by Using a Rights Profile.

        # pfedit /etc/security/policy.conf
        ...
        AUTHS_GRANTED=
        # PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=PAM Per-User Policy of Any,Basic Solaris User
        ...
    2. Copy the modified policy.conf file to every system.
  3. Assign a non-default PAM policy to individual users.

    You can either assign the policy directly to a user or assign a rights profile that contains the policy to a user.

    • Assign the PAM policy directly to individual users.
      # usermod -K pam_policy="/opt/local_pam/ssh-telnet-conf" jill
    • Include the PAM policy in a rights profile and assign the profile to individual users.

      This example uses the ldap PAM policy.

      # profiles -p "PAM Per-User Policy of LDAP" \
      'set desc="Profile which sets pam_policy=ldap";
      set pam_policy=ldap; exit;'

      Then assign the rights profile to a user.

      # usermod -P +"PAM Per-User Policy of LDAP" jill

Example 4  Limiting the rlogin PAM Stack to Selected Users

The administrator wants only a limited number of users to be able to use rlogin. Before enabling the rlogin service, the administrator creates a per-user rlogin-conf file in the pam_policy directory, and denies rlogin to every other user by modifying the rlogin file in the pam.d directory.

First, the administrator copies the rlogin file into the pam_policy directory and edits it. Files in the pam_policy directory use the pam.conf format, so each entry carries the service name (rlogin) as its first field.

# cp /etc/pam.d/rlogin /etc/security/pam_policy/rlogin-conf
# pfedit /etc/security/pam_policy/rlogin-conf
...
# Limited rlogin service
#
rlogin  auth definitive         pam_user_policy.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
rlogin  auth required           pam_unix_cred.so.1

The administrator makes the file read-only with 444 permissions. Anyone who can write a pam_policy file controls the PAM stack of every user the file is assigned to, so the file must not be writable by anyone but its owner.

# chmod 444 /etc/security/pam_policy/rlogin-conf
# ls -l /etc/security/pam_policy/rlogin-conf
-r--r--r--   1 root     root         228 Nov 27 15:04 rlogin-conf

Then, the administrator modifies the rlogin file in the pam.d directory.

  • The first entry enables per-user assignment. Because it is marked definitive, a user who has been assigned a pam_policy receives the result of that policy's rlogin stack and processing stops there; for a user without the key the module is ignored and the stack falls through to the next entry.

  • The second entry denies rlogin to any user who has not been assigned pam_policy=rlogin-conf by the administrator. The denial must be explicit: if the original pam_rhosts_auth entry were left active, an .rhosts trust would still admit the user without a password.

# cp /etc/pam.d/rlogin /etc/pam.d/rlogin.orig
# pfedit /etc/pam.d/rlogin
...
# Limited rlogin service
#
# Denied rlogin service (explicit because of pam_rhosts_auth)
#
auth definitive         pam_user_policy.so.1
auth required           pam_deny.so.1
# auth sufficient         pam_rhosts_auth.so.1
# auth requisite          pam_authtok_get.so.1
# auth required           pam_dhkeys.so.1
# auth required           pam_unix_auth.so.1
# auth required           pam_unix_cred.so.1

The administrator tests the configuration with a privileged user, a regular user, and the root role. When the configuration passes, the administrator enables the rlogin service and assigns the per-user policy to the system administrators. The rolemod command assigns the policy to the sysadmin role in the LDAP repository (-S ldap), so administrators who assume that role receive the rlogin-conf stack.

# svcadm enable rlogin
# rolemod -S ldap -K pam_policy=rlogin-conf sysadmin

The administrator copies the modified files to those servers that are used by administrators, and enables rlogin on those servers.