In this procedure, you configure a non-default PAM policy on all systems. After all files are copied, you can assign the new or modified PAM policy to individual users or to all users.
Before You Begin
You have modified and tested the PAM configuration files that implement the new policy.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.
You must add all new PAM modules and new and modified PAM configuration files to all systems.
For an example of directory setup, see Step 1 in How to Add a PAM Module.
For example, add the /opt/local_pam/ssh-telnet-conf file to every system.
For example, copy a modified /etc/pam.conf file and any modified /etc/pam.d/service-name files to every system.
# pfedit /etc/security/policy.conf
...
# PAM_POLICY=
PAM_POLICY=/opt/local_pam/ssh-telnet-conf
...
For example, assign the PAM Per-User Policy of Any rights profile from Example 3, Setting Per-User PAM Policy by Using a Rights Profile.
# pfedit /etc/security/policy.conf
...
AUTHS_GRANTED=
# PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=PAM Per-User Policy of Any,Basic Solaris User
...
You can either assign the policy directly to a user or assign a rights profile that contains the policy to a user.
# usermod -K pam_policy="/opt/local_pam/ssh-telnet-conf" jill
This example uses the ldap PAM policy.
# profiles -p "PAM Per-User Policy of LDAP" \
'set desc="Profile which sets pam_policy=ldap"; set pam_policy=ldap; exit;'
Then assign the rights profile to a user.
# usermod -P +"PAM Per-User Policy of LDAP" jill
The administrator wants to allow a limited number of users the ability to use rlogin. Before enabling the rlogin service, the administrator creates a per-user rlogin-conf file in the pam_policy directory, and denies the use of rlogin to other users by modifying the rlogin file in the pam.d directory.
First, the administrator configures a per-user rlogin-conf file in the pam_policy directory.
# cp /etc/pam.d/rlogin /etc/security/pam_policy/rlogin-conf
# pfedit /etc/security/pam_policy/rlogin-conf
...
# Limited rlogin service
#
rlogin auth definitive pam_user_policy.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_auth.so.1
rlogin auth required pam_unix_cred.so.1
The administrator protects the file with 444 permissions.
# chmod 444 /etc/security/pam_policy/rlogin-conf
# ls -l /etc/security/pam_policy/rlogin-conf
-r--r--r-- 1 root root 228 Nov 27 15:04 rlogin-conf
Then, the administrator modifies the rlogin file in the pam.d directory.
The first entry enables per-user assignment.
The second entry denies the use of rlogin unless you are assigned pam_policy=rlogin-conf by the administrator.
# cp /etc/pam.d/rlogin /etc/pam.d/rlogin.orig
# pfedit /etc/pam.d/rlogin
...
# Limited rlogin service
#
# Denied rlogin service (explicit because of pam_rhost_auth)
#
auth definitive pam_user_policy.so.1
auth required pam_deny.so.1
# auth sufficient pam_rhosts_auth.so.1
# auth requisite pam_authtok_get.so.1
# auth required pam_dhkeys.so.1
# auth required pam_unix_auth.so.1
# auth required pam_unix_cred.so.1
The administrator tests the configuration with a privileged user, a regular user, and the root role. When the configuration passes, the administrator enables the rlogin service and assigns the per-user policy to the system administrators.
# svcadm enable rlogin
# rolemod -S ldap -K pam_policy=rlogin-conf sysadmin
The administrator copies the modified files to those servers that are used by administrators, and enables rlogin on those servers.
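As an added pre-deployment check (example code, not part of the Oracle procedure or any Solaris tool), the script below lints the two kinds of file the procedure copies to every system: it checks field layout and control flags, confirms that the first auth entry is the definitive pam_user_policy.so.1 line that enables per-user assignment, and confirms the 444 permissions. The sample files and the lint rules are constructed for this example.

```shell
#!/bin/sh
# Lint PAM files before copying them to every system (assumed checks, not
# Solaris tooling). kind=pamd   : /etc/pam.d/<service>, no service column
#                   kind=policy : /etc/security/pam_policy file, service column
check_pam_file() {
  awk -v kind="$2" '
    function err(msg) { print FILENAME ":" NR ": " msg; bad = 1 }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
      if (kind == "policy") { type = $2; ctrl = $3; mod = $4; need = 4 }
      else                  { type = $1; ctrl = $2; mod = $3; need = 3 }
      if (NF < need) { err("too few fields"); next }
      if (type !~ /^(auth|account|password|session)$/) err("bad type " type)
      if (ctrl !~ /^(binding|definitive|include|optional|required|requisite|sufficient)$/)
        err("bad control flag " ctrl)
      if (ctrl != "include" && mod !~ /^pam_[A-Za-z0-9_]+\.so(\.[0-9]+)?$/)
        err("not a pam_*.so module: " mod)
      # Per-user assignment works only if the first auth entry is the
      # definitive pam_user_policy.so.1 line, as in the rlogin example.
      if (type == "auth" && !seen_auth++ &&
          !(ctrl == "definitive" && mod == "pam_user_policy.so.1"))
        err("first auth entry must be: definitive pam_user_policy.so.1")
    }
    END { exit bad + 0 }' "$1"
}
# The procedure protects policy files with mode 444: no write bit for anyone.
check_pam_perms() { [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r--r--" ]; }

# Constructed sample files (not real system files) in a scratch directory.
DIR=$(mktemp -d)
cat > "$DIR/rlogin-conf" <<'EOF'
# Limited rlogin service (per-user policy file)
rlogin auth definitive pam_user_policy.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth required pam_unix_auth.so.1
EOF
cat > "$DIR/rlogin" <<'EOF'
# Denied unless pam_policy=rlogin-conf is assigned
auth definitive pam_user_policy.so.1
auth required pam_deny.so.1
EOF
printf 'auth sufficient pam_rhosts_auth.so.1\nauth requried pam_unix_auth.so.1\n' \
  > "$DIR/rlogin.broken"      # per-user line missing, control flag misspelt
chmod 444 "$DIR/rlogin-conf"; chmod 644 "$DIR/rlogin"

for f in rlogin-conf:policy rlogin:pamd rlogin.broken:pamd; do
  if check_pam_file "$DIR/${f%%:*}" "${f##*:}"; then echo "${f%%:*}: OK"; fi
done
```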