Managing Authentication in Oracle® Solaris 11.4

Updated: November 2020

How to Add a PAM Module

This procedure shows how to add, protect, and test a new PAM module. New modules might be required for site-specific security policies or to support third-party applications. To create a PAM module, see Chapter 3, Writing PAM Applications and Services in Developer’s Guide to Oracle Solaris 11.4 Security.

Note - You must install a 32-bit version and a 64-bit version of the PAM service module.

Before You Begin

Complete Planning a Site-Specific PAM Configuration.

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install then protect both versions of the PAM service module on disk.

    Ensure that the ownership and permissions protect the module files with root ownership and 444 permissions.

    # cd /opt/pam_modules
    # ls -lR
    total 4
    -r--r--r--   1 root     root        4570 Nov 27 12:34 pam_app1.so.1
    drwxrwxrwx   2 root     root           3 Nov 27 12:38 sparcv9
    total 1
    -r--r--r--   1 root     root        4862 Nov 27 12:38 pam_app1.so.1

    The 32-bit module is in the /opt/pam_modules directory and the 64-bit module is in the 64 subdirectory.

  2. Add the module to the appropriate PAM configuration file.

    In the following example, the module is for a new application, app1. Its service name is the same as the application name. Create an app1 service-name file in the /etc/pam.d directory. The first entry in the file enables the app1 service to be assigned to individual users.

    # cd /etc/pam.d
    # pfedit app1
    # PAM configuration
    # app1 service
    auth definitive         pam_user_policy.so.1
    auth required           /opt/pam_modules/$ISA/pam_app1.so.1  debug

    The $ISA token in the module path directs the PAM framework to the 32-bit or 64-bit version of the service module that matches the architecture of the calling application. For 32-bit applications, /a/b/$ISA/module.so becomes /a/b/module.so, and for 64-bit applications it becomes /a/b/64/module.so. In this example, you installed the 32-bit pam_app1.so.1 service module in the /opt/pam_modules directory and the 64-bit module in the /opt/pam_modules/64 directory.

    For more information, see the pfedit(8) and pam.conf(5) man pages.

    To limit the app1 PAM policy to selected users, see Example 2, Adding a New Module to a Per-User PAM Policy File.

  3. Test your new service.

    Log in directly by using login or ssh. Then, run the commands that are affected by the new module. Test users who are allowed and who are denied use of the affected commands. For troubleshooting assistance, see How to Troubleshoot PAM Configuration Errors.

  4. Assign the policy.

    See How to Assign a Modified PAM Policy.

Example 2  Adding a New Module to a Per-User PAM Policy File

In this example, the app1 service is not used by all users, so the administrator adds the service as a per-user policy.

# cd /etc/pam.d
# cp app1 /opt/local_pam/app1-conf
# pfedit /opt/local_pam/app1-conf

## app1 service
app1 auth definitive         pam_user_policy.so.1
app1 auth required           /opt/pam_modules/$ISA/pam_app1.so.1  debug

The administrator deletes the app1 file from the pam.d directory.

# rm /etc/pam.d/app1

Then, the administrator adds the app1-conf policy to the system administrator's PAM policy.

# rolemod -K pam_policy=/opt/local_pam/app1-conf sysadmin
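
The following POSIX sh script is an added example and is not part of the Oracle documentation. It automates the checks behind step 1 and step 2 of the procedure and the per-user policy file of Example 2: it expands the $ISA token exactly as the text describes, verifies that both the 32-bit and 64-bit copies of every absolute module path exist with the expected owner and 444 permissions, and accepts either a pam.d-style service file (type in the first column) or a pam.conf/per-user policy file (service name in the first column). It goes slightly beyond the text by also flagging a file whose mode field carries an ACL marker. The directory tree, the service files and the owner name it uses are constructed fixtures; the module name typo it detects (pam.app1 instead of pam_app1) is a deliberate example of a mistake that would leave the service unusable.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): checker for a PAM module
# installation. All paths and sample files below are constructed for the demo.

# expand_isa PATH ARCH: expand the $ISA token as the text describes,
# "/a/b/$ISA/m.so" -> "/a/b/m.so" for 32-bit and "/a/b/64/m.so" for 64-bit.
expand_isa() {
    _path=$1
    case $_path in
        *\$ISA/*)
            _pre=${_path%%\$ISA/*}
            _post=${_path#*\$ISA/}
            if [ "$2" = 64 ]; then
                printf '%s64/%s\n' "$_pre" "$_post"
            else
                printf '%s%s\n' "$_pre" "$_post"
            fi ;;
        *)  printf '%s\n' "$_path" ;;
    esac
}

# check_module_file FILE OWNER: the file must exist, be owned by OWNER and have
# mode -r--r--r-- (444). A trailing "+" in the mode field means an ACL is set,
# which may grant more than 444, so it is rejected; "." and "@" are only labels.
check_module_file() {
    _file=$1 _owner=$2
    if [ ! -f "$_file" ]; then
        echo "MISSING  $_file"; return 1
    fi
    set -- $(ls -ld "$_file")
    case $1 in
        -r--r--r--|-r--r--r--[.@]) ;;
        *) echo "BADMODE  $1 $_file"; return 1 ;;
    esac
    if [ "$3" != "$_owner" ]; then
        echo "BADOWNER $3 $_file"; return 1
    fi
    echo "OK       $_file"
}

# check_pam_service FILE OWNER: read a pam.d-style service file or a
# pam.conf/per-user policy file (first column is the service name, as in
# Example 2) and check every absolute module path for both architectures.
# Module names without a directory are resolved by the framework from its
# default library directory, so they are reported but not checked here.
check_pam_service() {
    _conf=$1 _own=$2 _rc=0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|\#*) continue ;; esac
        set -- $_line
        case $1 in
            auth|account|session|password) _module=$3 ;;  # type control module
            *) _module=$4 ;;                               # service type control module
        esac
        case $_module in
            /*) for _arch in 32 64; do
                    check_module_file "$(expand_isa "$_module" "$_arch")" "$_own" || _rc=1
                done ;;
            *)  echo "SKIP     $_module (framework default path)" ;;
        esac
    done < "$_conf"
    return $_rc
}

# make_fixture: build a throwaway tree mirroring the layout in the text
# (32-bit module at the top, 64-bit module in the 64 subdirectory), a pam.d
# service file, the per-user policy variant of Example 2, and a copy of the
# service file with the module name misspelled. Prints the fixture root.
make_fixture() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/pam_modules/64" "$_root/pam.d" "$_root/local_pam"
    : > "$_root/pam_modules/pam_app1.so.1"
    : > "$_root/pam_modules/64/pam_app1.so.1"
    chmod 444 "$_root/pam_modules/pam_app1.so.1" "$_root/pam_modules/64/pam_app1.so.1"
    printf '# PAM configuration\n# app1 service\n' > "$_root/pam.d/app1"
    printf 'auth definitive pam_user_policy.so.1\n' >> "$_root/pam.d/app1"
    printf 'auth required %s/pam_modules/$ISA/pam_app1.so.1 debug\n' "$_root" >> "$_root/pam.d/app1"
    sed 's/^auth/app1 auth/' "$_root/pam.d/app1" > "$_root/local_pam/app1-conf"
    sed 's/pam_app1/pam.app1/' "$_root/pam.d/app1" > "$_root/pam.d/app1-typo"
    echo "$_root"
}

# Demo run on the constructed fixture; the current user stands in for root.
root=$(make_fixture)
me=$(id -un)
for f in pam.d/app1 local_pam/app1-conf pam.d/app1-typo; do
    echo "== $root/$f"
    check_pam_service "$root/$f" "$me" || echo "   -> service file $f FAILED"
done
rm -rf "$root"
```

On a real system the checker is run as root with `root` as the OWNER argument against /etc/pam.d/app1 or the per-user policy file; the misspelled copy in the fixture shows why checking both $ISA expansions before assigning the policy matters, since the module would otherwise fail to load only at authentication time.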

Example 3  Setting Per-User PAM Policy by Using a Rights Profile

This example uses the pam_policy security attribute to enable users from different naming services to be authenticated. The any PAM policy file (the policy that pam_policy=any selects) is provided in the /etc/security/pam_policy directory. The comments in the file describe this policy.

Do not modify files in this directory.

# profiles -p "PAM Per-User Policy of Any" \
'set desc="Profile which sets pam_policy=any";
 set pam_policy=any; exit;'

To assign this rights profile, see How to Assign a Modified PAM Policy.