In the default configuration, the ssh and telnet entry services have no entries of their own and are covered by the other service name. The PAM configuration file created in this procedure sets specific requirements for ssh keyboard-interactive logins and for telnet.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
Use the pfedit command to create the file. Place the file in a site configuration directory such as /opt. You can also place it in the /etc/security/pam_policy directory.
Include explanatory comments in the file.
# pfedit /opt/local_pam/ssh-telnet-conf
#
# PAM configuration which uses UNIX authentication for console logins,
# (see pam.d/login), and LDAP for SSH keyboard-interactive logins
# This stack explicitly denies telnet logins.
#
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth binding pam_unix_auth.so.1 server_policy
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth required pam_ldap.so.1
#
telnet auth requisite pam_deny.so.1
telnet account requisite pam_deny.so.1
telnet session requisite pam_deny.so.1
telnet password requisite pam_deny.so.1
Protect the file with root ownership and 444 permissions.
# ls -l /opt/local_pam
total 5
-r--r--r-- 1 root 4570 Jun 21 12:08 ssh-telnet-conf
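The documentation does not ship a checker for policy files, so the following POSIX sh script is an added example, not part of the Oracle Solaris documentation. It lints a file written in the pam.conf(4) layout used above (service_name module_type control_flag module_path [options]), flags any service whose pam_deny entries do not cover all four module types (the types left out fall through to the other entries, so the service is not actually blocked), and checks the root ownership and 444 mode the procedure requires. The function names are this example's own, and the sample file is constructed: it reuses the sshd-kbdint and telnet stack from the page and adds a partial rlogin deny and a misspelled control flag to show what the checks catch.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): lint a PAM policy
# file in pam.conf(4) layout and verify the protection the procedure asks for.
# Pure POSIX sh + awk; it never touches the host's real PAM configuration.

# Constructed sample: the page's sshd-kbdint/telnet stack, an rlogin entry
# that denies only "auth", and a misspelled control flag on the last line.
make_sample() {
  cat > "$1" <<'EOF'
# constructed sample policy
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth binding pam_unix_auth.so.1 server_policy
sshd-kbdint auth required pam_unix_cred.so.1
sshd-kbdint auth required pam_ldap.so.1
telnet auth requisite pam_deny.so.1
telnet account requisite pam_deny.so.1
telnet session requisite pam_deny.so.1
telnet password requisite pam_deny.so.1
rlogin auth required pam_deny.so.1
ftp auth optionl pam_unix_auth.so.1
EOF
}

# Print one diagnostic per malformed entry; exit 0 only when every entry parses.
lint_pam_policy() {
  awk '
    /^[ \t]*(#|$)/ { next }          # comments and blank lines
    NF < 4 { printf "line %d: expected service type flag module [options]\n", NR; bad++; next }
    $2 !~ /^(auth|account|session|password)$/ {
      printf "line %d: bad module_type %s\n", NR, $2; bad++ }
    $3 !~ /^(binding|include|optional|required|requisite|sufficient)$/ {
      printf "line %d: bad control_flag %s\n", NR, $3; bad++ }
    $3 != "include" && $4 !~ /^(\/[^ ]*\/)?pam_[A-Za-z0-9_]+\.so(\.[0-9]+)?$/ {
      printf "line %d: bad module_path %s\n", NR, $4; bad++ }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# List services that use pam_deny for some but not all four module types.
# The module types left out fall through to the "other" entries, so the
# service is not actually blocked.
partial_deny_services() {
  awk '
    /^[ \t]*(#|$)/ { next }
    $4 ~ /pam_deny\.so/ { seen[$1, $2] = 1; svc[$1] = 1 }
    END {
      split("auth account session password", types, " ")
      for (s in svc) {
        n = 0
        for (i in types) if (seen[s, types[i]]) n++
        if (n < 4) print s
      }
    }
  ' "$1"
}

# The procedure requires root ownership and mode 444 (-r--r--r--).
# Parsing ls(1) keeps this portable across stat(1) dialects; cut drops the
# trailing "." or "+" some systems append for labels or ACLs.
check_file_mode() {
  [ "$(ls -ld "$1" | cut -c1-10)" = "-r--r--r--" ]
}
check_file_owner() {
  [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Stand-alone run: lint the constructed sample, then check protection of a file.
if [ -z "$PAM_LINT_NO_MAIN" ]; then
  f=$(mktemp)
  make_sample "$f"
  lint_pam_policy "$f" || echo "lint: policy has errors"
  for s in $(partial_deny_services "$f"); do
    echo "warning: $s denies only part of its stack"
  done
  chmod 444 "$f"
  check_file_mode "$f" && echo "mode ok"
  check_file_owner "$f" root || echo "owner is not root (expected when run unprivileged)"
  rm -f "$f"
fi
```

Run it against the real file with lint_pam_policy /opt/local_pam/ssh-telnet-conf after editing; on the sample above it reports the misspelled optionl flag and warns that rlogin denies only its auth stack.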
By default, the pam_zfs_key module is not in the /etc/security/pam_policy/unix file. In this example, the administrator creates a version of the unix per-user PAM policy that includes it, then uses the new version to create users whose home directories are encrypted.
# cp /etc/security/pam_policy/unix /opt/local_pam/unix-encrypt.conf
# pfedit /opt/local_pam/unix-encrypt.conf
...
other auth required pam_unix_auth.so.1
other auth required pam_unix_cred.so.1
## pam_zfs_key auto-creates an encrypted home directory ##
other auth required pam_zfs_key.so.1 create
The administrator uses this policy file when adding users. Note that encryption cannot be added to an existing ZFS file system. The file system must be created with encryption turned on. For more information, see the zfs_encrypt(1M) man page.
The administrator creates a user and assigns a password.
# useradd -K pam_policy=/opt/local_pam/unix-encrypt.conf jill
# passwd jill
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
passwd: password successfully changed for jill
Then, the administrator triggers creation of the encrypted home directory by logging in as the user. The create option of pam_zfs_key creates the file system at first login, and the login password becomes the wrapping key passphrase.
# su - jill
Password: xxxxxxxx
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation SunOS 5.11 11.3 October 2014
# logout
For the options to the ZFS service module, see the pam_zfs_key(5) man page.
Finally, the administrator verifies that the new home directory is an encrypted file system and that its key is derived from a prompted passphrase.
# mount -p | grep ~jill
rpool/export/home/jill - /export/home/jill zfs - no rw,devices,setuid,nonbmand,exec,rstchown,xattr,atime
# zfs get encryption,keysource rpool/export/home/jill
NAME                    PROPERTY    VALUE              SOURCE
rpool/export/home/jill  encryption  on                 local
rpool/export/home/jill  keysource   passphrase,prompt  local

Example 2 Preventing Users From Seeing Error Messages at Login
In this example, the administrator suppresses the error messages that the pam_unix_cred and pam_ldap modules would otherwise display at login by adding the nowarn option to each entry.
# pfedit /opt/local_pam/unix_ldap.conf
...
##
## turn off login error message
sshd-kbdint auth required pam_unix_cred.so.1 nowarn
sshd-kbdint auth required pam_ldap.so.1 nowarn