Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3

Updated: May 2019

How to Create a Site-Specific PAM Configuration File

In the default configuration, the ssh and telnet entry services are covered by the other service name. The PAM configuration file in this procedure changes the requirements for ssh and telnet.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. Create a new PAM policy configuration file.

    Use the pfedit command to create the file. Place the file in a site configuration directory such as /opt. You can also place it in the /etc/security/pam_policy directory.


    Note -  Do not modify existing files in the /etc/security/pam_policy directory.

    Include explanatory comments in the file.

    # pfedit /opt/local_pam/ssh-telnet-conf
    #
    # PAM configuration which uses UNIX authentication for console logins,
    # (see pam.d/login), and LDAP for SSH keyboard-interactive logins
    # This stack explicitly denies telnet logins.
    #
    sshd-kbdint  auth requisite          pam_authtok_get.so.1
    sshd-kbdint  auth binding            pam_unix_auth.so.1 server_policy
    sshd-kbdint  auth required           pam_unix_cred.so.1
    sshd-kbdint  auth required           pam_ldap.so.1
    #
    telnet       auth     requisite    pam_deny.so.1
    telnet       account  requisite    pam_deny.so.1
    telnet       session  requisite    pam_deny.so.1
    telnet       password requisite    pam_deny.so.1
  2. Protect the file.

    Protect the file with root ownership and 444 permissions.

    # ls -l /opt/local_pam
    
    total 5
    -r--r--r--   1 root         4570 Jun 21 12:08 ssh-telnet-conf
  3. Assign the policy.

    See How to Assign a Modified PAM Policy.
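The following POSIX shell script is an added example and is not part of the Oracle documentation. It lints a policy file written in the "service type flag module [options]" format shown in step 1 (unknown module types or control flags, modules that are not .so.1 objects, short lines), checks that a service such as telnet is denied at the head of every one of the four module-type stacks, and checks the root ownership and 444 mode required in step 2. The function names (pam_policy_lint, pam_service_denied, pam_policy_mode_ok, pam_policy_owner_ok) and the two sample policy files it writes to temporary files are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: a lint pass over a
# site-specific PAM policy file in the "service type flag module [options]"
# format used above, plus the ownership and mode checks from step 2.
# Function names and the two sample files are this example's own constructions.

PAM_TYPES="auth account session password"
PAM_FLAGS="requisite required binding sufficient optional include"

# Print one finding per line on stderr, the finding count on stdout, and
# return non-zero when anything was found.
pam_policy_lint() {
    file=$1 problems=0 lineno=0
    while read -r svc type flag mod opts || [ -n "$svc" ]; do
        lineno=$((lineno + 1))
        case "$svc" in ''|'#'*) continue ;; esac        # blank line or comment
        if [ -z "$mod" ]; then
            echo "$file:$lineno: expected 'service type flag module [options]'" >&2
            problems=$((problems + 1)); continue
        fi
        case " $PAM_TYPES " in *" $type "*) ;; *)
            echo "$file:$lineno: unknown module type '$type'" >&2
            problems=$((problems + 1)) ;;
        esac
        case " $PAM_FLAGS " in *" $flag "*) ;; *)
            echo "$file:$lineno: unknown control flag '$flag'" >&2
            problems=$((problems + 1)) ;;
        esac
        # "include" names another policy file, not a shared object
        if [ "$flag" != include ]; then
            case "$mod" in *.so.1) ;; *)
                echo "$file:$lineno: module '$mod' is not a .so.1 shared object" >&2
                problems=$((problems + 1)) ;;
            esac
        fi
    done < "$file"
    echo "$problems"
    [ "$problems" -eq 0 ]
}

# Succeed only if SERVICE's first line for every module type is a
# requisite/required pam_deny.so.1, so nothing earlier in the stack can grant
# access (the telnet stack above has this shape). On Solaris use nawk or
# /usr/xpg4/bin/awk if /usr/bin/awk rejects -v.
pam_service_denied() {
    file=$1 svc=$2
    for t in $PAM_TYPES; do
        awk -v s="$svc" -v t="$t" '
            /^[ \t]*(#|$)/ { next }
            $1 == s && $2 == t {
                found = 1
                ok = ($3 == "requisite" || $3 == "required") && $4 == "pam_deny.so.1"
                exit
            }
            END { if (found && ok) exit 0; exit 1 }' "$file" || return 1
    done
}

# Step 2: the file must be root-owned (uid 0) with mode 444.
# ls -ln prints the numeric uid; a trailing "+" or "." after the mode is
# tolerated because some systems append an ACL/label marker.
pam_policy_mode_ok() {
    set -- $(ls -ln "$1")
    case "$1" in -r--r--r--*) return 0 ;; *) return 1 ;; esac
}
pam_policy_owner_ok() {
    set -- $(ls -ln "$1")
    [ "$3" = 0 ]
}

# Constructed sample policies (temporary files, removed on exit).
PAM_SAMPLE=$(mktemp)
PAM_BROKEN=$(mktemp)
trap 'rm -f "$PAM_SAMPLE" "$PAM_BROKEN"' EXIT
cat > "$PAM_SAMPLE" <<'EOF'
# sshd keyboard-interactive: UNIX then LDAP; telnet denied outright
sshd-kbdint  auth requisite   pam_authtok_get.so.1
sshd-kbdint  auth binding     pam_unix_auth.so.1 server_policy
sshd-kbdint  auth required    pam_unix_cred.so.1
sshd-kbdint  auth required    pam_ldap.so.1
telnet       auth     requisite  pam_deny.so.1
telnet       account  requisite  pam_deny.so.1
telnet       session  requisite  pam_deny.so.1
telnet       password requisite  pam_deny.so.1
EOF
cat > "$PAM_BROKEN" <<'EOF'
# misspelt flag, missing module suffix, telnet only half denied
sshd-kbdint  auth requsite  pam_authtok_get.so.1
sshd-kbdint  auth binding   pam_unix_auth.so.1
telnet       auth     requisite  pam_deny.so.1
telnet       session  required   pam_deny
EOF

for f in "$PAM_SAMPLE" "$PAM_BROKEN"; do
    echo "== $f =="
    pam_policy_lint "$f" || :
    pam_service_denied "$f" telnet && echo "telnet: denied for all four types" \
        || echo "telnet: NOT fully denied"
    pam_policy_mode_ok "$f" && pam_policy_owner_ok "$f" \
        || echo "not root-owned mode 444 (expected for a temp file)"
done
```

Run it against the file from step 1 with `pam_policy_lint /opt/local_pam/ssh-telnet-conf && pam_service_denied /opt/local_pam/ssh-telnet-conf telnet` after sourcing the functions; the denial check deliberately looks only at the first line of each stack, because a `sufficient` module placed ahead of `pam_deny.so.1` would silently reopen the service.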

Example 1  Using a Modified PAM Stack to Create an Encrypted Home Directory

By default, the pam_zfs_key module is not in the /etc/security/pam_policy/unix file. In this example, the administrator creates a version of the unix PAM per-user policy, then uses the new version to create users whose home directories are encrypted.

# cp /etc/security/pam_policy/unix /opt/local_pam/unix-encrypt.conf
# pfedit /opt/local_pam/unix-encrypt.conf
...
other   auth required           pam_unix_auth.so.1
other   auth required           pam_unix_cred.so.1
## pam_zfs_key auto-creates an encrypted home directory
##
other auth required           pam_zfs_key.so.1 create

The administrator uses this policy file when adding users. Note that encryption cannot be added to an existing file system; the file system must be created with encryption turned on. For more information, see the zfs_encrypt(1M) man page.

The administrator creates a user and assigns a password.

# useradd -K pam_policy=/opt/local_pam/unix-encrypt.conf jill
# passwd jill
New Password: xxxxxxxx
Re-enter new Password: xxxxxxxx
passwd: password successfully changed for jill

Then, the administrator creates the encrypted home directory by logging in as the user.

# su - jill
Password: xxxxxxxx
Creating home directory with encryption=on.
Your login password will be used as the wrapping key.
Oracle Corporation      SunOS 5.11      11.3    October 2014

# logout

For the options to the ZFS service module, see the pam_zfs_key(5) man page.

Finally, the administrator verifies that the new home directory is an encrypted filesystem.

# mount -p | grep ~jill
rpool/export/home/jill - /export/home/jill zfs - no
rw,devices,setuid,nonbmand,exec,rstchown,xattr,atime
# zfs get encryption,keysource rpool/export/home/jill
NAME                   PROPERTY    VALUE              SOURCE
rpool/export/home/jill  encryption  on                 local
rpool/export/home/jill  keysource   passphrase,prompt  local

Example 2  Preventing Users From Seeing Error Messages at Login

In this example, the administrator prevents the display of a login error message by using the nowarn option.

# pfedit /opt/local_pam/unix_ldap.conf
...
##
## turn off login error message
sshd-kbdint  auth required           pam_unix_cred.so.1    nowarn
sshd-kbdint  auth required           pam_ldap.so.1    nowarn