In this procedure, you configure a non-default PAM policy on all system images. After all files are copied, you can assign the new or modified PAM policy to individual users or to all users.
Before You Begin
You have modified and tested the PAM configuration files that implement the new policy.
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
You must add all new PAM modules and new and modified PAM configuration files to all systems.
For an example of directory setup, see Step 1 in How to Add a PAM Module.
For example, add the /opt/local_pam/ssh-telnet-conf file to every system.
For example, copy a modified /etc/pam.conf file and any modified /etc/pam.d/service-name files to every system.
# pfedit /etc/security/policy.conf
...
# PAM_POLICY=
PAM_POLICY=/opt/local_pam/ssh-telnet-conf
...
For example, assign the PAM Per-User Policy of Any rights profile from Example 4, Setting Per-User PAM Policy by Using a Rights Profile.
# pfedit /etc/security/policy.conf
...
AUTHS_GRANTED=
# PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=PAM Per-User Policy of Any,Basic Solaris User
...
# usermod -K pam_policy="/opt/local_pam/ssh-telnet-conf" jill
This example uses the ldap PAM policy.
# profiles -p "PAM Per-User Policy of LDAP" \
'set desc="Profile which sets pam_policy=ldap"; set pam_policy=ldap; exit;'
Then assign the rights profile to a user.
# usermod -P +"PAM Per-User Policy of LDAP" jill
The administrator wants to allow a limited number of users to use telnet in a Kerberos realm. So, before the telnet service is enabled, the administrator places a copy of the default ktelnet configuration file in the pam_policy directory and then changes the default ktelnet configuration file in the pam.d directory.
First, the administrator configures a per-user ktelnet file.
# cp /etc/pam.d/ktelnet /etc/security/pam_policy/ktelnet-conf
# pfedit /etc/security/pam_policy/ktelnet-conf
...
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
The administrator protects the file with 444 permissions.
# chmod 444 /etc/security/pam_policy/ktelnet-conf
# ls -l /etc/security/pam_policy/ktelnet-conf
-r--r--r--   1 root     root         228 Nov 27 15:04 ktelnet-conf
Then, the administrator modifies the ktelnet file in the pam.d directory.
The first entry enables per-user assignment.
The second entry denies the use of ktelnet unless you are assigned pam_policy=ktelnet by the administrator.
# cp /etc/pam.d/ktelnet /etc/pam.d/ktelnet.orig
# pfedit /etc/pam.d/ktelnet
...
# Denied Kerberized telnet service
#
auth definitive pam_user_policy.so.1
auth required pam_deny.so.1
The administrator tests the configuration with a privileged user, a regular user, and the root role. When the configuration passes, the administrator enables the telnet service and assigns the per-user policy to the Kerberos administrators.
# svcadm enable telnet
# rolemod -S ldap -K pam_policy=ktelnet-conf kerbadmin
The administrator copies the modified files to all Kerberos servers, and enables telnet on those servers.
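The following Python model is an added illustration and is not Oracle's PAM code or part of this page. It shows why the modified /etc/pam.d/ktelnet file above denies the service to everyone who has not been assigned pam_policy=ktelnet-conf, and how the per-user file in /etc/security/pam_policy is evaluated in its place. The control-flag handling is a simplified reading of pam.conf(4) (optional and binding are not modelled), the USER_POLICY table is a constructed stand-in for the pam_policy key that the earlier steps set with usermod -K, rolemod -K, a rights profile, or PAM_POLICY in policy.conf, and the module results are constructed values rather than real authentication.

```python
"""Reduced model of how a PAM service stack that starts with
"auth definitive pam_user_policy.so.1" behaves. Added illustration, not
Oracle's PAM code: control flags follow a simplified reading of pam.conf(4),
and module results are constructed values, not real authentication."""

from dataclasses import dataclass

PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"


@dataclass
class Entry:
    service: str
    mtype: str   # auth, account, session or password
    flag: str    # control flag
    module: str


def parse_pam_conf(text, default_service=None):
    """Parse pam.conf(4)-style lines. Files in /etc/pam.d/ omit the service
    field (the file name is the service), so the caller supplies it; per-user
    files in /etc/security/pam_policy/ carry the service as the first field."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments and blank lines
        if not fields:
            continue
        if default_service is None:
            entries.append(Entry(*fields[:4]))
        else:
            entries.append(Entry(default_service, *fields[:3]))
    return entries


def run_stack(entries, service, mtype, user, user_policy, policy_files, results):
    """Evaluate the `mtype` stack of `service` for `user`.
    user_policy: user -> pam_policy name, a constructed stand-in for the key set
    with usermod/rolemod -K, by a rights profile, or by PAM_POLICY in policy.conf.
    policy_files: policy name -> parsed per-user file.  results: module -> result."""
    saved_err = None   # first failure of a "required" module
    for e in entries:
        if e.service != service or e.mtype != mtype:
            continue
        if e.module == "pam_user_policy.so.1":
            policy = user_policy.get(user)
            if policy is None:
                res = PAM_IGNORE                # no pam_policy: skip this entry
            elif policy not in policy_files:
                res = PAM_AUTH_ERR              # unreadable policy file (simplified)
            else:                               # run the per-user stack instead
                res = run_stack(policy_files[policy], service, mtype, user,
                                {}, policy_files, results)
        else:
            res = results.get(e.module, PAM_IGNORE)
        failed = res not in (PAM_SUCCESS, PAM_IGNORE)

        if e.flag == "definitive" and res != PAM_IGNORE:
            return res                          # final, success or failure
        if e.flag == "requisite" and failed:
            return res
        if e.flag == "required" and failed and saved_err is None:
            saved_err = res
        if e.flag == "sufficient" and res == PAM_SUCCESS and saved_err is None:
            return PAM_SUCCESS
        # "optional" and "binding" are not modelled here
    return saved_err or PAM_SUCCESS


# Contents of the two files from the ktelnet example on this page.
KTELNET_PAMD = """\
# Denied Kerberized telnet service
#
auth definitive pam_user_policy.so.1
auth required pam_deny.so.1
"""
KTELNET_CONF = """\
# Kerberized telnet service
#
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
"""
SERVICE_STACK = parse_pam_conf(KTELNET_PAMD, default_service="ktelnet")
POLICY_FILES = {"ktelnet-conf": parse_pam_conf(KTELNET_CONF)}
USER_POLICY = {"kerbadmin": "ktelnet-conf"}   # stands in for rolemod -K pam_policy=ktelnet-conf


def ktelnet_auth(user, krb5_ok=True):
    """Result of the ktelnet auth stack; krb5_ok is pam_krb5's constructed result."""
    results = {"pam_unix_cred.so.1": PAM_SUCCESS,
               "pam_krb5.so.1": PAM_SUCCESS if krb5_ok else PAM_AUTH_ERR,
               "pam_deny.so.1": PAM_AUTH_ERR}
    return run_stack(SERVICE_STACK, "ktelnet", "auth", user,
                     USER_POLICY, POLICY_FILES, results)
```

Calling ktelnet_auth("jill") returns PAM_AUTH_ERR because pam_user_policy returns PAM_IGNORE for a user with no pam_policy, the definitive entry therefore does not end the stack, and the required pam_deny entry fails. Calling ktelnet_auth("kerbadmin") returns PAM_SUCCESS only when the stack in ktelnet-conf succeeds; a pam_krb5 failure there is returned as the definitive result and pam_deny is never consulted. The same evaluation applies to a policy assigned with PAM_POLICY in policy.conf or with usermod -K, as in the earlier steps.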