PAM (Tasks)
This section discusses some tasks that might be required to make the PAM
framework use a particular security policy. You should be aware of some security
issues that are associated with the PAM configuration file. For information about the
security issues, see Planning for Your PAM Implementation.
PAM (Task Map)
Planning for Your PAM Implementation
As delivered, the pam.conf configuration file implements the standard Solaris security policy. This
policy should work in many situations. If you need to implement a different
security policy, here are the issues that you should focus on:
- Determine what your needs are, especially which PAM service modules you should select.
- Identify the services that need special configuration options. Use other if appropriate.
- Decide the order in which the modules should be run.
- Select the control flag for each module. See How PAM Stacking Works for more information about all of the control flags.
- Choose any options that are necessary for each module. The man page for each module should list any special options.
Here are some suggestions to consider before you change the PAM configuration file:
- Use other entries for each module type so that every application does not have to be included in /etc/pam.conf.
- Make sure to consider the security implications of the binding, sufficient, and optional control flags.
- Review the man pages that are associated with the modules. These man pages can help you understand how each module functions, what options are available, and the interactions between stacked modules.
Caution - If the PAM configuration file is misconfigured or the file becomes corrupted, no user might be able to log in. Because the sulogin command does not use PAM, the root password would then be required to boot the machine into single-user mode and fix the problem.
After you change the /etc/pam.conf file, review the file as much as possible while you still have system access to correct problems. Test all the commands that might have been affected by your changes. An example is adding a new module to the telnet service. In this example, you would use the telnet command and verify that your changes make the service behave as expected.
How to Add a PAM Module
This procedure shows how to add a new PAM module. New modules
can be created to cover site-specific security policies or to support third-party applications.
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- Determine which control flags and which other options should be used.
Refer to How PAM Stacking Works for information on the control flags.
- Ensure that the ownership and permissions are set so that the module file
is owned by root and the permissions are 555.
- Edit the PAM configuration file, /etc/pam.conf, and add this module to the
appropriate services.
- Verify that the module has been added properly.
Test before you reboot the system, in case the configuration file is
misconfigured: log in using a direct service, such as ssh, and run the su
command. If the service is a daemon that is spawned only once when the
system is booted, you must reboot the system before you can verify that
the module has been added.
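The checks that the planning section and this procedure call for (well-formed /etc/pam.conf entries, a known control flag, and a module file owned by root with mode 555) can be scripted so that they run before the reboot. This is an added example, not from the Solaris documentation; the function names and the constructed sample entries are mine, and the fallback of a relative module path to /usr/lib/security follows pam.conf(4).

```sh
#!/bin/sh
# Added example: pre-reboot sanity check of a PAM configuration file.
# Usage: check_pam_conf /etc/pam.conf [expected_owner]
# Each entry must read "service type control_flag module_path [options]";
# each module must exist, be owned by expected_owner (default root) and have
# mode 555. Prints one line per problem and returns the number of problems.
check_pam_conf() {
  conf=$1 owner=${2:-root} problems=0
  while read -r svc type flag path opts; do
    case $svc in ''|'#'*) continue ;; esac            # blank or comment line
    case $type in auth|account|session|password) ;;
      *) echo "$svc: unknown module type '$type'"; problems=$((problems+1)); continue ;;
    esac
    case $flag in binding|include|optional|required|requisite|sufficient) ;;
      *) echo "$svc $type: unknown control flag '$flag'"; problems=$((problems+1)); continue ;;
    esac
    [ "$flag" = include ] && continue   # include names another config file, not a module
    # A relative module path is resolved under /usr/lib/security (pam.conf(4)).
    case $path in '') echo "$svc $type: missing module path"; problems=$((problems+1)); continue ;;
                  /*) ;; *) path=/usr/lib/security/$path ;; esac
    if [ ! -f "$path" ]; then
      echo "$svc $type: module $path not found"; problems=$((problems+1)); continue
    fi
    # ls -l rather than stat, because stat's options differ between Solaris and Linux.
    set -- $(ls -ld "$path")
    perms=$(printf '%s' "$1" | cut -c1-10)
    [ "$perms" = "-r-xr-xr-x" ] || { echo "$svc $type: $path has mode $perms, expected 555"; problems=$((problems+1)); }
    [ "$3" = "$owner" ] || { echo "$svc $type: $path is owned by $3, expected $owner"; problems=$((problems+1)); }
  done < "$conf"
  return "$problems"
}
# Constructed demonstration: two stand-in modules (one with the wrong mode) and a
# pam.conf with a misspelled control flag. The expected owner is the current user
# so that the demo runs without root; in real use keep the default of root.
demo_check() {
  dir=$(mktemp -d)
  : > "$dir/pam_site.so.1"; chmod 555 "$dir/pam_site.so.1"
  : > "$dir/pam_lax.so.1";  chmod 755 "$dir/pam_lax.so.1"
  cat > "$dir/pam.conf" <<EOF
# constructed sample pam.conf
other   auth      required    $dir/pam_site.so.1
other   account   sufficent   $dir/pam_site.so.1
login   session   optional    $dir/pam_lax.so.1
EOF
  me=$(id -un 2>/dev/null || id -u)
  if check_pam_conf "$dir/pam.conf" "$me"; then rc=0; else rc=$?; fi
  rm -rf "$dir"
  return $rc
}
demo_check || echo "problems found: $?"   # reports the bad flag and the 755 module: 2
```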
How to Prevent Rhost-Style Access From Remote Systems With PAM
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- Remove all of the lines that include rhosts_auth.so.1 from the PAM configuration file.
This step prevents the reading of the ~/.rhosts files during an rlogin session. Therefore,
this step prevents unauthenticated access to the local system from remote systems. All
rlogin access requires a password, regardless of the presence or contents of any
~/.rhosts or /etc/hosts.equiv files.
- Disable the rsh service.
To prevent other unauthenticated access to the ~/.rhosts files, remember to disable the rsh
service.
# svcadm disable network/shell
How to Log PAM Error Reports
- Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map).
- Configure the /etc/syslog.conf file for the level of logging that you need.
See the syslog.conf(4) man page for more information about the logging levels.
- Refresh the configuration information for the syslog daemon.
# svcadm refresh system/system-log