History

PAM was created by Sun and first appeared as a public interface in Solaris 2.6. Previous versions of a very similar framework were in Solaris 2.4 and Solaris 2.5.1. Until Solaris 9 there was only one module, pam_unix.so, that implemented the default UNIX username/password policy. In Solaris 9 we broke up that module into a number of smaller parts: pam_unix_auth.so, pam_unix_cred.so, pam_authtok_get.so, pam_authtok_check.so, pam_authtok_store.so, pam_dhkeys.so and pam_passwd_auth.so.

Sample Modules

In the files section there are a few sample modules and programs that I (Darren Moffat) have had lying around in my home directory at Sun since I first started playing with PAM before Solaris 2.6 was released.

I originally called this su_cookie.so, and it was one of my earliest PAM modules. I'm not proud of the way it is coded and it is an ugly hack since it uses the xauth(1) program to do its work. However I've always found it very useful, no more xhost + for me :-) I know that some Linux-based distros ship with something like this but I'm pretty confident I was the first to implement it and someone else independently came up with the idea.

This is a simple demo application that calls the PAM APIs that an application would call. I use it as a very simple test application, not really useful for anything else.

This is a PAM implementation of the check that /bin/login has hardcoded for root on the system console.

Basically this is a local file that contains usernames and/or netgroups that should either be allowed or denied access to a given service. The idea for this module came from observing the performance hit that the nsswitch passwd_compat +/- syntax can have on some systems. What most people used that for was invalidating the user's shell and/or password so they couldn't log in, but still allow the admin to get uid->name translations of the files the users owned on the server. This module has appeared in SunSolve articles in the past. I wrote this version of it in 1999.