'Per-user PAM configuration -- current status and future plans'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       opensolaris-security-discuss
Subject:    Per-user PAM configuration -- current status and future plans
From:       Nicolas Williams <Nicolas.Williams () sun ! com>
Date:       2008-09-28 5:51:12
Message-ID: 20080928055112.GC1157 () Sun ! COM
[Download RAW message or body]

Briefly: per-user PAM configuration introduces:

 - pam_eval(3PAM) -- a function to re-enter the PAM framework to
   evaluate a PAM configuration in a named file.

 - pam_user_policy(5) -- a module to determine the PAM configuration to
   be used for the PAM_USER and then pam_eval() it.  This is done by
   looking in the user's user_attr(4) entry, or in the user's profiles
   (including the profiles granted in policy.conf(4)) for an attribute
   named 'pam_policy' whose value names the configuration to use.

 - Various PAM configurations in /usr/lib/security/pam_*, similar to the
   existing pam_krb5_{first, only, optional} files.

PSARC/2005/275 is now both, an open case and no longer blocked by a
requirement that we modify SMC.

http://www.opensolaris.org/os/community/arc/caselog/2005/275/
http://www.opensolaris.org/os/community/arc/caselog/2005/275/commitment-materials/

I've revived an old workspace with pam_user_policy bits and updated
those bits.

It's almost ready for a code review.  I need to do some thorough testing
first, looking for corner cases of pam_eval() vs. include interactions,
for example (pam_eval() calls run_stack() to re-enter processing, and
handling of pam_eval()/include nesting shares common code).

In the process of reviving these bits I've realized that we'll probably
want to follow up this project with the following enhancements:

 - Change the "All" RBAC profile to set pam_policy=pam_unix_only.
 - Change root's user_attr(4) entry to set pam_policy=pam_unix_only.
 - Change the user_attr(4) entry(ies) created (e.g., by the OpenSolaris
   installer) for local users to set pam_policy=pam_unix_only.

 - Change kclient(1M) so when given the -s option all it does is modify
   the pam_policy attribute of the "All" RBAC profile to use the given
   PAM configuration.  If ldapclient(1M) mucks with /etc/pam.conf then
   we'll want to modify it in a similar way.

 - Since pam_tsol_account(5) returns PAM_IGNORE when the system is not
   labelled we might as well just put it into all the stock per-user PAM
   configuration choices.

 - /etc/pam.conf should be *very* simple on *new* installs, and we
   should simplify upgrade handling of pam.conf.

   Specifically /etc/pam.conf should mostly just invoke
   pam_user_policy.so.1 and on upgrade we should save the old pam.conf
   in /usr/lib/security/pam_customX and set the pam_policy attribute of
   the "All" RBAC profile to that.

   And we should encourage users to create new configurations as
   /usr/lib/security/pam_custom_*, and wherever possible to use the
   pam.conf include directive to include pre-existing configurations.

   So /etc/pam.conf should look something like:

login	auth required		pam_user_policy.so.1
login	auth required		pam_dial_auth.so.1
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth required		pam_user_policy.so.1
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1
ppp	auth required		pam_user_policy.so.1
ppp	auth required		pam_dial_auth.so.1
passwd	auth required		pam_user_policy.so.1
cron	account required	pam_unix_account.so.1
other	auth required		pam_user_policy.so.1
other	account required	pam_user_policy.so.1
other	session required	pam_user_policy.so.1
other	password required	pam_user_policy.so.1

   That is, most of /etc/pam.conf should move out into

      /usr/lib/security/pam_unix_only
      /usr/lib/security/pam_unix_or_ldap
      /usr/lib/security/pam_ldap_only
      /usr/lib/security/pam_krb5_first
      /usr/lib/security/pam_krb5_only
      /usr/lib/security/pam_krb5_optional

   and what remains should be those things that aren't common
   (specifically: references to pam_dial_auth.so.1 in the login and ppp
   services, and the cron, rlogin, rsh and k* services).

Nico
-- 
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic