[prev in list] [next in list] [prev in thread] [next in thread]
List: opensolaris-security-discuss
Subject: Per-user PAM configuration -- current status and future plans
From: Nicolas Williams <Nicolas.Williams () sun ! com>
Date: 2008-09-28 5:51:12
Message-ID: 20080928055112.GC1157 () Sun ! COM
[Download RAW message or body]
Briefly: per-user PAM configuration introduces:
- pam_eval(3PAM) -- a function to re-enter the PAM framework to
evaluate a PAM configuration in a named file.
- pam_user_policy(5) -- a module to determine the PAM configuration to
be used for the PAM_USER and then pam_eval() it. This is done by
looking in the user's user_attr(4) entry, or in the user's profiles
(including the profiles granted in policy.conf(4)) for an attribute
named 'pam_policy' whose value names the configuration to use.
- Various PAM configurations in /usr/lib/security/pam_*, similar to the
existing pam_krb5_{first, only, optional} files.
PSARC/2005/275 is now both, an open case and no longer blocked by a
requirement that we modify SMC.
http://www.opensolaris.org/os/community/arc/caselog/2005/275/
http://www.opensolaris.org/os/community/arc/caselog/2005/275/commitment-materials/
I've revived an old workspace with pam_user_policy bits and updated
those bits.
It's almost ready for a code review. I need to do some thorough testing
first, looking for corner cases of pam_eval() vs. include interactions,
for example (pam_eval() calls run_stack() to re-enter processing, and
handling of pam_eval()/include nesting shares common code).
In the process of reviving these bits I've realized that we'll probably
want to follow up this project with the following enhancements:
- Change the "All" RBAC profile to set pam_policy=pam_unix_only.
- Change root's user_attr(4) entry to set pam_policy=pam_unix_only.
- Change the user_attr(4) entry(ies) created (e.g., by the OpenSolaris
installer) for local users to set pam_policy=pam_unix_only.
- Change kclient(1M) so when given the -s option all it does is modify
the pam_policy attribute of the "All" RBAC profile to use the given
PAM configuration. If ldapclient(1M) mucks with /etc/pam.conf then
we'll want to modify it in a similar way.
- Since pam_tsol_account(5) returns PAM_IGNORE when the system is not
labelled we might as well just put it into all the stock per-user PAM
configuration choices.
- /etc/pam.conf should be *very* simple on *new* installs, and we
should simplify upgrade handling of pam.conf.
Specifically /etc/pam.conf should mostly just invoke
pam_user_policy.so.1 and on upgrade we should save the old pam.conf
in /usr/lib/security/pam_customX and set the pam_policy attribute of
the "All" RBAC profile to that.
And we should encourage users to create new configurations as
/usr/lib/security/pam_custom_*, and wherever possible to use the
pam.conf include directive to include pre-existing configurations.
So /etc/pam.conf should look something like:
login auth required pam_user_policy.so.1
login auth required pam_dial_auth.so.1
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth required pam_user_policy.so.1
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
ppp auth required pam_user_policy.so.1
ppp auth required pam_dial_auth.so.1
passwd auth required pam_user_policy.so.1
cron account required pam_unix_account.so.1
other auth required pam_user_policy.so.1
other account required pam_user_policy.so.1
other session required pam_user_policy.so.1
other password required pam_user_policy.so.1
That is, most of /etc/pam.conf should move out into
/usr/lib/security/pam_unix_only
/usr/lib/security/pam_unix_or_ldap
/usr/lib/security/pam_ldap_only
/usr/lib/security/pam_krb5_first
/usr/lib/security/pam_krb5_only
/usr/lib/security/pam_krb5_optional
and what remains should be those things that aren't common
(specifically: references to pam_dial_auth.so.1 in the login and ppp
services, and the cron, rlogin, rsh and k* services).
Nico
--
_______________________________________________
security-discuss mailing list
security-discuss@opensolaris.org
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic