PAM (/etc/pam.conf).....Is It Needed?

Post by RESgrignol » Sun, 19 Jun 2005 00:49:34



I do not have much experience with PAM, but in conversations with
others relating to our Solaris servers (versions 2.6 thru 9), I'm under
the impression that we are not using it.

In a recent audit of some of our files, we were cited with having some
servers "less secure" than others simply by virtue of the entries
within /etc/pam.conf.  They do seem to differ, especially when
comparing the 2.6 servers with more current versions (7 thru 9).

My questions become: "IF we are not using PAM, I would presume that we
do not have a need to access the /etc/pam.conf file.  That being said,
do we even need it (i.e. can it be removed without serious
ramifications)?  How would one go about determining IF it is "actually"
being used?

Thanks.

 
 
 

Post by tunl » Sun, 19 Jun 2005 01:47:09



> I do not have much experience with PAM, but in conversations with
> others relating to our Solaris servers (versions 2.6 thru 9), I'm under
> the impression that we are not using it.

> In a recent audit of some of our files, we were cited with having some
> servers "less secure" than others simply by virtue of the entries
> within /etc/pam.conf.  They do seem to differ, especially when
> comparing the 2.6 servers with more current versions (7 thru 9).

> My questions become: "IF we are not using PAM, I would presume that we
> do not have a need to access the /etc/pam.conf file.  That being said,
> do we even need it (i.e. can it be removed without serious
> ramifications)?  How would one go about determining IF it is "actually"
> being used?

> Thanks.

You are using PAM every single time you log on to the system!

Script started on Fri 17 Jun 2005 06:29:16 PM CEST
# uname -a
SunOS noname 5.9 Generic_117171-07 sun4u sparc SUNW,Sun-Blade-1500
# pgrep inetd
437
# truss -rall -wall -vall -fao /tmp/trace -p 437 &

   ( running a standard telnet login from a remote system; then exit )

1114
# kill 1114
# grep "pam\.conf" /tmp/trace
1119:   stat64("/etc/pam.conf", 0xFFBFFBC0)           = 0
1119:   open("/etc/pam.conf", O_RDONLY)                       = 3
1115:   stat64("/etc/pam.conf", 0xFFBFEF28)           = 0
1115:   open("/etc/pam.conf", O_RDONLY)                       = 10

//Lars
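
The trace in the post above shows which PIDs opened /etc/pam.conf, but not which programs they were. As an added example (not part of the original post), this shell function reads a `truss -f -o` trace and attributes each successful open to the program that PID last exec'd; the sample trace, its PIDs and its program paths are constructed.

```shell
#!/bin/sh
# Added example: which programs read /etc/pam.conf, from a "truss -f -o" trace.

# pam_conf_readers TRACEFILE
# Prints "PID PROGRAM OPENS" for every PID that successfully opened
# /etc/pam.conf, using the last execve() seen for that PID as PROGRAM.
pam_conf_readers() {
    awk '
    # truss -f prefixes every line with "PID:"; drop the colon.
    { pid = $1; sub(/:$/, "", pid) }

    # Remember the program each PID exec-ed: execve("path", ...).
    /execve\("/ && !/Err#/ { split($0, q, "\""); prog[pid] = q[2]; next }

    # Count opens that returned a descriptor; failed calls end in
    # "Err#N NAME" instead of "= fd" and prove nothing was read.
    /open(64)?\("\/etc\/pam\.conf"/ && !/Err#/ { opens[pid]++ }

    END {
        for (p in opens) {
            name = (p in prog) ? prog[p] : "(exec not in trace)"
            printf "%s %s %d\n", p, name, opens[p]
        }
    }' "$1" | sort -n
}

# Constructed sample trace (PIDs, paths and addresses are made up).
sample_trace() {
    cat <<'EOF'
2001:   execve("/usr/sbin/in.telnetd", 0xFFBFFE6C, 0xFFBFFE74)  argc = 1
2001:   stat64("/etc/pam.conf", 0xFFBFEF28)           = 0
2001:   open("/etc/pam.conf", O_RDONLY)               = 10
2002:   execve("/usr/bin/login", 0xFFBFFD34, 0xFFBFFD4C)  argc = 5
2002:   stat64("/etc/pam.conf", 0xFFBFFBC0)           = 0
2002:   open("/etc/pam.conf", O_RDONLY)               = 3
2003:   open("/etc/pam.conf", O_RDONLY)               Err#13 EACCES
2004:   open("/etc/pam.conf", O_RDONLY)               = 4
EOF
}

tmp=${TMPDIR:-/tmp}/pam_trace.$$
sample_trace > "$tmp"
pam_conf_readers "$tmp"
rm -f "$tmp"
```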

 
 
 

Post by hubca » Sun, 19 Jun 2005 01:36:12



>I do not have much experience with PAM, but in conversations with
>others relating to our Solaris servers (versions 2.6 thru 9), I'm under
>the impression that we are not using it.

You're probably using it under the covers from almost any
application you use that authenticates. Ssh is the only common
application that, depending on how you've got it configured, *might* not
be using PAM that I can think of offhand, we'll see what others say...

>In a recent audit of some of our files, we were cited with having some
>servers "less secure" than others simply by virtue of the entries
>within /etc/pam.conf.  They do seem to differ, especially when
>comparing the 2.6 servers with more current versions (7 thru 9).

Sun changed the pam config files on all these version releases,
so they are supposed to be different.

>My questions become: "IF we are not using PAM, I would presume that we
>do not have a need to access the /etc/pam.conf file.  That being said,
>do we even need it (i.e. can it be removed without serious
>ramifications)?  How would one go about determining IF it is "actually"
>being used?

cp /dev/null /etc/pam.conf, and you'll know pretty soon <g>...
DON'T REALLY DO THAT, or you'll be booting off CDs to recover
and booking flights to SC to find me and beat me up.

ls -lu /etc/pam.conf    is a safer way to convince yourself
that something is looking at /etc/pam.conf on a pretty regular
basis...

man ftpd and man telnetd, for example, outline those daemons' uses of PAM.

-Mike

 
 
 

Post by Alan Coopersmit » Sun, 19 Jun 2005 06:04:39



|I do not have much experience with PAM, but in conversations with
|others relating to our Solaris servers (versions 2.6 thru 9), I'm under
|the impression that we are not using it.

You may not be customizing it or using advanced features, but it's
almost impossible to have a system you can login to without using it.

--
________________________________________________________________________

 http://www.csua.berkeley.edu/~alanc/   *   http://blogs.sun.com/alanc/
  Working for, but definitely not speaking for, Sun Microsystems, Inc.

 
 
 

Post by Casper H.S. Di » Sun, 19 Jun 2005 20:26:44




>|I do not have much experience with PAM, but in conversations with
>|others relating to our Solaris servers (versions 2.6 thru 9), I'm under
>|the impression that we are not using it.
>You may not be customizing it or using advanced features, but it's
>almost impossible to have a system you can login to without using it.

For the value of almost impossible where:

        - you replaced /bin/login, sshd, dtlogin, and all daemons granting
          access with your own versions which avoid using PAM.

Casper

--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

 
 
 

1. PAM and /etc/pam.conf

The big question is: how can I set up PAM to log telnet/SSH connections?
I have done the following:
/etc/pam.conf
..
telnet session required /usr/lib/security/pam_unix.so.1
..
/etc/syslog.conf
..
auth.* /var/log/pamlog
..

restart syslogd by kill -HUP (syslogd process)
After some failed telnet logins /var/log/pamlog didn't show up. I
tried touch pamlog and restart the syslogd, but pamlog stayed at 0 bytes.

I have noticed
login   auth  required  /usr/lib/security/$ISA/pam_unix.so.1
What is this $ISA? Do I need it?

Thanks for the help.
