Solaris 2.6 PAM assistance - restricting direct login access

Post by Peter K. Bella » Wed, 27 Jun 2001 06:16:19



I need to prevent direct access to several admin accounts in a Solaris 2.6
environment -- i.e. requiring users to su from their own valid accounts to
the restricted accounts.

I've come across several postings regarding using PAM to do this - specifically:
notingroup.c & pam_suonly.c.  However I've been unable to get either of these
working successfully on my own.

I'm not a programmer, so I can't tell if the code is correct as is.  Assuming
that it is, I've compiled & installed the resulting modules, but can't get
either one to work successfully.

Here are my questions:

What's the correct syntax for the /etc/pam.conf entries?
Should the third field be "requisite" or "required"?
How should the group be specified? (Assuming a group name of "suonly".)
 telnet  auth required   /usr/lib/security/pam_unix.so.1
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 suonly
 #telnet auth required   /usr/lib/security/pam_suonly.so.1 suonly
Is there a way to debug modules like this in order to get verbose output?
Any other advice on using PAM with Solaris 2.6?
Has anyone else had success with either of the modules listed above?
Any other advice or recommendations re: preventing users from logging in
directly with an admin account?

Regards,
Peter


Solaris 2.6 PAM assistance - restricting direct login access

Post by Drazen Kac » Wed, 27 Jun 2001 07:14:31



>  I'm not a programmer, so I can't tell if the code is correct as is.  Assuming
>  that it is, I've compiled & installed the resulting modules, but can't get
>  either one to work successfully.

Can you describe what happens when you try to use them?

>  Here are my questions:

>  What's the correct syntax for the /etc/pam.conf entries?

That's in the pam.conf(4) man page. Any specific questions (aside from the
one below)?

>  Should the third field be "requisite" or "required"?

Depends on what you want to do. If it's requisite and it returns failure,
the system won't call any of the modules below it (for a given service)
and the login would fail. If it's required, then the system would call all
the modules for a given service, but the login would still fail. For your
immediate purposes, either of them should be OK.

But you could try to put your modules in front of the pam_unix. It
shouldn't make a difference, but all kinds of bugs are possible, so maybe.

>  How should the group be specified? (Assuming a group name of "suonly".)

That should be written somewhere in the module documentation. It has
nothing to do with the PAM framework. If there is no module documentation,
then somebody would have to look at the code to see what it expects.

>  Is there a way to debug modules like this in order to get verbose output?

They usually log things with syslog service, so you should be able to find
something there. The convention is to specify "debug" as a parameter to
module if you want debugging messages as well. This doesn't have to work
with your modules, but it's worth a try.

--
 .-.   .-.    Are you crying?  No, I'm bleeding.
(_  \ /  _)

     |
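An added illustration of how such a stack could be laid out, following the advice above (module in front of pam_unix, "requisite" so the stack stops at the first failure). This is not Peter's pam.conf and not taken from either module's documentation; the service names are the ones a Solaris 2.6 pam.conf typically carries, and the group name and debug flag are assumptions. Check the machine's own file: any service not named explicitly falls through to the "other" entry, so an "other" line without the module leaves a direct login path open, while an "other" line with the module and no explicit "su" line would block su as well, which is the one path that must stay open.

```text
# Direct logins: refuse members of group "suonly" before the password check.
# "requisite" stops the stack at the first failure; "required" would run the
# remaining modules but still fail the login.
login   auth requisite  /usr/lib/security/notingroup.so.1 group=suonly debug
login   auth required   /usr/lib/security/pam_unix.so.1
telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly debug
telnet  auth required   /usr/lib/security/pam_unix.so.1
# rlogin: the module must sit before the "sufficient" rhosts entry, or a
# trusted host entry would bypass it.
rlogin  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly debug
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/pam_unix.so.1
dtlogin auth requisite  /usr/lib/security/notingroup.so.1 group=suonly debug
dtlogin auth required   /usr/lib/security/pam_unix.so.1
# Catch-all for every service not listed above (ftp, a third-party sshd, ...).
other   auth requisite  /usr/lib/security/notingroup.so.1 group=suonly debug
other   auth required   /usr/lib/security/pam_unix.so.1
# su deliberately has no notingroup line: reaching the admin accounts
# through su is the behaviour we want to keep.
su      auth required   /usr/lib/security/pam_unix.so.1
```

With "debug" on every line the module's syslog output (if it honours the convention) shows, per service, which user was checked against which group, which is the quickest way to tell a misparsed argument from a genuine membership decision.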


Solaris 2.6 PAM assistance - restricting direct login access

Post by Peter K. Bella » Thu, 28 Jun 2001 02:53:41


Regarding usage of 'notingroup.c' & 'pam_suonly.c' PAM modules on
Solaris 2.6 to prevent normal logins (restricting to su access
only)...


> Can you describe what happens when you try to use them?

Here's the error when I use pam_suonly.c:

 login: joeuser
 Password:
 ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

And the lines from /etc/pam.conf:
  telnet  auth required   /usr/lib/security/pam_unix.so.1
  telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 suonly

When I use notingroup.c, I get *no* errors, and I authenticate
normally.  Which is what I'm trying to prevent...

Pertinent lines from /etc/pam.conf
 telnet  auth required   /usr/lib/security/pam_unix.so.1
 telnet  auth requisite  /usr/lib/security/notingroup.so.1 suonly

> >  How should the group be specified? (Assuming a group name of "suonly".)

> That should be written somewhere in the module documentation. It has
> nothing to do with the PAM framework. If there is no module documentation,
> then somebody would have to look at the code to see what it expects.

The module doc for notingroup.c shows this format:
  telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=<name>

The module doc for pam_suonly.c shows this format:
  telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 <name>

But when I try notingroup.c as follows:
  telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
I can't login at all, I get repeated login/passwd prompts, for all
user/passwd combinations (even those *not* in the 'suonly' group.)

pkb
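The two symptoms above (everyone gets in with a bare "suonly", nobody gets in with "group=suonly") are exactly what an argument parser that recognises only one spelling produces: the unrecognised form leaves the group unset, and the module then either ignores the check or fails closed for every user. The following is an added example, not the code of notingroup.c or pam_suonly.c, showing the decision logic an "su-only" module has to make and how to fail closed without being silent about it. It takes both argument spellings seen in the thread, and to run stand-alone it checks membership against a constructed /etc/group snippet embedded in the source and uses its own DEMO_* result codes (assumptions; a real module calls getgrnam(3C) and returns PAM_SUCCESS / PAM_AUTH_ERR / PAM_SERVICE_ERR from <security/pam_modules.h>, logging through syslog(3C) rather than stderr).

```c
#include <stdio.h>
#include <string.h>

/* Demo stand-ins for PAM_SUCCESS / PAM_AUTH_ERR / PAM_SERVICE_ERR. */
enum { DEMO_SUCCESS = 0, DEMO_AUTH_ERR = 1, DEMO_SERVICE_ERR = 2 };

/* Constructed /etc/group contents for the demo (not a real system's file). */
static const char *demo_group_db =
    "root::0:\n"
    "staff::10:joeuser\n"
    "suonly::200:admin1,admin2\n";

/*
 * Accept both spellings seen in the thread, "group=NAME" and a bare "NAME";
 * "debug" switches on diagnostic output. Returns NULL if no group was given.
 */
static const char *parse_args(int argc, const char **argv, int *debug)
{
    const char *group = NULL;
    int i;

    *debug = 0;
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "debug") == 0)
            *debug = 1;
        else if (strncmp(argv[i], "group=", 6) == 0)
            group = argv[i] + 6;
        else if (group == NULL)
            group = argv[i];
    }
    return group;
}

/*
 * Is "user" in the member field of "group" in demo_group_db?
 * Returns 1 if yes, 0 if no, -1 if the group does not exist.
 * (A real module walks gr_mem from getgrnam(3C) and should also compare
 * the user's primary gid from getpwnam(3C).)
 */
static int user_in_group(const char *user, const char *group)
{
    const char *line = demo_group_db;
    size_t glen = strlen(group), ulen = strlen(user);

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);

        if ((size_t)(end - line) > glen && strncmp(line, group, glen) == 0
            && line[glen] == ':') {
            /* name:passwd:gid:member,member,...  -> skip to the member list */
            const char *p = line + glen + 1;
            int colons = 0;
            while (p < end && colons < 2)
                if (*p++ == ':')
                    colons++;
            while (p < end) {
                const char *m = p;
                while (p < end && *p != ',')
                    p++;
                if ((size_t)(p - m) == ulen && strncmp(m, user, ulen) == 0)
                    return 1;
                p++;                       /* step over the comma */
            }
            return 0;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return -1;
}

/*
 * The decision itself: members of the configured group may not authenticate
 * directly and must su from another account. A missing group argument or an
 * unresolvable group fails closed (nobody gets in) but says why, so the cause
 * can be read from the log instead of guessed from repeated login prompts.
 */
static int notingroup_auth(const char *user, int argc, const char **argv)
{
    int debug, member;
    const char *group = parse_args(argc, argv, &debug);

    if (group == NULL) {
        fprintf(stderr, "notingroup: no group argument in pam.conf\n");
        return DEMO_SERVICE_ERR;
    }
    member = user_in_group(user, group);
    if (member < 0) {
        fprintf(stderr, "notingroup: group '%s' not found, denying\n", group);
        return DEMO_SERVICE_ERR;
    }
    if (debug)
        fprintf(stderr, "notingroup: user=%s group=%s member=%d\n",
                user, group, member);
    return member ? DEMO_AUTH_ERR : DEMO_SUCCESS;
}
```

Failing closed on a missing or unknown group is the safer default for an auth module, but it is also what produces "nobody can log in, even users outside the group", so the log line that accompanies it is not optional: it is the only thing that distinguishes a typo in pam.conf from a deliberate denial.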


Solaris 2.6 PAM assistance - restricting direct login access

Post by Drazen Kac » Thu, 28 Jun 2001 03:34:06




> > Can you describe what happens when you try to use them?

>  Here's the error when I use pam_suonly.c:

>   login: joeuser
>   Password:
>   ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

That's because Solaris 2.6 doesn't have strlcpy function. But you can
write your own, like this:

#include <string.h>

size_t strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t ret;

    ret = strlen(src);
    if(ret >= dstsize)
        ret = -1;                        /* (size_t)-1 flags truncation */

    strncpy(dst, src, dstsize - 1);      /* copies at most dstsize-1 bytes */
    *(dst + dstsize - 1) = 0;            /* always NUL-terminate */

    return ret;
}

Put the above piece of code in any of the files with .c extension for
which a file with .o extension exists (eg. if there are foo.c and foo.o
files in the directory, then put this at the end of foo.c) and recompile.

>  The module doc for notingroup.c shows this format:
>    telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=<name>

>  The module doc for pam_suonly.c shows this format:
>    telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 <name>

>  But when I try notingroup.c as follows:
>    telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
>  I can't login at all, I get repeated login/passwd prompts, for all
>  user/passwd combinations (even those *not* in the 'suonly' group.)

Hm. Is there anything related to this in the logs (usually one of the
files in /var/log directory, perhaps /var/log/authlog)?

--
 .-.   .-.    Are you crying?  No, I'm bleeding.
(_  \ /  _)

     |


Solaris 2.6 PAM assistance - restricting direct login access

Post by Casper H.S. Dik - Network Security Engine » Thu, 28 Jun 2001 05:12:48


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>Here's the error when I use pam_suonly.c:
> login: joeuser
> Password:
> ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

strlcpy() was introduced in Solaris 8; you need to compile your modules
for S2.6.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.


Solaris 2.6 PAM assistance - restricting direct login access

Post by Casper H.S. Dik - Network Security Engine » Thu, 28 Jun 2001 05:14:38


[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]


>That's because Solaris 2.6 doesn't have strlcpy function. But you can
>write your own, like this:
>size_t strlcpy(char *dst, const char *src, size_t dstsize)
>{
>    size_t ret;
>    ret = strlen(src);
>    if(ret >= dstsize)
>        ret = -1;
>    strncpy(dst, src, dstsize - 1);
>    *(dst + dstsize - 1) = 0;
>    return ret;

It's supposed to always return "ret", not -1.

(-1 is not a valid size_t; size_t is unsigned).

strncpy() is very inefficient.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
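The two corrections above applied, as an added example rather than code from either poster: the function always returns strlen(src) (so "ret >= dstsize" is the truncation test, and no unsigned -1 is ever produced), and it copies with memcpy instead of strncpy, which would otherwise zero-fill the whole remainder of dst on every call. It is named demo_strlcpy here so that it does not clash on a libc that already ships strlcpy; in a module built for Solaris 2.6 you would name it strlcpy and wrap the definition in a preprocessor guard for builds on later releases. The dstsize == 0 case is handled (nothing is written) because the original version would underflow there.

```c
#include <stddef.h>
#include <string.h>

/*
 * strlcpy(3C) semantics for a libc that lacks it: copy at most dstsize-1
 * bytes, NUL-terminate whenever dstsize > 0, and always return strlen(src)
 * so the caller can detect truncation with "ret >= dstsize". Unlike
 * strncpy(), it stops at the source NUL and does not pad dst with zeros.
 */
size_t demo_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);

    if (dstsize > 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Copy into a fixed buffer; returns 1 if the source was truncated, else 0. */
int demo_copy_truncated(const char *src, char *buf, size_t bufsize)
{
    return demo_strlcpy(buf, src, bufsize) >= bufsize;
}
```

The return value is the whole point of the interface: a PAM module copying a user name into a fixed buffer should treat "truncated" as an error and refuse, rather than authenticate a silently shortened name.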
