pam modules under Solaris 2.6

Post by Matthias Ern » Thu, 30 Apr 1998 04:00:00



Hi everybody,

I have a question about adding a pam module under Solaris 2.6.

I want to add a pam module which does one-time password
authentication (OPIE), but I am unsure how to add the module to the
stack in pam.conf.

The module should do the following: Check if the login is a
remote login from a non local network. If it is non local do
OPIE authentication but no unix passwd authentication since
we do not want the unix password to be transmitted over the
network. If it is a local login (i.e. on the local network)
then do not do OPIE authentication but just do normal unix
type password authentication. I have written (but not yet
tested) such a module based on a Linux pam_opie implementation
but the problem is how to add it to the pam.conf file.

I could do the following in /etc/pam.conf:

login   auth sufficient /usr/lib/security/pam_opie.so.1
login   auth required   /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_dial_auth.so.1

If somebody logs in from remote and gives the correct OPIE key
then he can log in without giving the unix passwd. However, if
he gives the wrong response then pam_unix will ask for the
unix password, which is not what we want. Or is this a misunderstanding
of how pam works? If somebody logs in from
the local network I can return PAM_IGNORE and do normal unix
password authentication.

The second option is the following /etc/pam.conf:

login   auth requisite  /usr/lib/security/pam_opie.so.1
login   auth required   /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_dial_auth.so.1

Now, if somebody logs in from a remote network and gives the
wrong OPIE key, then access is immediately denied, but when he
gives the correct key, then he still has to pass the unix
password authentication which is also not what we want. A
local user works the same way as in the first option.

I cannot see a way to achieve what I want except by also including
normal unix password authentication in the pam_opie module, which is
not what I want.

I would appreciate any hints on how to solve this problem.

Best Regards,

Matthias

+----------------------------------------+-----------------------------------+
| Matthias Ernst                         | Phone: +31-24-365-3122            |
| Laboratory for Physical Chemistry      | Fax:   +31-24-365-2112            |
| Toernooiveld 1                         |                                   |
| 6525 ED Nijmegen, The Netherlands      |                                   |
+----------------------------------------+-----------------------------------+
| New address effective 1 July           | Phone: +41-1-632-4374             |
| Laboratorium fuer physikalische Chemie | Fax:   +41-1-632-1021             |
| Eidgenoessische Technische Hochschule  |                                   |
+----------------------------------------+-----------------------------------+

Solaris 2.6 PAM assistance - restricting direct login access

I need to prevent direct access to several admin accounts in a Solaris 2.6
environment -- i.e. requiring users to su from their own valid accounts to
the restricted accounts.

I've come across several postings regarding using PAM to do this - specifically:
notingroup.c & pam_suonly.c.  However I've been unable to get either of these
working successfully on my own.

I'm not a programmer, so I can't tell if the code is correct as is.  Assuming
that it is, I've compiled & installed the resulting modules, but can't get
either one to work successfully.

Here are my questions:

What's the correct syntax for the /etc/pam.conf entries?
Should the third field be "requisite" or "required"?
How should the group be specified? (Assuming a group name of "suonly".)
 telnet  auth required   /usr/lib/security/pam_unix.so.1
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 suonly
 #telnet auth required   /usr/lib/security/pam_suonly.so.1 suonly
Is there a way to debug modules like this in order to get verbose output?
Any other advice on using PAM with Solaris 2.6?
Has anyone else had success with either of the modules listed above?
Any other advice or recommendations re: preventing users from logging in
directly with an admin account?

Regards,
Peter
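Both posts turn on the same thing: what the control flag in the third field of pam.conf makes the framework do with a module's result, and therefore which prompts the user sees before a decision is reached. That can be checked against a model before editing a live /etc/pam.conf. The block below is an added example and is not code from either post or from Solaris: a small Python simulator of auth stacking as documented for the four control flags (required, requisite, sufficient, optional), with stand-in module functions. It runs Matthias's two stacks plus a third arrangement, and Peter's two orderings. Assumptions made here: PAM_IGNORE is treated as "leave this module out of the decision" (check that the Solaris 2.6 libpam on the target box does this), pam_dial_auth is modelled as passing silently, and pam_deny_remote is a hypothetical module invented for the example.

```python
# Added example: simulator of Solaris pam.conf "auth" stacking.  Not from the
# original posts.  ASSUMPTIONS: PAM_IGNORE means "skip this module"; pam_dial_auth
# passes silently; pam_deny_remote is a hypothetical module that does not exist.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"


def run_auth_stack(stack, **attempt):
    """Evaluate an auth stack (list of (control_flag, module) in pam.conf
    order) for one login attempt described by keywords: local, opie_ok,
    unix_ok, in_suonly.  Each module appends the name of any prompt it issues
    to attempt['prompts'], so the caller sees what the user was asked for
    (and hence what crossed the network).  Returns (final_result, prompts)."""
    s = {"local": True, "opie_ok": False, "unix_ok": False, "in_suonly": False}
    s.update(attempt)
    s["prompts"] = []
    first_error = None                      # first failing 'required' module
    for flag, module in stack:
        result = module(s)
        if result == PAM_IGNORE:
            continue                        # module opted out of the decision
        if flag == "requisite":
            if result != PAM_SUCCESS:
                return result, s["prompts"]  # stop immediately, deny
        elif flag == "required":
            if result != PAM_SUCCESS and first_error is None:
                first_error = result        # remember, but keep going
        elif flag == "sufficient":
            if result == PAM_SUCCESS and first_error is None:
                return PAM_SUCCESS, s["prompts"]  # stop immediately, allow
        elif flag != "optional":
            raise ValueError("unknown control flag: %s" % flag)
    return (first_error or PAM_SUCCESS), s["prompts"]


def pam_opie(s):
    """Matthias's module as he describes it: PAM_IGNORE on the local
    network, otherwise prompt for the OPIE response and check it."""
    if s["local"]:
        return PAM_IGNORE
    s["prompts"].append("opie")
    return PAM_SUCCESS if s["opie_ok"] else PAM_AUTH_ERR


def pam_unix(s):
    """Unix password check: always prompts."""
    s["prompts"].append("unix_password")
    return PAM_SUCCESS if s["unix_ok"] else PAM_AUTH_ERR


def pam_dial_auth(s):
    """Simplification: no dialup tty involved, so it passes without a prompt."""
    return PAM_SUCCESS


def pam_deny_remote(s):
    """HYPOTHETICAL module (an assumption of this example): fails without
    prompting for any non-local login and is ignored for local ones."""
    return PAM_IGNORE if s["local"] else PAM_AUTH_ERR


def pam_notingroup(s):
    """Stands in for notingroup/pam_suonly from the second post: deny if the
    account is in the restricted group.  Never prompts."""
    return PAM_AUTH_ERR if s["in_suonly"] else PAM_SUCCESS


# Matthias's first and second proposals, in pam.conf order.
OPIE_SUFFICIENT = [("sufficient", pam_opie), ("required", pam_unix),
                   ("required", pam_dial_auth)]
OPIE_REQUISITE = [("requisite", pam_opie), ("required", pam_unix),
                  ("required", pam_dial_auth)]
# Third arrangement: a requisite "deny if remote" module between them, so a
# remote user who fails OPIE is refused before pam_unix can ask for anything.
OPIE_SPLIT = [("sufficient", pam_opie), ("requisite", pam_deny_remote),
              ("required", pam_unix), ("required", pam_dial_auth)]

# Peter's two candidate orderings for the telnet service.
GROUP_AFTER_UNIX = [("required", pam_unix), ("required", pam_notingroup)]
GROUP_BEFORE_UNIX = [("requisite", pam_notingroup), ("required", pam_unix)]


if __name__ == "__main__":
    cases = [("remote, right OPIE", dict(local=False, opie_ok=True, unix_ok=True)),
             ("remote, wrong OPIE", dict(local=False, opie_ok=False, unix_ok=True)),
             ("local, right passwd", dict(local=True, unix_ok=True))]
    for name, stack in (("sufficient", OPIE_SUFFICIENT),
                        ("requisite", OPIE_REQUISITE), ("split", OPIE_SPLIT)):
        for label, attempt in cases:
            result, prompts = run_auth_stack(stack, **attempt)
            print("%-10s %-20s -> %s, prompted for %s" % (name, label, result, prompts))
```

Running it reproduces what Matthias observed: in the `sufficient` stack a wrong OPIE response falls through to pam_unix, so the unix password is still requested (and sent over the network); in the `requisite` stack a correct OPIE response still leads to a unix password prompt. The split arrangement gives remote-only OPIE and local-only unix passwords, but only if the OPIE module really returns PAM_IGNORE for local logins and the framework honours that, which is the assumption to verify on a Solaris 2.6 box. For Peter's case, `required` and `requisite` on a last module both deny; the difference shows up in ordering. A group check placed before pam_unix as `requisite` refuses a restricted account before any password prompt, which tells a remote caller that the account exists and is restricted; placed after pam_unix as `required`, the user is prompted and refused exactly as for a wrong password.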
