I need to prevent direct access to several admin accounts in a Solaris 2.6
environment -- i.e. requiring users to su from their own valid accounts to
the restricted accounts.
I've come across several postings regarding using PAM to do this - specifically:
notingroup.c & pam_suonly.c. However, I've been unable to get either of these
working successfully on my own.
I'm not a programmer, so I can't tell if the code is correct as is. Assuming
that it is, I've compiled & installed the resulting modules, but can't get
either one to work successfully.
Here are my questions:
What's the correct syntax for the /etc/pam.conf entries?
Should the third field be "requisite" or "required"?
How should the group be specified? (Assuming a group name of "suonly".)
telnet auth required /usr/lib/security/pam_unix.so.1
#telnet auth requisite /usr/lib/security/notingroup.so.1 group=suonly
#telnet auth requisite /usr/lib/security/notingroup.so.1 suonly
#telnet auth required /usr/lib/security/pam_suonly.so.1 suonly
Is there a way to debug modules like this in order to get verbose output?
Any other advice on using PAM with Solaris 2.6?
Has anyone else had success with either of the modules listed above?
Any other advice or recommendations re: preventing users from logging in
directly with an admin account?
Regards,
Peter
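For reference, here is an added example (not the poster's code, and not the notingroup.c or pam_suonly.c modules mentioned above) of what such a module has to do: a Solaris-style PAM "auth" module that fails authentication when the requested user belongs to a named group, so those accounts can only be reached by su from another account. The module name, the "group=" option syntax, the build line and the sample group data are all assumptions.

```c
/* Added example (not the poster's code, nor notingroup.c / pam_suonly.c): PAM
 * auth module that denies direct login to members of one group. Stack it with
 * pam_unix, which still does the password check. Assumed Solaris build:
 *   cc -DBUILD_PAM -Kpic -G -o pam_denygroup.so.1 pam_denygroup.c -lpam
 * Assumed pam.conf: telnet auth required /usr/lib/security/pam_denygroup.so.1 group=suonly */
#include <sys/types.h>
#include <string.h>
#include <pwd.h>
#include <grp.h>

/* Group to restrict, taken from pam.conf as "group=NAME" or as a bare "NAME". */
const char *deny_group_from_args(int argc, const char **argv)
{
    int i;
    for (i = 0; i < argc; i++) {
        if (strncmp(argv[i], "group=", 6) == 0) return argv[i] + 6;
        if (strchr(argv[i], '=') == NULL) return argv[i];   /* bare group name */
    }
    return NULL;
}

/* 1 if user is in gr, by primary gid or by the member list; unknown group: 0. */
int user_in_group(const char *user, gid_t user_gid, const struct group *gr)
{
    char **m;
    if (gr == NULL) return 0;
    if (gr->gr_gid == user_gid) return 1;
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0) return 1;
    return 0;
}

/* Constructed /etc/group entry (not real data): name, passwd, gid, members. */
static char *sample_members[] = { "alice", "bob", NULL };
static struct group sample_group = { "suonly", "x", 101, sample_members };

#ifdef BUILD_PAM
#include <security/pam_appl.h>
#include <security/pam_modules.h>
int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv)
{
    char *user = NULL;  /* (void *) below: Solaris declares char **, Linux-PAM const char ** */
    const char *grp = deny_group_from_args(argc, argv);
    struct passwd *pw;
    if (grp == NULL) return PAM_SERVICE_ERR;                      /* no group configured */
    if (pam_get_user(pamh, (void *)&user, NULL) != PAM_SUCCESS || user == NULL) return PAM_AUTH_ERR;
    if ((pw = getpwnam(user)) == NULL) return PAM_USER_UNKNOWN;
    if (user_in_group(user, pw->pw_gid, getgrnam(grp))) return PAM_AUTH_ERR; /* must su in */
    return PAM_SUCCESS;                                           /* pam_unix still decides */
}
int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv)
{ return PAM_SUCCESS; }
#endif
```

The line has to be present under every login service in pam.conf (telnet, rlogin, login, ...) but not under su, since pam_get_user returns the target account there and the su path would be blocked as well.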