Solaris 2.6 PAM assistance - restricting direct login access

Post by Peter K. Bella » Wed, 27 Jun 2001 06:15:07

I need to prevent direct access to several admin accounts in a Solaris 2.6
environment -- i.e. requiring users to su from their own valid accounts to
the restricted accounts.

I've come across several postings regarding using PAM to do this - specifically:
notingroup.c & pam_suonly.c.  However I've been unable to get either of these
working successfully on my own.

I'm not a programmer, so I can't tell if the code is correct as is.  Assuming
that it is, I've compiled & installed the resulting modules, but can't get
either one to work successfully.

Here are my questions:

What's the correct syntax for the /etc/pam.conf entries?
Should the third field be "requisite" or "required"?
How should the group be specified? (Assuming a group name of "suonly".)
 telnet  auth required   /usr/lib/security/pam_unix.so.1
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
 #telnet auth requisite  /usr/lib/security/notingroup.so.1 suonly
 #telnet auth required   /usr/lib/security/pam_suonly.so.1 suonly
Is there a way to debug modules like this in order to get verbose output?
Any other advice on using PAM with Solaris 2.6?
Has anyone else had success with either of the modules listed above?
Any other advice or recommendations re: preventing users from logging in
directly with an admin account?

Regards,
Peter

Post by Jason Fortez » Wed, 27 Jun 2001 15:57:32

>Here are my questions:

>What's the correct syntax for the /etc/pam.conf entries?
>Should the third field be "requisite" or "required"?
>How should the group be specified? (Assuming a group name of "suonly".)
> telnet  auth required   /usr/lib/security/pam_unix.so.1
> #telnet auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
> #telnet auth requisite  /usr/lib/security/notingroup.so.1 suonly
> #telnet auth required   /usr/lib/security/pam_suonly.so.1 suonly
>Is there a way to debug modules like this in order to get verbose output?
>Any other advice on using PAM with Solaris 2.6?
>Has anyone else had success with either of the modules listed above?
>Any other advice or recommendations re: preventing users from logging in
>directly with an admin account?

>Regards,
>Peter

I have been using pam_suonly with great success on Solaris 2.6.  Because Solaris
2.6 does not ship with strlcpy, I borrowed strlcpy.c from the openbsd-compat
directory under OpenSSH, changed a few files around, and got pam_suonly to
compile. I've bundled all of this up, complete with a Makefile, available at
http://mysite.directlink.net/fortezzo/pam_suonly.tar.gz.  I've only tested this
with Solaris 2.6, so YMMV.

Here is what you need in your pam.conf for telnet:

telnet  auth required   /usr/lib/security/pam_unix.so.1
telnet  auth required   /usr/lib/security/pam_suonly.so.1 suonly

You will also need to put the respective entries in for the rest of your auth
modules (rsh, dtlogin, other, etc).

You can turn on debugging by specifying -DDEBUG when you compile; this is also
mentioned in the Makefile.

If you need more help, shoot me an email.

Jason Fortezzo                              
fortezzo at directlink dot net      
---
If you have any trouble sounding condescending,
find a Unix user to show you how it's done.
                    --Scott Adams
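The same stack written out for the other services Jason lists, as an added example (it is not a configuration posted by anyone in the thread). The service names are the stock Solaris 2.6 pam.conf ones plus telnet as used above; the module path and the group name "suonly" are assumptions, and the pam_rhosts_auth lines should be checked against your own file. On the third field: "required" records a failure but still runs the rest of the stack, while "requisite" returns failure to the application at once. Placed after pam_unix either works, and keeping the check after pam_unix means a caller cannot learn which accounts are su-only without first supplying a valid password. Two caveats matter more than the flag: a "sufficient" entry that succeeds before the su-only module runs ends the stack with success and the module is never consulted, so for the rhosts services the check has to come first and be requisite (or rhosts authentication dropped altogether); and the "su" service must not get the module, or su to the restricted accounts is refused as well.

```text
# /etc/pam.conf, auth stacks only (added example; assumed module path and group name)
login   auth required   /usr/lib/security/pam_unix.so.1
login   auth required   /usr/lib/security/pam_suonly.so.1 suonly
telnet  auth required   /usr/lib/security/pam_unix.so.1
telnet  auth required   /usr/lib/security/pam_suonly.so.1 suonly
dtlogin auth required   /usr/lib/security/pam_unix.so.1
dtlogin auth required   /usr/lib/security/pam_suonly.so.1 suonly
# rlogin/rsh: a successful "sufficient" pam_rhosts_auth would end the stack
# before the su-only check, so the check goes first and is requisite
rlogin  auth requisite  /usr/lib/security/pam_suonly.so.1 suonly
rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
rlogin  auth required   /usr/lib/security/pam_unix.so.1
rsh     auth requisite  /usr/lib/security/pam_suonly.so.1 suonly
rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1
# su keeps a stack WITHOUT the module; give it an explicit entry so it does
# not fall through to "other"
su      auth required   /usr/lib/security/pam_unix.so.1
other   auth required   /usr/lib/security/pam_unix.so.1
other   auth required   /usr/lib/security/pam_suonly.so.1 suonly
```

After editing, test from a second session before logging out: one direct login as a restricted account (expect refusal), one as an ordinary account followed by su to the restricted account (expect success), and one su as root, since a mistake in the "other" or "su" stacks locks you out of every privileged account at once.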

 
 
 

Post by Peter K. Bella » Thu, 28 Jun 2001 02:53:41

Regarding usage of 'notingroup.c' & 'pam_suonly.c' PAM modules on
Solaris 2.6 to prevent normal logins (restricting to su access
only)...


> Can you describe what happens when you try to use them?

Here's the error when I use pam_suonly.c:

 login: joeuser
 Password:
 ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

And the lines from /etc/pam.conf:
  telnet  auth required   /usr/lib/security/pam_unix.so.1
  telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 suonly

When I use notingroup.c, I get *no* errors, and I authenticate
normally.  Which is what I'm trying to prevent...

Pertinent lines from /etc/pam.conf
 telnet  auth required   /usr/lib/security/pam_unix.so.1
 telnet  auth requisite  /usr/lib/security/notingroup.so.1 suonly

> >  How should the group be specified? (Assuming a group name of "suonly".)

> That should be written somewhere in the module documentation. It has
> nothing to do with the PAM framework. If there is no module documentation,
> then somebody would have to look at the code to see what it expects.

The module doc for notingroup.c shows this format:
  telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=<name>

The module doc for pam_suonly.c shows this format:
  telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 <name>

But when I try notingroup.c as follows:
  telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
I can't login at all, I get repeated login/passwd prompts, for all
user/passwd combinations (even those *not* in the 'suonly' group.)

pkb
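What either module has to decide, written out as an added example in plain C. This is not the code of pam_suonly.c or notingroup.c; it only mirrors what the two documented argument spellings above imply, and it runs without libpam or a Solaris box because the group and passwd records are constructed inline. It fails closed (an argument it cannot parse, or a group that does not exist, denies everyone, which is what a fail-closed module looks like when its pam.conf argument is wrong), and it checks the user's primary gid from the passwd entry as well as the /etc/group member list, a case that a getgrnam()-only check misses because a user whose primary group is the restricted one is never listed in /etc/group.

```c
/* Added example (not pam_suonly.c or notingroup.c): the decision logic an
 * "su-only" PAM module needs, in plain C without libpam so it runs anywhere.
 * It also closes a gap of a bare getgrnam() member-list check: a user whose
 * PRIMARY group (passwd gid field) is the restricted group never appears in
 * /etc/group's member list.  Build: cc -std=c99 -o suonly suonly.c */
#include <stdio.h>
#include <string.h>

#define SUONLY_ALLOW 0
#define SUONLY_DENY  1

/* Constructed /etc/group and /etc/passwd data (not from a real host).
 * "backup" has primary gid 500 (suonly) but is not in the member list. */
static const char *group_db =
    "root::0:root\nsys::3:root,bin,adm\nsuonly::500:oracle,dbadmin\nstaff::10:\n";
static const char *passwd_db =
    "root:x:0:1:Super-User:/:/sbin/sh\n"
    "oracle:x:1001:500:Oracle owner:/export/home/oracle:/bin/sh\n"
    "dbadmin:x:1002:10:DB admin:/export/home/dbadmin:/bin/sh\n"
    "backup:x:1003:500:Backup account:/export/home/backup:/bin/sh\n"
    "joeuser:x:1004:10:Joe User:/export/home/joeuser:/bin/sh\n";

/* Accept both spellings from the thread: a bare name (pam_suonly.so.1) or
 * "group=<name>" (notingroup.so.1).  0 on success, -1 if no usable argument. */
int parse_group_arg(int argc, const char **argv, char *out, size_t outsz)
{
    for (int i = 0; i < argc; i++) {
        const char *v = argv[i];
        if (strncmp(v, "group=", 6) == 0) v += 6;
        size_t n = strlen(v);
        if (n == 0 || n >= outsz) return -1;
        memcpy(out, v, n + 1);
        return 0;
    }
    return -1;
}

/* Copy the newline-delimited record whose first colon field is `name`. */
static int find_record(const char *db, const char *name, char *buf, size_t bufsz)
{
    size_t nlen = strlen(name);
    for (const char *p = db; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > nlen && len < bufsz && p[nlen] == ':' && !memcmp(p, name, nlen)) {
            memcpy(buf, p, len); buf[len] = '\0'; return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* Field `idx` (0-based) of a colon-separated record; NULL if absent. */
static const char *field(const char *rec, int idx, size_t *len)
{
    for (int i = 0; i < idx; i++) {
        if (!(rec = strchr(rec, ':'))) return NULL;
        rec++;
    }
    const char *end = strchr(rec, ':');
    *len = end ? (size_t)(end - rec) : strlen(rec);
    return rec;
}

/* Exact-token match of `user` in a comma-separated member list. */
static int in_member_list(const char *p, size_t len, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *end = p + len; p < end; ) {
        const char *c = memchr(p, ',', (size_t)(end - p));
        size_t tlen = c ? (size_t)(c - p) : (size_t)(end - p);
        if (tlen == ulen && !memcmp(p, user, ulen)) return 1;
        if (!c) break;
        p = c + 1;
    }
    return 0;
}

/* 1 = listed member or primary gid matches, 0 = not in group, -1 = no such group */
int user_in_group(const char *user, const char *group)
{
    char grec[256], prec[256];
    size_t glen = 0, mlen = 0, plen = 0;
    if (!find_record(group_db, group, grec, sizeof grec)) return -1;
    const char *gid = field(grec, 2, &glen), *members = field(grec, 3, &mlen);
    if (!gid || !members) return -1;
    if (in_member_list(members, mlen, user)) return 1;
    if (find_record(passwd_db, user, prec, sizeof prec)) {
        const char *pgid = field(prec, 3, &plen);   /* primary gid from passwd */
        if (pgid && plen == glen && !memcmp(pgid, gid, glen)) return 1;
    }
    return 0;
}

/* Auth result for a DIRECT login by `user`.  Fails closed: a bad argument or a
 * nonexistent group denies everyone, which is the symptom a fail-closed module
 * shows when its pam.conf argument is wrong. */
int suonly_decision(int argc, const char **argv, const char *user)
{
    char group[64];
    if (parse_group_arg(argc, argv, group, sizeof group) != 0) return SUONLY_DENY;
    return user_in_group(user, group) != 0 ? SUONLY_DENY : SUONLY_ALLOW;
}

static const char *argv_bare[] = { "suonly" };       /* pam_suonly style */
static const char *argv_kv[]   = { "group=suonly" }; /* notingroup style */

int main(void)
{
    const char *users[] = { "oracle", "dbadmin", "backup", "joeuser", "root" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-8s %s\n", users[i],
               suonly_decision(1, argv_bare, users[i]) == SUONLY_DENY ? "deny" : "allow");
    return 0;
}
```

In a real module this logic sits inside pam_sm_authenticate() with the user name taken from pam_get_user() and the records from getgrnam()/getpwnam(); the su path is unaffected only if the module is not attached to the "su" service, which no amount of logic here can compensate for.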

 
 
 

Post by Drazen Kac » Thu, 28 Jun 2001 03:34:06

> > Can you describe what happens when you try to use them?

>  Here's the error when I use pam_suonly.c:

>   login: joeuser
>   Password:
>   ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

That's because Solaris 2.6 doesn't have a strlcpy function. But you can
write your own, like this:

size_t strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t ret;

    ret = strlen(src);
    if(ret >= dstsize)
        ret = -1;

    strncpy(dst, src, dstsize - 1);
    *(dst + dstsize - 1) = 0;

    return ret;
}

Put the above piece of code in any of the files with .c extension for
which a file with .o extension exists (eg. if there are foo.c and foo.o
files in the directory, then put this at the end of foo.c) and recompile.

>  The module doc for notingroup.c shows this format:
>    telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=<name>

>  The module doc for pam_suonly.c shows this format:
>    telnet  auth requisite  /usr/lib/security/pam_suonly.so.1 <name>

>  But when I try notingroup.c as follows:
>    telnet  auth requisite  /usr/lib/security/notingroup.so.1 group=suonly
>  I can't login at all, I get repeated login/passwd prompts, for all
>  user/passwd combinations (even those *not* in the 'suonly' group.)

Hm. Is there anything related to this in the logs (usually one of the
files in /var/log directory, perhaps /var/log/authlog)?

--
 .-.   .-.    Are you crying?  No, I'm bleeding.
(_  \ /  _)

     |

Post by Casper H.S. Dik - Network Security Engine » Thu, 28 Jun 2001 05:12:48

[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

>Here's the error when I use pam_suonly.c:
> login: joeuser
> Password:
> ld.so.1: login: fatal: relocation error: file /usr/lib/security/pam_suonly_d.so.1: symbol strlcpy: referenced symbol not found

strlcpy() was introduced in Solaris 8; you need to compile your modules
for S2.6.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.

Post by Casper H.S. Dik - Network Security Engine » Thu, 28 Jun 2001 05:14:38

[[ PLEASE DON'T SEND ME EMAIL COPIES OF POSTINGS ]]

>That's because Solaris 2.6 doesn't have strlcpy function. But you can
>write your own, like this:
>size_t strlcpy(char *dst, const char *src, size_t dstsize)
>{
>    size_t ret;
>    ret = strlen(src);
>    if(ret >= dstsize)
>        ret = -1;
>    strncpy(dst, src, dstsize - 1);
>    *(dst + dstsize - 1) = 0;
>    return ret;

It's supposed to always return "ret", not -1.

(-1 is not a valid size_t; size_t is unsigned).

strncpy() is very inefficient.

Casper
--
Expressed in this posting are my opinions.  They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
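A replacement that meets the contract Casper describes, as an added example rather than Jason's bundle or Drazen's snippet: it always returns strlen(src), it never produces a -1 (size_t is unsigned, so -1 would be SIZE_MAX), it touches nothing when dstsize is 0 instead of underflowing dstsize - 1, and it copies with memcpy rather than strncpy, which would NUL-pad the entire destination. The function is named compat_strlcpy here so it does not collide with a libc that already ships strlcpy; dropped into the module source on Solaris 2.6 it would simply be called strlcpy. The harness buffer and inputs are constructed for the example.

```c
/* Added example: a correct strlcpy() replacement for a libc that lacks it
 * (Solaris 2.6 here).  Not the thread's code.  Contract: always return
 * strlen(src); copy at most dstsize-1 bytes and NUL-terminate when dstsize > 0.
 * A caller detects truncation with: ret >= dstsize. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

size_t compat_strlcpy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize > 0) {                      /* dstsize == 0: touch nothing */
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);                /* only the bytes needed; strncpy
                                               would NUL-pad the whole buffer */
        dst[n] = '\0';
    }
    return srclen;                          /* size_t is unsigned: never -1 */
}

/* Harness: copy into an 8-byte buffer prefilled with 'X' (terminated at the
 * end) so a missing terminator or an overrun would be visible.  Returns the
 * value compat_strlcpy reported; demo_result() exposes the buffer. */
static char demo_buf[8];

size_t demo_copy(const char *src, size_t dstsize)
{
    if (dstsize > sizeof demo_buf) dstsize = sizeof demo_buf;
    memset(demo_buf, 'X', sizeof demo_buf);
    demo_buf[sizeof demo_buf - 1] = '\0';
    return compat_strlcpy(demo_buf, src, dstsize);
}

const char *demo_result(void) { return demo_buf; }

/* The truncation check exactly as a caller inside the module should write it. */
int copy_truncated(const char *src, size_t dstsize)
{
    return demo_copy(src, dstsize) >= dstsize;
}

int main(void)
{
    size_t r = demo_copy("hello, world", 6);
    printf("returned %lu, buffer \"%s\", truncated=%d\n",
           (unsigned long)r, demo_result(), r >= 6);
    return 0;
}
```

Jason's approach of borrowing strlcpy.c from OpenSSH's openbsd-compat directory gives the same contract; the version above is only here so the contract, and the two bugs Casper points out, can be checked in one place.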

 
 
 
