Sun Microsystems, Inc.
3. Using Authentication Services (Tasks)

How to Initiate PAM Error Reporting
Example--Initiating PAM Error Reporting

In the following example, all alert messages are displayed on the console. Critical messages are mailed to root. Informational and debug messages are added to the /var/log/pamlog file.

auth.alert	/dev/console
auth.crit	'root'
auth.info;auth.debug	/var/log/pamlog

Each line in the log contains a time stamp, the name of the system that generated the message, and the message itself. The pamlog file is capable of logging a large amount of information.
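The following Python script is an added example, not part of the Sun documentation: it parses pamlog lines in the layout just described (time stamp, originating system, message), counts them by syslog priority, and flags hosts that accumulate repeated failure messages. The "[ID nnn facility.priority]" tag is assumed to follow the Solaris syslogd message-ID form, and the sample lines are constructed for the example rather than copied from a real system.

```python
"""Summarise /var/log/pamlog lines: time stamp, originating host, message.

Added example, not Sun's code. The line layout "Mon DD HH:MM:SS host message"
and the Solaris syslogd "[ID nnn facility.priority]" message tag are assumed;
the sample lines below are constructed, not taken from a real system.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
TAG_RE = re.compile(r"\[ID \d+ (\w+)\.(\w+)\]")
FAIL_RE = re.compile(r"\bfail(?:ed|ure)s?\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into its fields; return None for a line that does
    not have the time stamp / host / message layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    timestamp, host, message = m.groups()
    tag = TAG_RE.search(message)
    facility, priority = tag.groups() if tag else (None, None)
    return {"time": timestamp, "host": host, "facility": facility,
            "priority": priority, "message": message}


def summarize(lines, failure_threshold=3):
    """Count messages per syslog priority and failure messages per host;
    flag hosts whose failure count reaches failure_threshold."""
    by_priority, failures, unparsed = Counter(), Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep a count of lines the layout did not match
            continue
        by_priority[rec["priority"] or "untagged"] += 1
        if FAIL_RE.search(rec["message"]):
            failures[rec["host"]] += 1
    flagged = sorted(h for h, n in failures.items() if n >= failure_threshold)
    return {"by_priority": dict(by_priority), "failures": dict(failures),
            "flagged": flagged, "unparsed": unparsed}


# Constructed sample of what lines reaching pamlog might look like (not real data).
SAMPLE_PAMLOG = """\
Mar  4 09:12:01 hostA login[214]: [ID 100000 auth.info] login by alice on pts/1
Mar  4 09:12:33 hostA login[217]: [ID 100000 auth.notice] login failed for bob on pts/2
Mar  4 09:12:41 hostA login[217]: [ID 100000 auth.notice] login failed for bob on pts/2
Mar  4 09:12:52 hostA login[217]: [ID 100000 auth.notice] login failed for bob on pts/2
Mar  4 09:13:05 hostB su[551]: [ID 100000 auth.notice] su attempt failed for carol
Mar  4 09:13:20 hostC ftpd[602]: [ID 100000 auth.debug] pam_unix_auth: password check for dave
garbage line without the expected layout
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_PAMLOG))
```

A syslog selector such as auth.info matches that level and every higher level, so notice and warning messages land in pamlog alongside the informational ones; the summary groups them by the priority recorded in the tag rather than by the selector that routed them.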

PAM (Reference)

PAM uses run-time pluggable modules to provide authentication for system entry services. These modules are broken into four different types, based on their function:

  • authentication

  • account management

  • session management

  • password management

A stacking feature is provided to let you authenticate users through multiple services. A password-mapping feature is also provided so that users do not have to remember multiple passwords.

PAM Modules

Each PAM module implements a specific mechanism. When you set up PAM authentication, you need to specify both the module and the module type, which defines what the module does. More than one module type (auth, account, session, or password) can be associated with each module.

The following table describes each PAM module, and includes the module name and the module file name. The path of each module is determined by the instruction set that is available in the Solaris release that is installed. The default path to the modules is /usr/lib/security/$ISA. The value for $ISA could be sparc or i386. See the isalist(5) man page for more information.

Table 3-1 PAM Modules

Each entry gives the module name, the module file name in parentheses, and a description.

authtok_check (pam_authtok_check.so.1)

Provides support for password management. This module performs various checks on passwords, such as the length of the password, circular shifts of the login name, password complexity, and the amount of variation between new passwords and old passwords. See pam_authtok_check(5) for more information.

authtok_get (pam_authtok_get.so.1)

Provides password prompting for authentication and password management. See pam_authtok_get(5) for more information.

authtok_store (pam_authtok_store.so.1)

Provides support for authentication only. This module updates the authentication token for the user. After the successful update, the module stores the token in the specified repository or default repository. See pam_authtok_store(5) for more information.

dhkeys (pam_dhkeys.so.1)

Provides support for Diffie-Hellman key management in authentication. This module supports Secure RPC authentication and Secure RPC authentication token management. See pam_dhkeys(5) for more information.

dial_auth (pam_dial_auth.so.1)

Can only be used for authentication. This module uses data that is stored in the /etc/dialups and /etc/d_passwd files for authentication. This module is mainly used by the login command. See pam_dial_auth(5) for more information.

krb5 (pam_krb5_auth.so.1)

Provides support for authentication, account management, session management, and password management. Kerberos credentials are used for authentication. See pam_krb5(5) for more information.

ldap (pam_ldap.so.1)

Provides support for authentication and password management. Data from an LDAP server are used for authentication. See pam_ldap(5) for more information.

projects (pam_projects.so.1)

Provides support for account management. See pam_projects(5) for more information.

rhosts_auth (pam_rhosts_auth.so.1)

Can only be used for authentication. This module uses data that is stored in the ~/.rhosts and /etc/host.equiv files through the ruserok() routine. This module is mainly used by the rlogin and rsh commands. See pam_rhosts_auth(5) for more information.

roles (pam_roles.so.1)

Provides support for account management only. The RBAC user_attr database determines the roles a user can assume. See pam_roles(5) for more information.

sample (pam_sample.so.1)

Provides support for authentication, account management, session management, and password management. Used for testing. See pam_sample(5) for more information.

smartcard (pam_smartcard.so.1)

Provides support for authentication only. See pam_smartcard(5) for more information.

unix (pam_unix.so.1)

Provides support for authentication, account management, session management, and password management. Any of the four module type definitions can be used with this module. This module uses UNIX passwords for authentication.

In the Solaris environment, the selection of appropriate name services to get password records is controlled through the /etc/nsswitch.conf file. See pam_unix(5) for more information.

unix_account (pam_unix_account.so.1)

Provides support for account management. This module retrieves password aging information from the repository specified in the nsswitch.conf file and verifies that the password and the user's account have not expired. See pam_unix_account(5) for more information.

unix_auth (pam_unix_auth.so.1)

Provides support for authentication. This module verifies that the password contained in the PAM handle is the correct password for the user's password in the specified repository or default repository. See pam_unix_auth(5) for more information.

unix_session (pam_unix_session.so.1)

Provides support for session management. This module initiates session management by updating the /var/adm/lastlog file. See pam_unix_session(5) for more information.

For security reasons, these module files must be owned by root and must not be writable through group or other permissions. If the file is not owned by root, PAM will not load the module.

PAM Module Types

It is important to understand the PAM module types because they define the interface to the module. Here are the four types of run-time PAM modules:

  • The authentication modules provide authentication for the users and allow for credentials to be set, refreshed, or destroyed. They provide a valuable administration tool for user identification.

  • The account modules check for password aging, account expiration, and access hour restrictions. After the user is identified through the authentication modules, the account modules determine if the user should be given access.

  • The session modules manage the opening and the closing of an authentication session. They can log activity or provide for clean-up after the session is over.

  • The password modules allow for changes to the actual password.

PAM Configuration File

The PAM configuration file, /etc/pam.conf, determines the authentication services to be used, and in what order they are used. This file can be edited to select authentication mechanisms for each system entry application.

PAM Configuration File Syntax

The PAM configuration file consists of entries with the following syntax:

service_name module_type control_flag module_path module_options

service_name

Is the name of the service (for example, ftp, login, telnet).

module_type

Is the module type for the service. For more information see "PAM Module Types".

control_flag

Determines the continuation or failure behavior for the module.

module_path

Specifies the path to the library object that implements the service.

module_options

Specifies the options that are passed to the service modules.

You can add comments to the pam.conf file by starting the line with a # (pound sign). Use spaces or tabs to delimit the fields.


Note - An entry in the PAM configuration file is ignored if any of the following conditions exists: the line has fewer than four fields, an invalid value is given for module_type or control_flag, or the named module does not exist.


Valid Service Names

The following table lists some valid service names, the module types that can be used with that service, and the daemon or command that is associated with the service name.

Not all module types are appropriate for each service. For example, the password module type is appropriate for only the passwd command. Also, since the passwd command is not concerned with authentication, there is no auth module type associated with it.

Table 3-2 Valid Service Names for the /etc/pam.conf File

Service Name   Daemon or Command        Applicable Module Types
cron           /usr/sbin/cron           auth, account
dtlogin        /usr/dt/bin/dtlogin      auth, account, session
dtsession      /usr/dt/bin/dtsession    auth
ftp            /usr/sbin/in.ftpd        auth, account, session
init           /usr/sbin/init           session
login          /usr/bin/login           auth, account, session
passwd         /usr/bin/passwd          password
ppp            /usr/bin/ppp             auth, account, session
rexd           /usr/sbin/rpc.rexd       account, session
rlogin         /usr/sbin/in.rlogind     auth, account, session
rsh            /usr/sbin/in.rshd        auth, account, session
sac            /usr/lib/saf/sac         session
ssh            /usr/bin/ssh             auth, account, session
su             /usr/bin/su              auth, account
telnet         /usr/sbin/in.telnetd     auth, account, session
ttymon         /usr/lib/saf/ttymon      session
uucp           /usr/sbin/in.uucpd       auth, account, session
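The following Python script is an added example and is not part of the Sun documentation or of Solaris. It applies the five-field entry syntax and the rejection rules from the Note in "PAM Configuration File Syntax" (fewer than four fields, invalid module_type or control_flag, a module that does not exist), the rule that module files must be owned by root and not be group- or other-writable, and the per-service list of applicable module types from Table 3-2, so that an entry such as an auth line for passwd is reported. The control-flag set (required, requisite, optional, sufficient) is assumed from the pam.conf(4) man page, which this page does not reproduce; "module exists" is approximated offline by the module file names in Table 3-1, and the sample pam.conf text and stat results are constructed.

```python
"""Check /etc/pam.conf entries against the rules described on this page.

Added example, not Sun's code. Entry syntax:
    service_name module_type control_flag module_path module_options
"""
import os
import stat

MODULE_TYPES = {"auth", "account", "session", "password"}
# Control flags as listed in pam.conf(4); this page itself does not list them.
CONTROL_FLAGS = {"required", "requisite", "optional", "sufficient"}
# Module file names from Table 3-1 (stands in for "module exists" when offline).
KNOWN_MODULES = {
    "pam_authtok_check.so.1", "pam_authtok_get.so.1", "pam_authtok_store.so.1",
    "pam_dhkeys.so.1", "pam_dial_auth.so.1", "pam_krb5_auth.so.1",
    "pam_ldap.so.1", "pam_projects.so.1", "pam_rhosts_auth.so.1",
    "pam_roles.so.1", "pam_sample.so.1", "pam_smartcard.so.1",
    "pam_unix.so.1", "pam_unix_account.so.1", "pam_unix_auth.so.1",
    "pam_unix_session.so.1",
}
# Applicable module types per service name, from Table 3-2.
SERVICE_TYPES = {svc: set(types.split(",")) for svc, types in (
    ("cron", "auth,account"), ("dtlogin", "auth,account,session"),
    ("dtsession", "auth"), ("ftp", "auth,account,session"),
    ("init", "session"), ("login", "auth,account,session"),
    ("passwd", "password"), ("ppp", "auth,account,session"),
    ("rexd", "account,session"), ("rlogin", "auth,account,session"),
    ("rsh", "auth,account,session"), ("sac", "session"),
    ("ssh", "auth,account,session"), ("su", "auth,account"),
    ("telnet", "auth,account,session"), ("ttymon", "session"),
    ("uucp", "auth,account,session"),
)}


def load_module_info(directory="/usr/lib/security"):
    """On a live system: map each known module file found in directory
    (pass the $ISA subdirectory if needed) to (owner uid, mode)."""
    info = {}
    for name in KNOWN_MODULES:
        try:
            info[name] = (lambda st: (st.st_uid, st.st_mode))(
                os.stat(os.path.join(directory, name)))
        except OSError:
            continue  # missing module: entries naming it will be rejected
    return info


def validate_pam_conf(text, module_info=None):
    """Return (entries, rejected, warnings); module_info maps module file
    name -> (uid, mode), or None to skip the existence/ownership checks."""
    entries, rejected, warnings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # comment lines start with #
            continue
        fields = line.split()  # spaces or tabs delimit the fields
        if len(fields) < 4:
            rejected.append((lineno, "fewer than four fields"))
            continue
        service, mtype, flag, path = fields[:4]
        name = os.path.basename(path)
        reason = None
        if mtype not in MODULE_TYPES:
            reason = "invalid module_type %r" % mtype
        elif flag not in CONTROL_FLAGS:
            reason = "invalid control_flag %r" % flag
        elif name not in KNOWN_MODULES:
            reason = "unknown module %r" % name
        elif module_info is not None and name not in module_info:
            reason = "module file %r does not exist" % name
        elif module_info is not None and (module_info[name][0] != 0 or
                module_info[name][1] & (stat.S_IWGRP | stat.S_IWOTH)):
            reason = "module %r not owned by root or writable by group/other" % name
        if reason:
            rejected.append((lineno, reason))  # PAM ignores this entry
            continue
        if service in SERVICE_TYPES and mtype not in SERVICE_TYPES[service]:
            warnings.append((lineno, "%s module type not applicable to %s" % (mtype, service)))
        entries.append({"service_name": service, "module_type": mtype,
                        "control_flag": flag, "module_path": path,
                        "module_options": fields[4:]})
    return entries, rejected, warnings


# Constructed sample pam.conf (not a real Solaris configuration).
SAMPLE_PAM_CONF = """\
# constructed sample; comment lines start with #
login\tauth\trequired\tpam_unix_auth.so.1
login\taccount\trequired\tpam_unix_account.so.1
login\tsession\trequired\tpam_unix_session.so.1
passwd\tpassword\trequired\tpam_authtok_check.so.1
passwd\tauth\trequired\tpam_unix_auth.so.1
ftp\tauth\trequire\tpam_unix_auth.so.1
rsh\tauth\tsufficient\t/usr/lib/security/$ISA/pam_rhosts_auth.so.1
su\tauth\trequired
telnet\tauth\trequired\tpam_not_a_module.so.1
"""
# Constructed stat results: root-owned 0755 files, one of them group-writable.
SAMPLE_MODULE_INFO = {name: (0, 0o100755) for name in KNOWN_MODULES}
SAMPLE_MODULE_INFO["pam_rhosts_auth.so.1"] = (0, 0o100775)
```

Run validate_pam_conf(SAMPLE_PAM_CONF, SAMPLE_MODULE_INFO) to see the misspelt control flag, the three-field line and the unknown module rejected as the Note says, the group-writable module rejected under the ownership rule, and the passwd auth line accepted with a warning; on a live system, replace the constructed dict with load_module_info() on the module directory.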
