Briefly: per-user PAM configuration introduces: - pam_eval(3PAM) -- a function to re-enter the PAM framework to evaluate a PAM configuration in a named file.
- pam_user_policy(5) -- a module to determine the PAM configuration to be used for the PAM_USER and then pam_eval() it. This is done by looking in the user's user_attr(4) entry, or in the user's profiles (including the profiles granted in policy.conf(4)) for an attribute named 'pam_policy' whose value names the configuration to use. - Various PAM configurations in /usr/lib/security/pam_*, similar to the existing pam_krb5_{first, only, optional} files. PSARC/2005/275 is now both, an open case and no longer blocked by a requirement that we modify SMC. http://www.opensolaris.org/os/community/arc/caselog/2005/275/ http://www.opensolaris.org/os/community/arc/caselog/2005/275/commitment-materials/ I've revived an old workspace with pam_user_policy bits and updated those bits. It's almost ready for a code review. I need to do some thorough testing first, looking for corner cases of pam_eval() vs. include interactions, for example (pam_eval() calls run_stack() to re-enter processing, and handling of pam_eval()/include nesting shares common code). In the process of reviving these bits I've realized that we'll probably want to follow up this project with the following enhancements: - Change the "All" RBAC profile to set pam_policy=pam_unix_only. - Change root's user_attr(4) entry to set pam_policy=pam_unix_only. - Change the user_attr(4) entry(ies) created (e.g., by the OpenSolaris installer) for local users to set pam_policy=pam_unix_only. - Change kclient(1M) so when given the -s option all it does is modify the pam_policy attribute of the "All" RBAC profile to use the given PAM configuration. If ldapclient(1M) mucks with /etc/pam.conf then we'll want to modify it in a similar way. - Since pam_tsol_account(5) returns PAM_IGNORE when the system is not labelled we might as well just put it into all the stock per-user PAM configuration choices. - /etc/pam.conf should be *very* simple on *new* installs, and we should simplify upgrade handling of pam.conf. Specifically /etc/pam.conf should mostly just invoke pam_user_policy.so.1 and on upgrade we should save the old pam.conf in /usr/lib/security/pam_customX and set the pam_policy attribute of the "All" RBAC profile to that. And we should encourage users to create new configurations as /usr/lib/security/pam_custom_*, and wherever possible to use the pam.conf include directive to include pre-existing configurations. So /etc/pam.conf should look something like: login auth required pam_user_policy.so.1 login auth required pam_dial_auth.so.1 rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth required pam_user_policy.so.1 krlogin auth required pam_unix_cred.so.1 krlogin auth required pam_krb5.so.1 rsh auth sufficient pam_rhosts_auth.so.1 rsh auth required pam_unix_cred.so.1 krsh auth required pam_unix_cred.so.1 krsh auth required pam_krb5.so.1 ktelnet auth required pam_unix_cred.so.1 ktelnet auth required pam_krb5.so.1 ppp auth required pam_user_policy.so.1 ppp auth required pam_dial_auth.so.1 passwd auth required pam_user_policy.so.1 cron account required pam_unix_account.so.1 other auth required pam_user_policy.so.1 other account required pam_user_policy.so.1 other session required pam_user_policy.so.1 other password required pam_user_policy.so.1 That is, most of /etc/pam.conf should move out into /usr/lib/security/pam_unix_only /usr/lib/security/pam_unix_or_ldap /usr/lib/security/pam_ldap_only /usr/lib/security/pam_krb5_first /usr/lib/security/pam_krb5_only /usr/lib/security/pam_krb5_optional and what remains should be those things that aren't common (specifically: references to pam_dial_auth.so.1 in the login and ppp services, and the cron, rlogin, rsh and k* services). Nico --