Our local Solaris ambassador has suggested I post this here. Let me start with one bit of info. We use a two-factor authentication product named SafeWord (from Secure Computing). Our Unix authentications happen via a PAM module provided with SafeWord.

I'm very interested in (excited about!) the privilege model in Solaris 10, SO much better than the "UID 0 can do all, everyone else can do little" model. We've already used this to convert some application services from running as root to running as a non-root user with basic plus a few other privileges. I love it!

My next use was going to be to set up each of our sys admins with their own separate privileged userid with a UID other than 0. That will make our sys admin work much more auditable. So, I defined some new userids and granted them all privileges (mine is named "jcolten"). But when I logged in to jcolten I had only BASIC privileges. HUH????? I also learned that if I use su to become that userid ... su - jcolten ... I get all the privileges! DOUBLE HUH???? And if I log in via SSH using publickey authentication (which is early in the list of authentications and bypasses two factor) I get all the privileges. DITTO HUH?????

After a bunch of digging I learned that when I log in via SSH using PAM authentication, privileges get set up by pam_unix_cred.so.1, called by PAM during the authentication process. Similarly, "authorizations" are handled by pam_unix_auth.so.1, also called by PAM. The pam.conf setup we use to call SafeWord bypasses pam_unix_cred.so.1 and pam_unix_auth.so.1 ... and there does not appear to be a workable PAM stack that avoids that without causing a lot of user confusion. Using the DTrace Toolkit's opensnoop I see that the su command also seems to use those two PAM modules when changing effective UID to the new user. Ditto for SSH logins using public key auth. Those three "facts" seem to explain what I'm seeing when I do and don't get privs.

PAM's rather limited "stack model" for describing how a service gets authenticated does not provide us with a way to accomplish a user-friendly two-factor login process and still get the services of pam_unix_cred.so.1 and pam_unix_auth.so.1.

I'd like to make the case that PAM is not the place to set up privileges and authorizations, primarily because:

1. It is generally recognized that "identity" and "authorization" (which includes both Solaris privileges and Solaris authorizations) are separate things that should never be joined at the hip by the method in which they are implemented.
2. Solaris 10's approach makes it possible for an "ordinary SSH login" to a user to yield results very different from what "su - userid" yields.
3. Similarly for "ordinary SSH login" vs publickey SSH login.

Comments?

This message posted from opensolaris.org
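An added illustration of the mechanism the post describes, not part of the original message and not the poster's configuration: a Solaris 10 pam.conf auth stack for the keyboard-interactive SSH service (`sshd-kbdint`) in which a third-party two-factor module does the authenticating but `pam_unix_cred.so.1` stays in the stack so that `pam_setcred(3PAM)` still reaches it and can establish the user's privilege set. `pam_twofactor.so.1` is a placeholder for whatever module name the vendor ships; the vendor module's control flag and options are assumptions and depend on the product.

```text
# Added example: keep pam_unix_cred.so.1 in the SSH keyboard-interactive stack
# so privileges are still set up even though the password check is done by a
# two-factor module. "pam_twofactor.so.1" is a placeholder module name.
#
# pam_unix_cred.so.1 acts on pam_setcred(); its authenticate entry point is a
# no-op (returns PAM_IGNORE), so it does not add a second prompt.
sshd-kbdint   auth  required   pam_unix_cred.so.1
sshd-kbdint   auth  required   pam_twofactor.so.1

# Leave the other SSH service names (sshd-pubkey, sshd-password, ...) on the
# default "other" stack, which already contains pam_unix_cred.so.1, so that the
# privilege set does not differ by login path.
```

After changing the stack, compare the outcome of each path from the same account: run `ppriv -v $$` (and `auths`) in a session opened by keyboard-interactive SSH, by publickey SSH, and by `su - userid`. If the three reports differ, the path whose report is short is the one whose PAM stack never reached `pam_unix_cred.so.1`, which is exactly the discrepancy the post describes.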