> Let me start with one bit of info. We use a two factor authentication
> product named SafeWord (from Secure Computing). Our unix authentications
> happen via a PAM module provided with SafeWord.
`
Do you use that for all services, or just the one you use as a
direct login? You'll see more later why I ask.
> I'm very interested (excited!) about the privilege model in Solaris 10,
> SO much better than the "UID 0 can do all, everyone else can do little"
> model. We've already used this to convert some application services from
> running as root to running as a non-root user with basic plus a few other
> privileges. I love it! My next use was gonna be to setup each of our sys
> admins with their own separate privileged userid with a UID of other than
> 0. That will make our sys admin work much more auditable.
Why? Why not use roles and Rights Profiles to do their work?
See rbac(5) and docs.sun.com on Role Based Access Control,
Rights Profiles, ...
With Solaris Auditing enabled, you always know who the real user
is. Furthermore when a user enters a role, the profile shells
will audit the commands run.
> So, I defined some new userids and granted them all privileges (mine is
> named "jcolten"). But when I logged in to jcolten I had only BASIC
> privileges. HUH?????
Reading ahead and from my first comment, either your configuration
or SafeWord's PAM service module is wrong, or the service module
doesn't follow proper service module coding. RTM pam_unix_cred(5).
The pam_unix_cred module implements pam_sm_setcred(3PAM). It
provides functions that establish user credential informa-
tion. It is a module separate from the pam_unix_auth(5)
module to allow replacement of the authentication func-
tionality independently from the credential functionality.
The pam_unix_cred module must always be stacked along with
whatever authentication module is used to ensure correct
credential setting.
Privileges are part of the user's credentials. If your use of
SafeWord bypasses properly setting up the user's Solaris credential
structure, you get what you asked for.
> I also learned that if I use su to become that userid ... su - jcolten
> .... I get all the privileges! DOUBLE HUH????
See above, unless the su PAM stack has also been misconfigured,
it will have called pam_unix_cred(5), thus correctly setting up
the credential structure.
> And if I login via SSH using publickey authentication (which is early in the
> list of authentications and bypasses two factor) I get all the privileges..
> DITTO HUH?????
>
> After a bunch of digging I learned that when I login via SSH using PAM
> authentication, privileges get setup by pam_unix_cred.so.1, called by PAM
> during the authentication process. Similarly, "authorizations" are handled
> by pam_unix_auth.so.1, also called by PAM. The pam.conf setup we use to
> call SafeWord bypasses pam_unix_cred.so.1 and pam_unix_auth.so.1 ....
> and there does not appear to be a workable PAM stack that avoids that
> without causing a lot of user confusion.
HUH???? Either there is a misunderstanding of PAM being displayed
here, or your SafeWord vendor needs to correct their code or
documentation.
Again RTM pam.conf(4), pam_unix_cred(5). docs.sun.com has
a good discussion of configuring PAM stacks. I suggest you
read that as well.
> Using DTrace Toolkit's opensnoop I see that the su command also seems to use
> those two Pam modules when changing effective UID to the new user. Ditto
> for SSH logins using public key auth.
>
> Those three "facts" seem to explain what I'm seeing when I do and don't
> get privs. PAM's rather limited "stack model" for describing how a service
> gets authenticated does not provide us with a way to accomplish a user
> friendly two factor login process and still get the services of
> pam_unix_auth.so.1 and pam_unix_auth.so.1.
Again, I believe there's a lack of trying to understand. Please read
the Solaris documentation, or contact Sun professional services for
to improve your understanding.
I'd like to understand what you mean by
``PAM's rather limited "stack model" for describing how a
service gets authenticated does not provide us with a way
to accomplish a user friendly two factor login process and
still get the services of pam_unix_auth.so.1 and
pam_unix_cres.so.1. [sic]''
What model do you have in mind that is more expansive?
> I'd like to make the case that PAM is not the place to setup privileges and
> authorizations, primarily because:
>
> 1. It is generally recognized that "identity" and "authorization"
> (which includes both Solaris privileges and Solaris authorizations) are
> separate things that should never be joined at the hip by the method in
> which they are implemented.
> 2. Solaris 10's approach makes an opportunity to make the result of an
> "ordinary SSH login" to a user yield results very different from what
> "su - userid" yields.
> 3. Similar with "ordinary SSH login" vs publickey SSH login
>
> Comments?
PAM, from the time Sun invented it, has always had multiple
functions that deal with Identification, Authentication,
Credential and Session initialization, and authientication
token update. It allows the administrator to configure
local site policies for all these things. Indeed it even
permits others to create custom policy modules (as SafeWord ;-)
Broadly it allow an administrator to set login policy for
all login and other authentication (viz su) paths without code
changes to any of them.
Additionally, in Solaris privileges and authorizations are
separate concepts. RTM about RBAC and Process Rights Attributes
in docs.sun.com.
Authorizations are associated with identities (user and role).
Privileges are asociated with processes.
Gary..
