Hi all,

I'm having some difficulty massaging the PAM stack that gets installed by SRSS 
to do my bidding on Solaris 10.  I've got a custom PAM module (Douglas Engert's 
pam_afs2.so) which I use to get AFS tokens after a user has logged in.  The 
setup I have, which works for me for ssh, is this:

%%%% SSH SECTION %%%%
# Used if PasswordAuthentication yes is set:
sshd-password   auth requisite          pam_authtok_get.so.1
sshd-password   auth required           pam_dhkeys.so.1
sshd-password   auth required           pam_unix_cred.so.1
##sshd-password auth sufficient         /local/lib/pam_radius_auth.so.1 use_first_pass
sshd-password   auth sufficient         pam_krb5.so.1
# allows login with local password
#sshd-password  auth required           pam_unix_auth.so.1

sshd-password   account requisite   pam_roles.so.1
sshd-password   account required    pam_unix_account.so.1
sshd-password   account required    /local/lib/pam_krb5_ccache.so.1 ccache=/tmp/krb5cc_%u_%p

sshd-password   session required        pam_unix_session.so.1
sshd-password   session required        /local/lib/pam_afs2.so.1
%%%% END SSH SECTION %%%%

The pam_krb5_ccache module simply gives me session-based Kerberos caches for ssh 
sessions.  For vanilla dtlogin and dtsession, I've got the following (supplied 
by Doug, which he uses in production):

%%%% DTLOGIN SECTION OF pam.conf %%%%
#DEE smartcard failed, so skip it for now
#dtlogin        auth requisite          pam_smartcard.so.1
dtlogin         auth requisite          pam_authtok_get.so.1
dtlogin         auth required           pam_dhkeys.so.1
dtlogin         auth required           pam_unix_cred.so.1
dtlogin         auth optional           pam_krb5.so.1
dtlogin         auth required           /local/lib/pam_afs2.so.1
# allows password login
dtlogin         auth optional           pam_unix_auth.so.1
#
#
# dtsession - lock/unlock screen, refresh creds and AFS token
#
dtsession       auth requisite          pam_authtok_get.so.1
dtsession       auth required           pam_dhkeys.so.1
dtsession       auth optional           pam_krb5.so.1
dtsession       auth required           /local/lib/pam_afs2.so.1 nopag
# allows unlock with local password
dtsession       auth optional           pam_unix_auth.so.1
%%%% END DTLOGIN SECTION OF pam.conf %%%%

My question is this: given the following, which is what the SRSS install 
inserts, what are the appropriate additions/deletions to get me functionality 
analogous to the dtlogin/dtsession stacks referenced above?

%%%% ADDED BY SRSS INSTALL %%%%
# added to dtlogin-SunRay by SunRay Server Software -- dtlogin-SunRay
dtlogin-SunRay session required pam_unix_session.so.1
dtlogin-SunRay password required pam_dhkeys.so.1
dtlogin-SunRay password requisite pam_authtok_get.so.1
dtlogin-SunRay password requisite pam_authtok_check.so.1
dtlogin-SunRay password required pam_authtok_store.so.1
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
dtlogin-SunRay auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1 clearuser
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
#dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
# allows password login
dtlogin-SunRay account sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay account requisite pam_roles.so.1
dtlogin-SunRay account required pam_unix_account.so.1
# added to dtsession-SunRay by SunRay Server Software -- dtsession-SunRay
dtsession-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so syncondisplay
dtsession-SunRay auth requisite pam_authtok_get.so.1
dtsession-SunRay auth required pam_dhkeys.so.1
dtsession-SunRay auth required pam_unix_cred.so.1
dtsession-SunRay auth required pam_unix_auth.so.1
dtsession-SunRay account requisite pam_roles.so.1
dtsession-SunRay session required pam_unix_session.so.1
dtsession-SunRay password required pam_dhkeys.so.1
dtsession-SunRay password requisite pam_authtok_get.so.1
dtsession-SunRay password requisite pam_authtok_check.so.1
dtsession-SunRay password required pam_authtok_store.so.1
# added to utnsclogin by SunRay Server Software -- utnsclogin
utnsclogin account requisite pam_roles.so.1
utnsclogin account required pam_unix_account.so.1
utnsclogin session required pam_unix_session.so.1
utnsclogin password required pam_dhkeys.so.1
utnsclogin password requisite pam_authtok_get.so.1
utnsclogin password requisite pam_authtok_check.so.1
utnsclogin password required pam_authtok_store.so.1
utnsclogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utnsclogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utnsclogin auth requisite pam_authtok_get.so.1
utnsclogin auth required pam_dhkeys.so.1
utnsclogin auth required pam_unix_cred.so.1
utnsclogin auth required pam_unix_auth.so.1
# added to utadmingui by SunRay Server Software -- utadmingui
utadmingui auth sufficient /opt/SUNWut/lib/pam_sunray_admingui.so.1
# added to utgulogin by SunRay Server Software -- utgulogin
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 property=username
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 token=auth,JavaBadge
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
utgulogin auth requisite /opt/SUNWut/lib/sunray_get_user.so.1 prompt
utgulogin auth required /opt/SUNWut/lib/pam_sunray_amgh.so.1
%%%% END SRSS SECTION %%%%

Unfortunately, I can't find much in the documentation describing how SRSS uses 
PAM or what those additional PAM modules do.  Any help is appreciated.

This message posted from opensolaris.org
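An added example, not from the original post: a small Python checker that parses pam.conf entries like the ones quoted above, rejoins the entries the mailer wrapped onto two lines, lists the modules a SunRay service stack lacks relative to the plain service it mirrors, and shows which entries a leading `sufficient` module short-circuits. The SAMPLE text is constructed from the post's dtlogin and dtlogin-SunRay auth stacks.

```python
# Added example (not from the post): parse pam.conf, rejoin mail-wrapped lines
# and compare a service's stack with the SunRay stack that should mirror it.
# SAMPLE is constructed from the dtlogin/dtlogin-SunRay auth stacks quoted above.
from collections import defaultdict
basename = lambda module: module.rsplit("/", 1)[-1]  # strip /opt/SUNWut/lib etc.

SAMPLE = """\
dtlogin         auth requisite          pam_authtok_get.so.1
dtlogin         auth required           pam_dhkeys.so.1
dtlogin         auth required           pam_unix_cred.so.1
dtlogin         auth optional           pam_krb5.so.1
dtlogin         auth required           /local/lib/pam_afs2.so.1
dtlogin         auth optional           pam_unix_auth.so.1
dtlogin-SunRay auth sufficient /opt/SUNWut/lib/pam_sunray.so
dtlogin-SunRay auth requisite /opt/SUNWut/lib/sunray_get_user.so.1
property=username
dtlogin-SunRay auth requisite pam_authtok_get.so.1
dtlogin-SunRay auth required pam_dhkeys.so.1
#dtlogin-SunRay auth required pam_unix_cred.so.1
dtlogin-SunRay auth required pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """{(service, facility): [[flag, module, [options]]]}, in stack order."""
    stacks, last = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4 and last is not None:
            last[2].extend(fields)  # mail-wrapped tail of the previous entry
            continue
        service, facility, flag, module, *options = fields
        last = [flag, module, options]
        stacks[(service, facility)].append(last)
    return stacks

def missing_modules(stacks, reference, candidate, facility):
    """Modules in reference's facility stack that candidate's stack lacks."""
    have = {basename(m) for _, m, _ in stacks[(candidate, facility)]}
    return [basename(m) for _, m, _ in stacks[(reference, facility)]
            if basename(m) not in have]

def skipped_on_sufficient(stacks, service, facility):
    """Modules after the first 'sufficient' entry: when it succeeds (and no
    earlier entry failed) PAM returns at once, so these never run."""
    flags = [f for f, _, _ in stacks[(service, facility)]]
    cut = flags.index("sufficient") + 1 if "sufficient" in flags else len(flags)
    return [basename(m) for _, m, _ in stacks[(service, facility)][cut:]]
```

Running `missing_modules(parse_pam_conf(SAMPLE), "dtlogin", "dtlogin-SunRay", "auth")` reports pam_unix_cred, pam_krb5 and pam_afs2 as absent from the SRSS stack, and `skipped_on_sufficient` shows that anything stacked after pam_sunray.so is bypassed for a login that pam_sunray.so itself accepts.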