User's Manual

Solaris 9 Security CX-310-301
- Control Flag – The deciding factor in what constitutes a success or failure. It can be requisite,
  required, optional or sufficient. When an auth module is used, for example, the control flags
  function like this:
    Requisite – The module being executed must be successful for any further authentication
    to be allowed.
    Required – The overall result of the authentication must be successful. If a failure occurs
    in a module, all others are still tried, but an error is returned.
    Optional – If a failure occurs in a module, the overall result can still be successful if
    another module returns a successful completion.
    Sufficient – As long as this module is successful, there is no need to run any others –
    the authentication can finish and return successful.
- Module Path – The pathname to the module.
- Module Option(s) – Specific options that can be passed to the module, such as debug or
  use_first_pass (the latter option allows the password entered by the user to be automatically
  passed to subsequent authentication modules, eliminating the need for the user to enter the
  password multiple times).
Deploying PAM in a Production Environment
Before using PAM in a live environment, consider the following aspects:
- Choose the control flags carefully to ensure that the right level of security is being applied. This is
  particularly relevant when deciding to use the sufficient or optional flags.
- Decide which modules you need to use to obtain the required level of security.
- Pay special attention to the services being used and highlight any that might need additional
  authentication modules for added security.
- Don't apply unnecessary levels of security; they only add to the complexity and the
  overhead required.
- Select the order in which modules should be used. If a module's failure will stop the entire
  authentication process, put it above other, less important modules so that unnecessary
  processing is avoided.
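
The control flag rules and the ordering advice above, modelled as an added example (not part of the original manual): a simplified Python evaluator for the four flags, run over two constructed stacks. pam_site_otp.so.1 is a hypothetical module name, and the rule that sufficient only ends the stack early when no earlier required module has failed is taken from Solaris pam.conf behaviour, not from this page.

```python
# Simplified model of how a PAM stack combines control flags (added example).
# It covers only the four flags described above; stacks and outcomes are constructed.

def evaluate(stack, outcome):
    """stack: list of (control_flag, module); outcome: module -> True/False.
    Returns (authenticated, modules_called)."""
    called = []
    required_failed = False   # a required module has failed
    any_success = False       # at least one module has succeeded
    for flag, module in stack:
        called.append(module)
        if outcome[module]:
            any_success = True
            # sufficient: stop with success unless an earlier required failed
            if flag == "sufficient" and not required_failed:
                return True, called
        elif flag == "requisite":
            return False, called       # fail at once, nothing else runs
        elif flag == "required":
            required_failed = True     # keep going, but the result is failure
        # a failed optional or sufficient module does not fail the stack by itself
    return (any_success and not required_failed), called

# Constructed stacks: pam_site_otp.so.1 is a hypothetical second-factor module.
WEAK = [("sufficient", "pam_unix_auth.so.1"),
        ("required",   "pam_site_otp.so.1")]
STRICT = [("requisite", "pam_unix_auth.so.1"),
          ("required",  "pam_site_otp.so.1")]

# Constructed outcome: the password check passes, the second factor fails.
OUTCOME = {"pam_unix_auth.so.1": True, "pam_site_otp.so.1": False}

if __name__ == "__main__":
    for name, stack in (("weak", WEAK), ("strict", STRICT)):
        ok, called = evaluate(stack, OUTCOME)
        print(f"{name:6} authenticated={ok} called={called}")
```

In the weak ordering the second-factor module is never called, which is why the sufficient flag needs the care the list above asks for.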
Add a new PAM Module
Follow these steps when adding a new PAM module:
- Log in and become superuser (root)
- Ensure you have selected the type of authentication required as well as any options that might be
  needed
- Install the new module in /usr/lib/security