Password (PAM) caching for Solaris su - "a la sudo"
By Darrenmoffat-Oracle on Nov 09, 2011
I talk to a lot of users about Solaris RBAC but many of them prefer to use sudo for various reasons. One of the common usability features that users like is that they don't have to continually type their password. This is because sudo uses a "ticket" system for caching the authentication for a defined period (by default 5 minutes).
By default the tickets are stored in /system/volatile/tty_tickets (/var/run is a symlink to /system/volatile now).
When using su(1M) the user you currently are is set in PAM_USER and PAM_AUSER is the user you are becoming (i.e. the username argument to su, or root if one is not specified). The PAM module implements the caching using tickets; the internal format of the tickets is the same as what sudo uses. The location can be changed to be compatible with sudo so the same ticket can be used for su and sudo.
To enable pam_tty_tickets for su put the following into /etc/pam.conf (the module is in the pkg:/system/library package so it is always installed but not configured for use by default):
su auth required pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_unix_auth.so.1
So what does it look like now?
braveheart:pts/3$ su -
Password:
root@braveheart:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
darrenm@braveheart:~# exit
braveheart:pts/3$ su -
root@braveheart:~#
If you want to enable it in the desktop for gksu then you need to add a similar set of changes to /etc/pam.conf with the service name "embedded_su" and the same modules as are listed above. The default timeout matches the sudo default of 5 minutes; the timeout= module option allows specifying a different timeout.
[ NOTE: The man page for pam_tty_tickets was mistakenly placed in section 1 for Solaris 11, it should have been in section 5. ]
Update for Solaris 11.1: now that we have /etc/pam.d/ support, it is recommended that, instead of updating /etc/pam.conf, the following lines be placed into /etc/pam.d/su:
auth sufficient pam_tty_tickets.so.1
auth definitive pam_user_policy.so.1
auth requisite pam_authtok_get.so.1
auth required pam_unix_auth.so.1
auth required pam_unix_cred.so.1
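Ordering matters in both the /etc/pam.conf and the /etc/pam.d/su forms above: pam_tty_tickets only saves the password prompt if it is "sufficient" and listed before pam_authtok_get. The following checker is an added example, not code from the post or from Solaris; it parses either form and flags a misplaced or mis-controlled pam_tty_tickets entry and a timeout= value above a site cap (the unit of timeout= is assumed to be minutes, and the 15-minute cap is a made-up site policy).

```python
# Added example: sanity-check the su auth stack for pam_tty_tickets caching.
# Accepts pam.d form ("auth ...") and pam.conf form ("su auth ...").
DEFAULT_TIMEOUT = 5   # the post states the default matches sudo's 5 minutes


def parse_auth_stack(text):
    """Return [(control, module, {option: value})] for the su auth entries."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] != "auth":                   # pam.conf form: service column first
            if fields[0] != "su":
                continue                          # some other service, ignore
            fields = fields[1:]
        if len(fields) < 3 or fields[0] != "auth":
            continue                              # not an auth entry
        control, module, *opts = fields[1:]
        options = dict(o.split("=", 1) if "=" in o else (o, "") for o in opts)
        stack.append((control, module, options))
    return stack


def check_tty_tickets(text, max_timeout=15):
    """Return a list of findings; an empty list means the stack looks right."""
    stack = parse_auth_stack(text)
    modules = [m for _, m, _ in stack]
    idx = next((i for i, m in enumerate(modules) if "pam_tty_tickets" in m), None)
    if idx is None:
        return ["pam_tty_tickets not in su auth stack: no caching"]
    findings = []
    control, _, options = stack[idx]
    if control != "sufficient":
        findings.append(f"pam_tty_tickets is '{control}', expected 'sufficient'")
    prompt = next((i for i, m in enumerate(modules) if "pam_authtok_get" in m), None)
    if prompt is not None and prompt < idx:
        findings.append("pam_tty_tickets listed after pam_authtok_get: password still prompted")
    timeout = int(options.get("timeout", DEFAULT_TIMEOUT))   # assumed: minutes
    if timeout > max_timeout:
        findings.append(f"timeout={timeout} exceeds site cap of {max_timeout}")
    return findings


if __name__ == "__main__":
    # Constructed sample: caching module placed after the prompt, long timeout.
    sample = ("auth requisite pam_authtok_get.so.1\n"
              "auth required pam_tty_tickets.so.1 timeout=60\n"
              "auth required pam_unix_auth.so.1\n")
    for f in check_tty_tickets(sample):
        print(f)
```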