Wednesday Nov 09, 2011

Password (PAM) caching for Solaris su - "a la sudo"

I talk to a lot of users about Solaris RBAC, but many of them prefer to use sudo for various reasons.  One of the common usability features that users like is that they don't have to continually retype their password.  This is because sudo uses a "ticket" system that caches the authentication for a defined period (5 minutes by default).

To bring this usability feature to Solaris 11 I wrote a new PAM module (pam_tty_tickets) that provides a similar style of caching for Solaris roles. 

By default the tickets are stored in /system/volatile/tty_tickets (/var/run is a symlink to /system/volatile now). 

When using su(1M), PAM_USER is set to the user you currently are and PAM_AUSER is the user you are becoming (i.e. the username argument to su, or root if none is specified).  The PAM module implements the caching using tickets; the internal format of the tickets is the same as what sudo uses.  The location can be changed to be compatible with sudo so that the same ticket can be used for both su and sudo.

To enable pam_tty_tickets for su, put the following into /etc/pam.conf (the module is in the pkg:/system/library package, so it is always installed but not configured for use by default):

su      auth required           pam_unix_cred.so.1
su      auth sufficient         pam_tty_tickets.so.1
su      auth requisite          pam_authtok_get.so.1
su      auth required           pam_unix_auth.so.1

So what does it look like now:

braveheart:pts/3$ su -
Password: 
root@braveheart:~# id -a
uid=0(root) gid=0(root) groups=0(root),1(other),2(bin),3(sys),4(adm),5(uucp),6(mail),7(tty),8(lp),9(nuucp),12(daemon)
darrenm@braveheart:~# exit
braveheart:pts/3$ su -
root@braveheart:~# 

If you want to enable it in the desktop for gksu, add a similar set of changes to /etc/pam.conf using the service name "embedded_su" and the same modules as listed above.  The default timeout matches the sudo default of 5 minutes; the timeout= module option allows specifying a different timeout.
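To make the mechanism concrete, here is an added Python model of the su auth stack above (it is not the pam_tty_tickets source): a ticket bound to the calling user, the tty and the target user is accepted only while it is younger than the timeout, and because the module is "sufficient" a fresh ticket short-circuits the password prompt.  The <user>/<tty>:<auser> file layout and the permission checks are assumptions for this example, not the module's documented format.

```python
import os
import stat
import time
from pathlib import Path

DEFAULT_TIMEOUT = 5 * 60  # seconds; matches the sudo and pam_tty_tickets default


def ticket_path(ticket_dir, user, tty, auser):
    """Ticket keyed on (calling user, tty, target user).
    The <user>/<tty>:<auser> layout is an assumption made for this example."""
    return Path(ticket_dir) / user / f"{tty.replace('/', '_')}:{auser}"


def ticket_valid(path, timeout=DEFAULT_TIMEOUT, now=None):
    """True only for a regular, private file whose mtime is within
    [now - timeout, now]; a future mtime (clock moved back) is rejected."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted as a ticket
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) & 0o077:
        return False  # not a plain file, or accessible to group/others
    age = now - st.st_mtime
    return 0 <= age <= timeout


def stamp_ticket(path, when=None):
    """Create or refresh the ticket after a successful password check."""
    path = Path(path)
    path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
    path.touch(mode=0o600)
    os.chmod(path, 0o600)  # touch() honours umask; force a private mode
    if when is not None:
        os.utime(path, (when, when))


def authenticate(ticket_dir, user, tty, auser, password_ok,
                 timeout=DEFAULT_TIMEOUT, now=None):
    """Model of the stack: pam_tty_tickets (sufficient) first, then the
    password modules; a successful password stamps a new ticket."""
    path = ticket_path(ticket_dir, user, tty, auser)
    if ticket_valid(path, timeout, now):
        return "cached"       # no password prompt, as in the second su - above
    if password_ok():
        stamp_ticket(path, now)
        return "password"
    return "denied"
```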

[ NOTE: The man page for pam_tty_tickets was mistakenly placed in section 1 for Solaris 11, it should have been in section 5. ]

Update for Solaris 11.1: now that we have /etc/pam.d/ support, it is recommended that instead of updating /etc/pam.conf the following lines be placed into /etc/pam.d/su:

auth sufficient	pam_tty_tickets.so.1
auth definitive	pam_user_policy.so.1
auth requisite	pam_authtok_get.so.1
auth required	pam_unix_auth.so.1
auth required	pam_unix_cred.so.1


Friday Jul 27, 2007

pam_radius_auth Sun Studio patch

The following is a small patch to the FreeRADIUS pam_radius_auth source that allows it to compile with the Sun Studio compiler and link with the Solaris linker.  It also changes the resulting module to use the MD5 functions from libmd rather than its own local copy.

--- pam_radius-1.3.17/Makefile  Mon Mar 26 05:22:11 2007
+++ pam_radius-1.3.17-djm/Makefile      Fri Jul 27 11:16:32 2007
@@ -15,7 +15,8 @@
 #
 #  If you're not using GCC, then you'll have to change the CFLAGS.
 #
-CFLAGS = -Wall -fPIC
+#CFLAGS = -Wall -fPIC
+CFLAGS = -KPIC
 #
 # On Irix, use this with MIPSPRo C Compiler, and don't forget to export CC=cc
 # gcc on Irix does not work yet for pam_radius
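Review bot: the new CFLAGS line replaces -Wall -fPIC unconditionally with -KPIC, so the Makefile now builds only with Sun Studio, while the comment just above it ("If you're not using GCC, then you'll have to change the CFLAGS") still implies gcc is the default; consider selecting the flags from $(CC) instead of leaving the gcc line commented out, and note that dropping -Wall with no Sun Studio equivalent means the compiler will report fewer warnings than before for the same code.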
@@ -54,8 +55,9 @@
 #
 #      gcc -shared pam_radius_auth.o md5.o -lpam -lc -o pam_radius_auth.so
 #
-pam_radius_auth.so: pam_radius_auth.o md5.o
-       ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+pam_radius_auth.so: pam_radius_auth.o
+#      ld -Bshareable pam_radius_auth.o md5.o -lpam -o pam_radius_auth.so
+       ld -G pam_radius_auth.o -lmd -lpam -o pam_radius_auth.so
 
 ######################################################################
 #
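Review bot: the link rule drops md5.o and adds -lmd, but no hunk touches pam_radius_auth.c or the local md5.h, so the build relies on the local declarations matching libmd's MD5 prototypes and symbol names exactly; either include that source change in the patch or state the assumption, and drop the commented-out "ld -Bshareable" line rather than carrying it alongside the "ld -G" replacement. The context line "gcc -shared pam_radius_auth.o md5.o -lpam -lc" above the rule also still documents the old md5.o link and should be updated to match.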

Note that with this patch you will still get warnings when compiling pam_radius_auth.c, due to differences in the function prototypes of libpam functions such as pam_get_item().  pam_radius_auth.c assumes that const void * is used for some function arguments in libpam; on Solaris some of these are const char *.  These warnings can be ignored.
 

About

DarrenMoffat