Oracle Solaris 11.1 PAM Lab

Table of Contents

Exercise S.1: Per-service PAM Files
Exercise S.2: Creating $HOME with PAM
Exercise S.3: Creating Encrypted $HOME
Exercise S.4: User Authentication of Roles
Exercise S.5: Caching Role Authentication

Introduction

This set of exercises is designed to briefly demonstrate some aspects of the PAM policy in Oracle Solaris:

  • PAM Service Files
  • Creating Encrypted Home Directories
  • Per-User PAM Policies

    PAM stands for Pluggable Authentication Modules. It is an extensible framework for authentication, role assumption, credential management and session management.

    The exercises are just introductions; you are referred to Oracle Solaris Administration: PAM Configuration for further information. In addition, the pam_user_policy(5) and pam_tty_tickets(5) man pages and the procedure How to Enable a User to Use Own Password to Assume a Role will be useful.

    Passwords: User: lab, Password: l1admin
    Role: root, Password: l1admin
    Some of the exercises require the root role.

    Exercise S.1: Per-service PAM Files

    Task: Become familiar with per-service PAM policy files.

    Lab: Examine the contents of the /etc/pam.d directory.

    oow@solaris:~$ cat /etc/pam.conf
    # PAM configuration
    #
    # This file is now delivered with no entries.  The preferred mechanism
    # for PAM configuration is now using per-service files in /etc/pam.d.
    # Any modifications to this file will be preserved on system update and
    # will be referenced before the per-service files in /etc/pam.d.
    #
    # The libpam(3LIB) library searches for PAM entries in the following order:
    #
    #       /etc/pam.conf for  entries
    #       /etc/pam.d/
    #       /etc/pam.conf for "other" entries
    #       /etc/pam.d/other
    #
    # See pam.conf(4) for more details.
    ...
    
    
    oow@solaris:~$ ls /etc/pam.d
    cron            gdm             other           ppp
    cups            gdm-autologin   other.orig      tsoljds-stripe
    dtpasswd        login           passwd          xscreensaver
    

    Each of these files corresponds to a specific PAM service name. Note that the service name is implicit in each record: unlike /etc/pam.conf, the per-service files carry no service-name field, since the file name already identifies the service.


    Exercise S.2: Creating $HOME with PAM

    Task: Use the useradd command to create a new user.

    Lab: In this exercise, you will use the useradd command to create a default user foo without specifying a home directory (that is, without using useradd -md /export/home/foo).

    oow@solaris:~$ useradd foo
    

    The User Security rights profile is explicitly assigned to oow. Normally this would require assuming the root role.

    oow@solaris:~# passwd foo
    New Password: 
    Re-enter new Password:
    passwd: password successfully changed for foo
    

    Now use su to switch to foo. Since there is no explicit PAM service file for su, the other service file is used. This file was modified for this lab. Use the diff command to see what changed:

    oow@solaris:~$ cd /etc/pam.d
    oow@solaris:~$ diff other.orig other
    67a68,72
    > # Add pam_zfs_key to auto-create an encrypted home directory
    > #
    > auth required		pam_zfs_key.so.1 create encryption=off
    > 
    > #
    oow@solaris:~$ su - foo
    su - foo
    Password: 
    Creating home directory with encryption=off.
    Your login password will be used as the wrapping key.
    Oracle Corporation	SunOS 5.11	11.1	August 2012
    
    oow@solaris:~$id
    uid=102(foo) gid=10(staff)
    
    -bash-4.1$ exit
    logout
    

    Notice that the home directory is still mounted.

    oow@solaris:~$mount -p|grep ~foo
    rpool/export/home/foo - /export/home/foo zfs - no rw,devices,setuid,nonbmand,exec,rstchown,xattr,atime
    

    Delete the user and verify that the home directory is deleted.

    oow@solaris:~$userdel -r foo
    oow@solaris:~$zfs list|grep foo
    


    Exercise S.3: Creating Encrypted $HOME

    Task: Learn how some PAM policies can be qualified to apply to specific users.


    Lab: Create a user whose PAM policy specifies that the home directory is automatically encrypted.

    Custom PAM policies can be assigned using the pam_policy keyword via useradd. By convention these custom files are maintained in /etc/security/pam_policy. A customized file, unix-encrypt, was created for this lab. It is a slightly modified version of the existing unix file in the same directory. Use diff to compare them.

    oow@solaris:~$ cd /etc/security/pam_policy
    oow@solaris:~$ diff unix unix-encrypt
    67a68,72
    > # Add pam_zfs_key to auto-create an encrypted home directory
    > #
    > other	auth required		pam_zfs_key.so.1 create
    > 
    > #
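
    The lookup order quoted from the /etc/pam.conf comment in Exercise S.1, and the per-user pam_policy override from this exercise, modelled as an added example (not code from the lab or from Solaris): it resolves the effective auth stack for a service from constructed sample files, including a unix-encrypt policy modelled on the diff above, and shows that /etc/pam.d files carry no service column while policy files do. The first-source-with-entries rule and the other fallback inside a policy file are simplifying assumptions of this model.

```python
"""Model of how libpam picks the auth stack for a service, following the search
order in the lab's /etc/pam.conf comment: pam.conf entries for the service,
/etc/pam.d/<service>, pam.conf 'other' entries, /etc/pam.d/other.  A per-user
pam_policy (pam_user_policy(5)) is modelled as a pam.conf-format file under
/etc/security/pam_policy that replaces that search.  All contents below are
constructed samples based on the lab's diff output."""

FILES = {
    "/etc/pam.conf": "# delivered with no entries\n",
    "/etc/pam.d/login": "auth required pam_unix_auth.so.1\n",
    "/etc/pam.d/other": ("auth required pam_unix_auth.so.1\n"
                         "# Add pam_zfs_key to auto-create an encrypted home directory\n"
                         "auth required pam_zfs_key.so.1 create encryption=off\n"),
    "/etc/security/pam_policy/unix-encrypt": (
        "login auth required pam_unix_auth.so.1\n"
        "other auth required pam_unix_auth.so.1\n"
        "other auth required pam_zfs_key.so.1 create\n"),
}

def parse(path, has_service):
    """Return (service, type, flag, module, options) records from one file.
    Per-service files in /etc/pam.d omit the service column: the service name
    is implicit in the file name, as the lab notes."""
    recs = []
    for line in FILES.get(path, "").splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue                         # blank line or comment
        if has_service:
            service, fields = fields[0], fields[1:]
        else:
            service = path.rsplit("/", 1)[1]
        mtype, flag, module, *opts = fields
        recs.append((service, mtype, flag, module, tuple(opts)))
    return recs

def select(recs, service, mtype):
    return [r[2:] for r in recs if r[0] == service and r[1] == mtype]

def resolve(service, mtype="auth", pam_policy=None):
    """Return the effective [(flag, module, options)] stack for service."""
    if pam_policy:                           # e.g. useradd -K pam_policy=unix-encrypt
        recs = parse("/etc/security/pam_policy/" + pam_policy, True)
        return select(recs, service, mtype) or select(recs, "other", mtype)
    order = [("/etc/pam.conf", True, service), ("/etc/pam.d/" + service, False, service),
             ("/etc/pam.conf", True, "other"), ("/etc/pam.d/other", False, "other")]
    for path, has_service, name in order:
        stack = select(parse(path, has_service), name, mtype)
        if stack:
            return stack                     # first source with entries wins
    return []
```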
    

    Now recreate the foo user, specifying this PAM policy.

    oow@solaris:~$ useradd -K pam_policy=unix-encrypt foo
    

    The User Security rights profile is explicitly assigned to oow. Normally this would require assuming the root role.

    oow@solaris:~# passwd foo
    New Password: 
    Re-enter new Password:
    passwd: password successfully changed for foo
    
    oow@solaris:~$ su - foo
    su - foo
    Password: 
    Creating home directory with encryption=on.
    Your login password will be used as the wrapping key.
    Oracle Corporation	SunOS 5.11	11.1	August 2012
    
    oow@solaris:~$id
    uid=102(foo) gid=10(staff)
    
    -bash-4.1$ exit
    logout
    

    Verify that the new home directory is an encrypted filesystem.

    oow@solaris:~$mount -p|grep ~foo
    rpool/export/home/foo - /export/home/foo zfs - no rw,devices,setuid,nonbmand,exec,rstchown,xattr,atime
    oow@solaris:~$zfs get encryption,keysource rpool/export/home/foo
    NAME                   PROPERTY    VALUE              SOURCE
    rpool/export/home/foo  encryption  on                 local
    rpool/export/home/foo  keysource   passphrase,prompt  local
    


    Exercise S.4: User Authentication of Roles

    Task: This exercise demonstrates how to customize the authentication policy for a role.

    Lab: By default, role assumption is done via su using the role's password. Alternatively, the authentication policy can be changed to require the user's password.

    oow@solaris:~$rolemod -K roleauth=user root
    oow@solaris:~$userattr roleauth root
    user
    

    Verify that the root role can now be assumed using oow's own password rather than the root password.


    Exercise S.5: Caching Role Authentication

    Task: This exercise demonstrates how to use pam_policy to enable credential caching for role assumption.

    Lab: Apply a customized PAM policy file to the root role so that credentials of users who assume the root role can be cached for a few minutes.

    The authentication credential used for assuming the root role can be cached. The PAM module pam_tty_tickets performs this function. Use a customized version of the unix policy file which includes this module.

    oow@solaris:~$cd /etc/security/pam_policy
    oow@solaris:~$ diff unix unix-cache
    62a63,68
    > other	auth required		pam_unix_cred.so.1
    > #
    > # Included pam_tty_tickets so that authentication token is cached
    > # using a 4 minute timeout
    > #
    > other	auth sufficient		pam_tty_tickets.so.1 timeout=4
    66d71
    < other	auth required		pam_unix_cred.so.1
    

    Note that the cache timeout can be set explicitly, as the timeout=4 option above does. The default value is 5 minutes.
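    How the unix-cache stack above evaluates, as an added simulation (not the lab's or Solaris's code): required and sufficient control flags per pam.conf(4), a ticket keyed by user and tty that expires after the configured timeout, and a comparison stack showing that a module listed after a succeeding sufficient entry never runs, which is what the diff's move of pam_unix_cred ahead of pam_tty_tickets avoids. Module behaviour, ticket storage and the sample password are stand-ins constructed for the example.

```python
"""How the unix-cache auth stack from the lab diff evaluates (pam.conf(4) rules):
a succeeding 'sufficient' entry ends the stack, so later entries never run; a
'required' failure is remembered while later entries still execute.  Modules,
ticket storage and the password are stand-ins constructed for this example."""
TICKETS = {}                      # (user, tty) -> time the ticket was issued
PASSWORDS = {"root": "l1admin"}   # constructed: the lab's root role password

def unix_cred(ctx):
    """Stand-in for pam_unix_cred.so.1: records that credentials were set up."""
    ctx["cred_set"] = True
    return True

def tty_tickets(ctx, timeout=5):
    """Stand-in for pam_tty_tickets.so.1: succeed only on an unexpired ticket
    for this user on this tty (the lab says the default timeout is 5 minutes)."""
    issued = TICKETS.get((ctx["user"], ctx["tty"]))
    return issued is not None and ctx["now"] - issued < timeout * 60

def unix_auth(ctx):
    """Stand-in for the password check; success records a ticket for this tty."""
    ok = PASSWORDS.get(ctx["user"]) == ctx.get("password")
    if ok:
        TICKETS[(ctx["user"], ctx["tty"])] = ctx["now"]
    return ok

def run_stack(stack, ctx):
    """Evaluate (flag, module, options) entries with required/sufficient rules."""
    failed = False
    for flag, module, opts in stack:
        ok = module(ctx, **opts)
        if flag == "sufficient" and ok and not failed:
            return True               # short-circuit: later entries are skipped
        if flag == "required" and not ok:
            failed = True             # remember, but keep running the stack
    return not failed

# Order from the lab's unix-cache file: pam_unix_cred ahead of the sufficient entry.
UNIX_CACHE = [("required", unix_cred, {}),
              ("sufficient", tty_tickets, {"timeout": 4}),
              ("required", unix_auth, {})]
# Hypothetical order with pam_unix_cred after the sufficient entry, for comparison.
CRED_LAST = [("sufficient", tty_tickets, {"timeout": 4}),
             ("required", unix_auth, {}),
             ("required", unix_cred, {})]

def assume_root(tty, now, password=None, stack=UNIX_CACHE):
    """Return (authenticated, credentials_set) for one attempt to assume root."""
    ctx = {"user": "root", "tty": tty, "now": now, "password": password}
    return run_stack(stack, ctx), ctx.get("cred_set", False)
```

With the lab's ordering, credentials are set up on every attempt, cached or not; with pam_unix_cred placed after the sufficient entry, a cache hit returns success without ever running it.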

    Now assign the policy file to the root role.

    oow@solaris:~$rolemod -K pam_policy=unix-cache root
    oow@solaris:~$userattr pam_policy root
    unix-cache
    

    Verify that caching works by assuming the root role, exiting the role, and then assuming it again.


    That concludes this lab session.