Specialized PAM modules
PAM is used by several Unix-like operating systems to control user authentication and authorization. The current set of PAM modules that the CITES SMG group uses is:
pam_authsrv

This module allows two-factor authentication with the Digital Pathways SNK-004 device (long since end-of-life). To install it, pam.conf is configured like this (Solaris):

    authsrv auth required /usr/local/lib/security/pam_authsrv.so.1 unknown_user=fail
    ...
    sshd    auth required /usr/local/lib/security/pam_authsrv.so.1

The first entry is used later in the pam_per_user configuration; the second forces SNK authentication when ssh'ing into the system.

Two other files need to be configured. The first is /etc/netperm-table, which lists the authsrv hosts to contact:

    *: authserver 10.0.0.1 7777
    *: authserver 10.0.0.2 7777

The first and second fields are always `*:` and `authserver`. For a full description of what they mean, see the netperm-table(5) man page after the fwtk package has been installed. The third field is the IP address of the authsrv server and the last is the port on which to contact it; 7777 is the default port.

The second file is /etc/pam_tis.map, which maps the local account name to the account name in the authsrv service:

    susmith : smith # John Smith

Here susmith is the account on the local system and smith is the account to use when contacting the authsrv server.

pam_per_user

This module lets PAM use different authentication methods depending on which account is being used. It is mainly used for the su command, and pam.conf is configured like so:

    # PAM configuration for su
    su auth required /usr/local/lib/security/pam_per_user.so.1 /etc/pam_su.map

The /etc/pam_su.map file then has a configuration like this:

    * : other
    root : @FAIL
    susmith : authsrv
    service : pseudo

The file makes the default user use the "other" PAM configuration service, whereas root fails (in this case we want users to su to the service accounts, not to root directly). The susmith entry tells PAM to use the authsrv entry defined above, and the service account uses the pseudo entry, which is defined below.

pam_pseudo

This module allows shared accounts without shared passwords: the password used is the password of the account you are su'ing from. The pam.conf configuration looks like this:

    # PAM configuration for pseudo
    pseudo auth required /usr/local/lib/security/pam_pseudo.so.1

Again there is a further configuration file, /etc/pam_pseudo.map:

    service1 : smith
    service2 : smith jones armstrong white

With this setup smith can su to either service1 or service2, but jones, armstrong and white can only su to service2. When each of them su's to service2, it asks for their own password to allow access.

The PAM modules are currently packaged in the following formats:
This package is provided on an as-is basis and is not officially supported by CITES. Comments/questions about this package can be sent to cites-smg@uiuc.edu.
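The pam_su.map and pam_pseudo.map files above are small enough to review by hand, but a script that resolves them the way the text describes makes it easy to confirm that root really is mapped to @FAIL and that every account routed to the pseudo service has a matching pam_pseudo.map entry. The following is an added example written for this page, not code from the CITES modules; it assumes the map syntax shown in the text (one `key : value ...` entry per line, `#` starting a comment, an exact entry taking precedence over the `*` default) and uses constructed sample files.

```python
"""Resolve and audit pam_per_user / pam_pseudo map files (added example, not CITES code)."""
from __future__ import annotations

# Constructed sample files mirroring the layout shown in the text.
# Assumption: '#' begins a comment, as in the pam_tis.map example.
PAM_SU_MAP = """\
* : other
root : @FAIL
susmith : authsrv      # John Smith's SNK-authenticated account
service1 : pseudo
service2 : pseudo
"""

PAM_SU_MAP_WEAK = """\
* : other
root : other           # direct su to root would be allowed (weak)
service1 : pseudo
service3 : pseudo      # no matching pam_pseudo.map entry
"""

PAM_PSEUDO_MAP = """\
service1 : smith
service2 : smith jones armstrong white
"""


def parse_map(text: str) -> dict[str, list[str]]:
    """Parse 'key : value [value ...]' lines into a dict; comments and blanks are skipped."""
    entries: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed map line: {raw!r}")
        key, _, rest = line.partition(":")
        entries[key.strip()] = rest.split()
    return entries


def resolve_su_service(su_map: dict[str, list[str]], target: str) -> str | None:
    """PAM service pam_per_user selects for `su target`.

    Assumption: an explicit entry wins, otherwise the '*' default applies;
    with neither present there is no policy and None is returned.
    """
    if target in su_map:
        return su_map[target][0]
    if "*" in su_map:
        return su_map["*"][0]
    return None


def pseudo_allowed(pseudo_map: dict[str, list[str]], target: str, source_user: str) -> bool:
    """True if pam_pseudo lets `source_user` su to the shared account `target`
    (authenticating with source_user's own password, never a shared one)."""
    return source_user in pseudo_map.get(target, [])


def audit(su_map: dict[str, list[str]], pseudo_map: dict[str, list[str]]) -> list[str]:
    """Flag the configuration weaknesses a reviewer would look for first."""
    findings: list[str] = []
    if resolve_su_service(su_map, "root") != "@FAIL":
        findings.append("root is not mapped to @FAIL: direct su to root is permitted")
    if "*" not in su_map:
        findings.append("no '*' default entry: unlisted targets have no explicit policy")
    for target, tokens in su_map.items():
        if target != "*" and tokens and tokens[0] == "pseudo" and target not in pseudo_map:
            findings.append(f"{target} uses pseudo but has no entry in pam_pseudo.map")
    for target, users in pseudo_map.items():
        if not users:
            findings.append(f"{target} has an empty user list in pam_pseudo.map")
    return findings


if __name__ == "__main__":
    su, ps = parse_map(PAM_SU_MAP), parse_map(PAM_PSEUDO_MAP)
    for who in ("root", "susmith", "service2", "bob"):
        print(f"su {who:9s} -> service {resolve_su_service(su, who)}")
    print("jones -> service1:", pseudo_allowed(ps, "service1", "jones"))
    print("jones -> service2:", pseudo_allowed(ps, "service2", "jones"))
    print("findings (good map):", audit(su, ps))
    print("findings (weak map):", audit(parse_map(PAM_SU_MAP_WEAK), ps))
```

Running the script against the good sample yields no findings; the weak sample produces two (root not failing, and service3 routed to pseudo with no pam_pseudo.map entry). The real modules may differ in details such as comment handling, so treat the parser as a review aid rather than a reimplementation of their logic.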