Standards, Environments, and Macros                    pam_roles(5)

NAME
     pam_roles - Solaris Roles account management module

SYNOPSIS
     pam_roles.so.1
DESCRIPTION
     The pam_roles module implements pam_sm_acct_mgmt(3PAM). It
     provides functionality to verify that a user is authorized to
     assume a role. It also prevents direct logins to a role. The
     user_attr(4) database is used to determine which users can
     assume which roles.

     The PAM items PAM_USER, PAM_AUSER, and PAM_RHOST are used to
     determine the outcome of this module. PAM_USER represents the
     new identity being verified. PAM_AUSER, if set, represents the
     user asserting a new identity. If PAM_AUSER is not set, the
     real user ID of the calling service implies that the user is
     asserting a new identity. Notice that root can never have
     roles.

     This module is generally stacked above the pam_unix_account(5)
     module.

     The following options are interpreted:

     allow_remote    Allows a remote service to specify the user to
                     enter as a role.

     debug           Provides syslog(3C) debugging information at
                     the LOG_DEBUG level.
ERRORS
     The following values are returned:

     PAM_IGNORE          If the type of the new user identity
                         (PAM_USER) is "normal". Or, if the type of
                         the new user identity is "role" and the
                         user asserting the new identity (PAM_AUSER)
                         has the new identity name in its list of
                         roles.

     PAM_USER_UNKNOWN    No account is present for user.

     PAM_PERM_DENIED     If the type of the new user identity
                         (PAM_USER) is "role" and the user asserting
                         the new identity (PAM_AUSER) does not have
                         the new identity name in its list of roles.

SunOS 5.11          Last change: 6 Mar 2007
EXAMPLES
     Example 1 Using the pam_roles.so.1 Module

     The following are sample entries from pam.conf(4). These
     entries demonstrate the use of the pam_roles.so.1 module:

          cron    account required    pam_unix_account.so.1
          #
          other   account requisite   pam_roles.so.1
          other   account required    pam_unix_account.so.1
          #

     The cron service does not invoke pam_roles.so.1. Delayed jobs
     are independent of role assumption. All other services verify
     that roles cannot log in directly. The "su" service (covered by
     the "other" service entry) verifies that if the new user is a
     role, the calling user is authorized for that role.
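     The decision rules in DESCRIPTION and ERRORS, together with the
     "other" stack of Example 1, can be traced in a small model. The
     following Python is an added example, not Sun's pam_roles code:
     it evaluates the PAM_USER/PAM_AUSER/PAM_RHOST outcome table
     against a constructed in-memory user_attr(4)-style database and
     then combines that result with pam_unix_account under
     requisite/required control flags. The helper names, sample
     users and the NO_DECISION marker are this example's own; the
     remote-host check is modelled from the allow_remote option
     description.

```python
"""Model of the pam_roles(5) account-management decision.

Added example, not Sun's code: it reproduces the outcome table in
the ERRORS section against a constructed, in-memory user_attr(4)
database, then shows how the Example 1 stack combines the result
with pam_unix_account. Helper names and the sample users are this
example's own; the real module reads the live user_attr database
and the PAM handle.
"""

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed user_attr(4)-style entries: name -> (type, assignable roles).
USER_ATTR = {
    "root": ("normal", []),
    "alice": ("normal", ["secadmin"]),
    "bob": ("normal", []),
    "secadmin": ("role", []),
}


def pam_roles_acct_mgmt(pam_user, pam_auser=None, pam_rhost=None,
                        calling_ruser=None, allow_remote=False):
    """Return the pam_roles result for the given PAM items.

    pam_user       PAM_USER, the identity being verified
    pam_auser      PAM_AUSER, the user asserting the new identity (or None)
    pam_rhost      PAM_RHOST, set when the request comes from a remote host
    calling_ruser  the real user of the calling service, used when
                   PAM_AUSER is not set
    allow_remote   the module's allow_remote option
    """
    entry = USER_ATTR.get(pam_user)
    if entry is None:
        return PAM_USER_UNKNOWN
    user_type, _roles = entry
    if user_type == "normal":
        # Not a role: pam_roles makes no decision.
        return PAM_IGNORE
    # PAM_USER is a role. Per the allow_remote description, a remote
    # service may name a role only when the option is given (modelled
    # here as: PAM_RHOST set without allow_remote -> denied).
    if pam_rhost and not allow_remote:
        return PAM_PERM_DENIED
    asserting = pam_auser if pam_auser is not None else calling_ruser
    # "root can never have roles", and an unknown asserter has none.
    if asserting is None or asserting == "root":
        return PAM_PERM_DENIED
    if pam_user in USER_ATTR.get(asserting, ("normal", []))[1]:
        return PAM_IGNORE
    return PAM_PERM_DENIED


def run_account_stack(stack, module_results):
    """Simplified requisite/required evaluation for an account stack.

    stack is a list of (control_flag, module) as in pam.conf(4);
    module_results maps module -> the code it returned. Returns the
    stack's overall code, or NO_DECISION when every module returned
    PAM_IGNORE, i.e. nothing made a positive decision (the situation
    the NOTES section warns about for pam_roles stacked alone).
    """
    first_failure = None
    succeeded = False
    for control, module in stack:
        code = module_results[module]
        if code == PAM_IGNORE:
            continue
        if code == PAM_SUCCESS:
            succeeded = True
            continue
        if control == "requisite":
            return code           # requisite failure ends the stack now
        if first_failure is None:
            first_failure = code  # required failure: remember, keep going
    if first_failure is not None:
        return first_failure
    return PAM_SUCCESS if succeeded else "NO_DECISION"


# The "other" stack from Example 1.
OTHER_ACCOUNT_STACK = [
    ("requisite", "pam_roles.so.1"),
    ("required", "pam_unix_account.so.1"),
]


def su_to_role(pam_user, pam_auser):
    """su(1M) as a local service: combine pam_roles with pam_unix_account."""
    roles_code = pam_roles_acct_mgmt(pam_user, pam_auser=pam_auser)
    results = {
        "pam_roles.so.1": roles_code,
        # Assume pam_unix_account finds the account in good standing.
        "pam_unix_account.so.1": PAM_SUCCESS,
    }
    return run_account_stack(OTHER_ACCOUNT_STACK, results)


if __name__ == "__main__":
    print(su_to_role("secadmin", "alice"))  # PAM_SUCCESS: alice holds the role
    print(su_to_role("secadmin", "bob"))    # PAM_PERM_DENIED: bob does not
    print(run_account_stack([("requisite", "pam_roles.so.1")],
                            {"pam_roles.so.1": PAM_IGNORE}))  # NO_DECISION
```

     Because pam_roles only ever returns PAM_IGNORE or an error, the
     requisite flag is what makes a denial stop the stack before
     pam_unix_account runs, while the positive decision for a
     permitted role assumption still comes from pam_unix_account.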
     Example 2 Allowing Remote Roles

     Remote roles should only be allowed from remote services that
     can be trusted to provide an accurate PAM_AUSER name. This trust
     is a function of the protocol (such as sshd-hostbased).

     The following is a sample entry for a pam.conf(4) file. It
     demonstrates the use of pam_roles configuration for remote
     roles for the sshd-hostbased service.

          sshd-hostbased  account requisite   pam_roles.so.1 allow_remote
          sshd-hostbased  account required    pam_unix_account.so.1
ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ATTRIBUTE TYPE              ATTRIBUTE VALUE
     Interface Stability         Evolving
     MT Level                    MT-Safe with exceptions
SEE ALSO
     roles(1), sshd(1M), su(1M), libpam(3LIB), pam(3PAM),
     pam_acct_mgmt(3PAM), pam_setcred(3PAM), pam_set_item(3PAM),
     pam_sm_acct_mgmt(3PAM), syslog(3C), pam.conf(4), user_attr(4),
     attributes(5), pam_authtok_check(5), pam_authtok_get(5),
     pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5),
     pam_unix_account(5), pam_unix_auth(5), pam_unix_session(5)
NOTES
     The interfaces in libpam(3LIB) are MT-Safe only if each thread
     within the multi-threaded application uses its own PAM handle.

     This module should never be stacked alone. It never returns
     PAM_SUCCESS, as it never makes a positive decision.

     The allow_remote option should only be specified for services
     that are trusted to correctly identify the remote user (that
     is, sshd-hostbased).

     PAM_AUSER has replaced PAM_RUSER, whose definition is limited to
     the rlogin/rsh untrusted remote user name. See
     pam_set_item(3PAM).