#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
#
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
#
#
# Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases, are still acceptable.
#
# Each entry below has the form:
#	<service> <module type> <control flag> <module path>
# Entries for one service and module type form a stack that is evaluated
# top to bottom, so the order of the lines is significant.
# Control flags used in this file:
#	requisite  - a failure ends the stack immediately with an error.
#	required   - a failure is recorded and fails the stack, but the
#	             remaining modules still run.
#	sufficient - a success, with no earlier required failure, ends the
#	             stack immediately with success; the modules listed
#	             after it are not consulted.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login	auth requisite		pam_authtok_get.so.1
login	auth required		pam_dhkeys.so.1
login	auth required		pam_unix_cred.so.1
login	auth required		pam_unix_auth.so.1
login	auth required		pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhosts_auth)
#
# NOTE(review): pam_rhosts_auth is listed first and is "sufficient", so a
# successful host-based check ends the stack before the password modules
# below are reached. Authentication then rests on host and user trust
# entries rather than on a secret; audit those entries, or remove this
# line, on systems where rlogin must always require a password.
#
rlogin	auth sufficient		pam_rhosts_auth.so.1
rlogin	auth requisite		pam_authtok_get.so.1
rlogin	auth required		pam_dhkeys.so.1
rlogin	auth required		pam_unix_cred.so.1
rlogin	auth required		pam_unix_auth.so.1
#
# Kerberized rlogin service
#
krlogin	auth required		pam_unix_cred.so.1
krlogin	auth required		pam_krb5.so.1
#
# rsh service (explicit because of pam_rhosts_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
# NOTE(review): this stack contains no password module; the only
# authentication decision visible here is the host-based check made by
# pam_rhosts_auth. The header above mentions pam_unix_auth, but the stack
# as shown uses pam_unix_cred - confirm which is intended.
#
rsh	auth sufficient		pam_rhosts_auth.so.1
rsh	auth required		pam_unix_cred.so.1
#
# Kerberized rsh service
#
krsh	auth required		pam_unix_cred.so.1
krsh	auth required		pam_krb5.so.1
#
# Kerberized telnet service
#
ktelnet	auth required		pam_unix_cred.so.1
ktelnet	auth required		pam_krb5.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp	auth requisite		pam_authtok_get.so.1
ppp	auth required		pam_dhkeys.so.1
ppp	auth required		pam_unix_cred.so.1
ppp	auth required		pam_unix_auth.so.1
ppp	auth required		pam_dial_auth.so.1
#
# GDM Autologin (explicit because of pam_allow).  These need to be
# here as there is no mechanism for packages to amend pam.conf as
# they are installed.
#
# NOTE(review): pam_allow always returns success, so this stack
# authenticates without checking any credential. The entry is present
# whether or not GDM is installed or autologin is enabled; any program
# that opens a PAM transaction under the service name "gdm-autologin"
# gets the same result. Remove or comment out these lines on systems
# that do not use GDM autologin.
#
gdm-autologin auth  required    pam_unix_cred.so.1
gdm-autologin auth  sufficient  pam_allow.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other	auth requisite		pam_authtok_get.so.1
other	auth required		pam_dhkeys.so.1
other	auth required		pam_unix_cred.so.1
other	auth required		pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd	auth required		pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
# An explicit account entry replaces the "other" account stack for the
# service, so pam_roles is not applied to cron (or to cups below).
#
cron	account required	pam_unix_account.so.1
#
# cups service (explicit because of non-usage of pam_roles.so.1)
#
cups	account	required	pam_unix_account.so.1
#
# GDM Autologin (explicit because of pam_allow).  This needs to be here
# as there is no mechanism for packages to amend pam.conf as they are
# installed.
#
# NOTE(review): because this is the only account entry for the service,
# neither pam_roles nor pam_unix_account from the "other" stack runs;
# account management for gdm-autologin always succeeds.
#
gdm-autologin account  sufficient  pam_allow.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other	account requisite	pam_roles.so.1
other	account required	pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other	session required	pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other	password required	pam_dhkeys.so.1
other	password requisite	pam_authtok_get.so.1
other	password requisite	pam_authtok_check.so.1
other	password required	pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.
#