pam_user_policy(7) man page - 윈디하나의 솔라나라


Standards, Environments, Macros, Character Sets, and miscellany
                                                            pam_user_policy(7)



NAME
       pam_user_policy - PAM user authentication policy module

SYNOPSIS
       pam_user_policy.so.1

DESCRIPTION
       The  pam_user_policy module causes a user-specific PAM configuration to
       be evaluated and returns the result of evaluating such a configuration.


       The pam_user_policy module implements all PAM service module functions.


       The PAM configuration to  evaluate  is  determined  by  looking  for  a
       pam_policy  key in a user's attributes (see user_attr(5)) or any rights
       profiles assigned to the user in user_attr or in a default rights  pro‐
       file granted in policy.conf(5), and then finally for any value assigned
       to PAM_POLICY in policy.conf. If no pam_policy key  is  found  for  the
       user, the pam_user_policy module returns PAM_IGNORE.


       Failure to obtain a user name causes the module to return  PAM_IGNORE
       (see RETURN VALUES below).


       This  module  should generally be stacked as the first module, possibly
       as the only module, in a PAM service configuration using a control_flag
       value  of  'definitive'. A control_flag value of 'sufficient' or 'bind‐
       ing' may also work, depending on the PAM service and  the  contents  of
       the user-specific PAM configuration.


       The  pathname  to  the  user-specific  PAM configuration file passed to
       pam_eval(3PAM) must be absolute, so pam_user_policy  prepends  the  di‐
       rectory  "/etc/security/pam_policy/"  to any non-absolute PAM configura‐
       tion pathname. The user-specific PAM configuration file  has  the  same
       format  as  pam.conf  and  must  include  the service name field, just as
       /etc/pam.conf does. For more information, see the pam.conf(5) man page.


       The following option can be passed to the module:

       debug    syslog(3C) debugging information at the LOG_DEBUG level


   Authentication Module
       The pam_get_user(3PAM) function is used to retrieve  the  current  user
       name  and  sets  this  to  be the value of PAM_USER if PAM_USER was not
       already set. If no user name can be obtained, PAM_IGNORE is returned.


       If the user is assuming a role that has  been  configured  with  the
       roleauth=user attribute in user_attr(5), then the authenticated user name
       specified in PAM_AUSER, if set, is treated as the  current  user  name.
       For more information, see the user_attr(5) man page.


       The  pam_user_policy  authentication module then looks up the name of a
       PAM configuration file to use for that  user  as  described  above  and
       evaluates  the  named configuration by calling pam_eval() with the same
       flags as were passed to the pam_user_policy authentication module.


       The configuration  file  name  found  is  saved  as  module  data  (see
       pam_set_data(3PAM)) for use by other pam_user_policy modules.

   Other Modules
       If   the   PAM_USER  item  is  not  set  to  a  non-empty  string  then
       pam_user_policy returns PAM_IGNORE immediately. If a PAM  configuration
       file   name  was  saved  as  module  data  by  a  previous  call  to  a
       pam_user_policy module, then that configuration will be used; otherwise
       a  PAM  configuration will be looked up as described above. The service
       module then evaluates the named  configuration  by  calling  pam_eval()
       with the same flags as were passed to the service module.


       The  configuration  file  name  found  is  saved  as  module  data (see
       pam_set_data(3PAM)) for use by other pam_user_policy modules.

RETURN VALUES
       If PAM_USER is not set or cannot  be  obtained,  the  module's  service
       functions  return  PAM_IGNORE.  If  a pam_policy configuration file has
       been specified for a user and the  corresponding  file  name  does  not
       exist,  PAM_SYSTEM_ERR  is returned. If an invalid path to a configura‐
       tion file is specified, for  example  a  missing  pam_policy  attribute
       value  or a relative path containing a slash /, PAM_IGNORE is returned.
       If module-specific data cannot be stored, PAM_SERVICE_ERR is  returned.
       Failure  to allocate resources causes the module to return PAM_BUF_ERR.
       Otherwise the value returned by pam_eval() is returned.
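
       The  lookup  order  in  DESCRIPTION, the path rules for non-absolute and
       slash-containing names, and the RETURN VALUES  mapping  above,  as  an
       added  example  that is not part of this man page and not code from So‐
       laris: a POSIX sh model of the module's decision, run against  con‐
       structed  copies  of user_attr(5), prof_attr(5) and policy.conf(5) in a
       scratch directory. The directory layout, user names,  sample  entries
       and  function  names  are  assumptions; the model follows rights profiles
       one level deep only and does not run the selected  configuration,  which
       on a real system is the job of pam_eval(3PAM).

```shell
#!/bin/sh
# Added example (not from the man page or Solaris): model pam_user_policy's
# lookup and path rules over constructed copies of the three databases.
WORK=${TMPDIR:-/tmp}/pam_policy_demo.$$
POLICY_DIR=$WORK/pam_policy            # stands in for /etc/security/pam_policy
mkdir -p "$POLICY_DIR"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample databases; the users mirror the man page's EXAMPLES.
cat >"$WORK/user_attr" <<'EOF'
larry::::type=normal;pam_policy=krb5_only
curly::::type=normal;pam_policy=custom
moe::::type=normal;profiles=PAM Per-User Policy of LDAP
bogus::::type=normal;pam_policy=sub/dir
plain::::type=normal
EOF
# shemp names an absolute path as in Example 4; here it points into the scratch dir.
printf 'shemp::::type=normal;pam_policy=%s/abs.conf\n' "$WORK" >>"$WORK/user_attr"
: >"$WORK/abs.conf"
cat >"$WORK/prof_attr" <<'EOF'
PAM Per-User Policy of LDAP:::Profile which sets pam_policy=ldap:pam_policy=ldap
Basic Solaris User:::Automatically assigned rights:auths=solaris.mail.mailq
EOF
cat >"$WORK/policy.conf" <<'EOF'
PROFS_GRANTED=Basic Solaris User
PAM_POLICY=unix
EOF
# Stand-ins for the shipped policy files; 'custom' is deliberately left missing.
for f in unix krb5_only ldap; do : >"$POLICY_DIR/$f"; done

# Value of key $2 in a ';'-separated key=value attribute string $1 (empty if absent).
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' |
        awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}
user_attrs()  { awk -F: -v u="$1" '$1 == u { print $5; exit }' "$WORK/user_attr"; }
prof_attrs()  { awk -F: -v p="$1" '$1 == p { print $5; exit }' "$WORK/prof_attr"; }
policy_conf() { awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }' "$WORK/policy.conf"; }

# Resolve pam_policy in the order the module uses: the user's own attributes,
# then the rights profiles assigned in user_attr, then the profiles granted
# by PROFS_GRANTED in policy.conf, and finally PAM_POLICY in policy.conf.
lookup_pam_policy() {
    ua=$(user_attrs "$1")
    v=$(attr_value "$ua" pam_policy)
    if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    profs="$(attr_value "$ua" profiles),$(policy_conf PROFS_GRANTED)"
    old_ifs=$IFS; IFS=,
    for p in $profs; do
        [ -n "$p" ] || continue
        v=$(attr_value "$(prof_attrs "$p")" pam_policy)
        if [ -n "$v" ]; then IFS=$old_ifs; printf '%s\n' "$v"; return 0; fi
    done
    IFS=$old_ifs
    policy_conf PAM_POLICY
}

# Map a pam_policy value to the file handed to pam_eval(3PAM): an absolute path
# is used as-is, a bare name gets the policy directory prepended, and an empty
# value or a relative path containing a slash is rejected (status 1).
pam_policy_file() {
    case $1 in
        '')   return 1 ;;
        /*)   printf '%s\n' "$1" ;;
        */*)  return 1 ;;
        *)    printf '%s/%s\n' "$POLICY_DIR" "$1" ;;
    esac
}

# Outcome for a user before pam_eval() would run, following RETURN VALUES:
#   PAM_IGNORE      no user name, no pam_policy value, or an invalid path
#   PAM_SYSTEM_ERR  a policy file is named but does not exist
#   EVAL <file>     the module would call pam_eval() on <file>
pam_user_policy() {
    if [ -z "$1" ]; then echo PAM_IGNORE; return 0; fi
    v=$(lookup_pam_policy "$1")
    if f=$(pam_policy_file "$v"); then
        if [ -f "$f" ]; then echo "EVAL $f"; else echo PAM_SYSTEM_ERR; fi
    else
        echo PAM_IGNORE
    fi
}

for u in larry curly moe shemp bogus plain; do
    printf '%-6s %s\n' "$u" "$(pam_user_policy "$u")"
done
```

       Run  it  as  an  unprivileged user; it never touches /etc. Commenting out
       PAM_POLICY=unix in the constructed policy.conf shows the  final  fallback:
       a user with no pam_policy value anywhere then yields PAM_IGNORE.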

FILES
       A number of pam.conf files for  inclusion  by  pam_user_policy  can  be
       found in /etc/security/pam_policy:

       unix             Use  only  UNIX  passwords for authentication, account
                        management, and password management.


       krb5_only        Use Kerberos V5 only for authentication, account  man‐
                        agement, and password management.


       krb5_first       Use  Kerberos  V5  for authentication with fallback on
                        UNIX authentication, use Kerberos V5 for account  man‐
                        agement and password management for Kerberos users and
                        UNIX for account management  and  password  management
                        for UNIX users.


       krb5_optional    Use  UNIX  for authentication, account management, and
                        password management, and then optionally Kerberos  V5
                        for  authentication,  account  management and password
                        management for Kerberos users.


       ldap             Use pam_ldap(7) for  authentication,  account  manage‐
                        ment,  and password management for LDAP users and UNIX
                        for authentication, account management,  and  password
                        management for UNIX users.


       any              Try  Kerberos V5, LDAP and UNIX, in that order, and as
                        sufficient, for  authentication,  account  management,
                        and password management.


       krb5_keytab      Use  pam_krb5_keytab  for PAM authentication with Ker‐
                        beros through keytab  and  optionally,  authentication
                        through  pam_gss_s4u for Services For Users (S4U). For
                        more information, see the pam_gss_s4u(7) man page.


       gss_s4u          Use pam_krb5_keytab for PAM authentication  with  Ker‐
                        beros  through  keytab  and optionally, authentication
                        through pam_gss_s4u for Services For Users (S4U).  For
                        more information, see the pam_gss_s4u(7) man page.


EXAMPLES
       Example 1 Authenticate a user with Kerberos V5 for all PAM services.



       In  the  following  example,  user 'larry' should only be authenticated
       with Kerberos V5 for all PAM services.


         $ usermod -K pam_policy=krb5_only larry



       Example 2 Use the PAM configuration /etc/security/pam_policy/custom for
       a user.



       In  the following example, the PAM configuration /etc/security/pam_pol‐
       icy/custom should be used for user 'curly'. This custom PAM  configura‐
       tion  might  have  different configurations for different PAM services,
       such as requiring UNIX authentication for console logins  but  Kerberos
       V5 for all other PAM services.


         $ usermod -K pam_policy=custom curly



       Example 3 Create a new profile.



       The  following example creates a new profile named "PAM Per-User Policy
       of LDAP" and assigns it to user 'moe', indicating that pam_ldap(7) should
       be  used  for  all  PAM  services.  Alternatively  the profile could be
       assigned to all users by adding it to PROFS_GRANTED in policy.conf(5).


         $ profiles -p "PAM Per-User Policy of LDAP" \
            'set desc="Profile which sets pam_policy=ldap";
            set pam_policy=ldap; exit;'
         $ usermod -P "PAM Per-User Policy of LDAP" moe



       Example 4 Add a new user.



       The following example adds a new user named 'shemp' who  uses  the  PAM
       configuration /usr/local/etc/pam.conf for all PAM services.


         $ useradd -K pam_policy=/usr/local/etc/pam.conf shemp



ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE               ATTRIBUTE VALUE
       Interface Stability          Committed
       MT-Level                     MT-Safe with exceptions


SEE ALSO
       syslog(3C),        libpam(3LIB),       pam(3PAM),       pam_eval(3PAM),
       pam_get_user(3PAM),  pam_set_data(3PAM),  pam.conf(5),  policy.conf(5),
       prof_attr(5), user_attr(5), attributes(7), pam_ldap(7)

NOTES
       The  interfaces  in libpam(3LIB) are MT-Safe only if each thread within
       the multithreaded application uses its own PAM handle.



Oracle Solaris 11.4               11 May 2021               pam_user_policy(7)
The copyright of the man page content belongs to the man page author.