pam_roles - Role Account Management PAM module for Solaris




     The   Role    Account    Management    module    for    PAM,
     /usr/lib/security/, provides functionality for
     one PAM module: Account management. The is  a
     shared  object that can be dynamically loaded to provide the
     necessary functionality upon demand. Its path  is  specified
     in the PAM configuration file.

  Role Account Management Module
     The Role account management component provides a function to
     check for authorization to assume a role. It prevents direct
     logins to a role.  It  uses  the  user_attr(4)  database  to
     specify which users can assume which roles.

     The following options may be passed to the Role  Authentica-
     tion service module:

          debug syslog(3C)  debugging  information  at  LOG_DEBUG

     If PAM_USER (see pam_set_item(3PAM)) is  specified  as  type
     normal  in  the  user_attr(4)  database,  the module returns

     If PAM_RUSER (see pam_set_item(3PAM)) is not set, the uid of
     the   process  loading  the  module  is  used  to  determine

     The module returns success if  the  user_attr(4)  entry  for
     PAM_RUSER has an entry in the roles field for PAM_USER; oth-
     erwise it returns PAM_PERM_DENIED.

     This module is generally stacked above the  account  manage-
     ment  module  The  error messages indicating
     that roles cannot be logged into correctly are  only  issued
     if the user has entered the correct password.

     Here are some sample entries from pam.conf(4)  demonstrating
     the use of the module:

     dtlogin account requisite /usr/lib/security/$ISA/
     dtlogin account required /usr/lib/security/$ISA/
     su account requisite /usr/lib/security/$ISA/
     su account requisite /usr/lib/security/$ISA/
     rlogin account requisite /usr/lib/security/$ISA/
     rlogin account required /usr/lib/security/$ISA/

     The dtlogin program invokes PAM_RUSER is the
     username  corresponding  to  the uid of the dtlogin process,
     which is 0. The user_attr entry for root  user  (uid  0)  is
     empty, so all role logins are prevented through dtlogin. The
     same rule applies to login.

     The su program  invokes  PAM_RUSER  is  the
     username  of the userid of the shell that invokes su. A user
     needs  the  appropriate  entry  in   the   roles   list   in
     user_attr(4) to be able to su to another user.

     In  the  example  above,  the  rlogin  program  invokes  the  module.  The module checks for PAM_RUSER and
     determines whether the role being assumed, PAM_RUSER, is  in
     the roles list of the userattr entry for PAM_RUSER. If it is
     in the roles list, the module returns PAM_SUCCESS; otherwise
     it returns PAM_PERM_DENIED.


     keylogin(1), libpam(3LIB),  pam(3PAM),  pam_acct_mgmt(3PAM),
     pam_setcred(3PAM),      pam_set_item(3PAM),      syslog(3C),
     pam.conf(4),          user_attr(4),           attributes(5),
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix(5),      pam_unix_account(5),     pam_unix_auth(5),


     The interfaces in libpam(3LIB)  are  MT-Safe  only  if  each
     thread  within  the  multi-threaded application uses its own
     PAM handle.

     The pam_unix(5) module might not be supported  in  a  future
     release.    Similar    functionality    is    provided    by
     pam_authtok_check(5),                    pam_authtok_get(5),
     pam_authtok_store(5),   pam_dhkeys(5),   pam_passwd_auth(5),
     pam_unix_account(5),          pam_unix_auth(5),          and

Man(1) output converted with man2html