+------------------------------------------------------------------------+
|            Sun Microsystems Systems Architecture Committee             |
|                 Copyright 2005 Sun Microsystems, Inc.                  |
|------------------------------------------------------------------------|
|     Subject    |Per user Authentication Policy                         |
|----------------+-------------------------------------------------------|
|  Submitted by  |Nicolas Williams                                       |
|----------------+-------------------------------------------------------|
|      File      |PSARC/2005/275/opinion.html                            |
|----------------+-------------------------------------------------------|
|      Date      |01/02/06                                               |
|----------------+-------------------------------------------------------|
|   Committee    |Darren Moffat, James D Carlson, Ed Gould, William      |
|                |Sommerfeld, Gary Winiger                               |
|----------------+-------------------------------------------------------|
|Product Approval|Solaris PAC                                            |
|   Committee    |                                                       |
+------------------------------------------------------------------------+

1. Summary

This case adds support for per-user PAM configuration, a highly desirable
feature. No changes are needed to PAM applications or modules, nor does
libpam become unnecessarily Unix-specific.

The case introduces a PAM module, pam_user_policy(5), which evaluates a
per-user PAM configuration by calling a new PAM function, pam_eval(); the
PAM configuration to evaluate is named in a user_attr(4) or prof_attr(4)
entry ('pam_policy') and/or in policy.conf(4). Administrative RBAC
interfaces are modified to know about the new 'pam_policy' key for
user_attr(4) and prof_attr(4). Various PAM configuration files for use
with this facility are also provided.

2. Decision & Precedence Information

The project is approved as specified in reference [1], but as modified by
the required technical changes listed in Appendix A.

The project may be delivered in a patch release of Solaris.

3. Interfaces

+-----------------------------------------------------------------+
|                       Interfaces Exported                       |
|-----------------------------------------------------------------|
| Interface Name                |Classification| Comment          |
|-------------------------------+--------------+------------------|
|                               |              |Defined by        |
|pam_eval(3PAM)                 |Stable        |pam_eval(3PAM)    |
|                               |              |manpage           |
|-------------------------------+--------------+------------------|
|                               |              |Defined by        |
|pam_user_policy(5)             |Stable        |pam_user_policy(5)|
|                               |              |manpage           |
|-------------------------------+--------------+------------------|
|                               |              |Defined by        |
|user_policy(5)                 |Stable        |user_policy(5)    |
|                               |              |manpage           |
|-------------------------------+--------------+------------------|
|                               |              |Defined by        |
|Config file names              |Stable        |user_policy(5)    |
|                               |              |manpage           |
|-------------------------------+--------------+------------------|
|                               |              |Defined by        |
|Config file semantics          |Stable        |user_policy(5)    |
|                               |              |manpage           |
|-------------------------------+--------------+------------------|
|Config file contents           |Not an        |                  |
|                               |Interface     |                  |
|-------------------------------+--------------+------------------|
|smprofile(1m), smrole(1m),     |              |Defined by        |
|smuser(1m)                     |Stable        |smprofile(5)      |
|                               |              |manpage           |
|-K key=value                   |              |                  |
|-------------------------------+--------------+------------------|
|user_attr/prof_attr/policy.conf|              |Defined by        |
|                               |Stable        |user_attr(5)      |
|pam_policy keyword             |              |manpage           |
+-----------------------------------------------------------------+

+----------------------------------------------------------------+
|                      Interfaces Imported                       |
|----------------------------------------------------------------|
| Interface Name             |Classification| Comment            |
|----------------------------+--------------+--------------------|
|None of note                |              |                    |
+----------------------------------------------------------------+

4. Opinion

4.1 RBAC Train Wreck

During the inception review for this case a generic RBAC database and
administrative problem was brought up; the full details are contained in
reference [2]. This case follows the advice listed in that reference by
providing the key in all of user_attr(4), prof_attr(4) and policy.conf(4).
The API part of this may be addressed by PSARC/2005/717 "Reno: Login
Process Enhancements for Interop".

4.2 SMC Administrative interface

This project is adding GUI components to the same place in the SMC
administrative tool as the Rampart (Trusted Extensions) project. The
project team is advised to synchronise delivery with LSARC/2006/007;
there is no inter-project dependency introduced by this case.

This case once again brought up the issue of what the future graphical
administrative interface for core Solaris components is intended to be.
We are presently shipping at least three frameworks: SMC, Lockhart and
Webmin. This project changes only SMC, since there is no user management
content available via Lockhart at this time. Webmin does have user
management but at present has no RBAC content.

4.3 UIRB review

The committee agreed that the changes to the administrative interfaces
introduced by this project are sufficiently obvious that an additional
review by UIRB was not necessary.

4.4 GUI Elements

The committee had some discussion on the GUI changes for SMC. In
particular it was felt that some feedback on whether the named policy
exists was required. Some members requested a drop-down list of the
default policies that the system ships with; this led to TCA#1.

There was also some discussion on the possibility of using a unique file
extension for the policy files. The project team will investigate this
and may use it to assist TCA#1 if it is implemented. No TCR or TCA was
issued for this.

The committee issued TCR#1 to issue a warning if the requested policy file
was not present. Given the nature of how SMC works, the policy file need
not be available on the machine running the SMC GUI, since it may be
administering a remote machine, which is why this is only a warning rather
than an error. The local-files-only admin tools, usermod(1m) et al., are
expected to make the same check.

5. Minority Opinion(s)

None.

6. Advisory Information

6.1 RBAC Databases

The relevant budget holders are advised to fund a project to fully resolve
the API and database problems with the RBAC databases as detailed in
http://sac.sfbay/PSARC/2005/275/commitment.materials/RBACTrainWreck.

6.2 Trusted Extensions

As in 4.2, the project team is advised to be aware of LSARC/2006/007.

Appendices

Appendix A: Technical Changes Required

* Display a warning if the requested policy file does not exist on the
  host running SMC.

* The UNIX policy must serve as a fallback when there is no entry for the
  user in user_attr(4), prof_attr(4) or a system-wide policy specified in
  policy.conf(4).

Appendix B: Technical Changes Advised

* Allow the user to choose from a drop-down list of the default policies
  shipped with the system.

Appendix C: Reference Material

Unless otherwise stated, path names are relative to the case directory
(PSARC/2005/275).

 1. [commitment.materials/specification] Specification
 2. [commitment.materials/RBACTrainWreck] RBAC Database/API problem
 3. [commitment.materials/pam_eval.3pam] Man page
 4. [commitment.materials/pam_user_policy.5] Man page
 5. [commitment.materials/prof_attr.4] Man page
 6. [commitment.materials/roleadd.1m] Man page
 7. [commitment.materials/rolemod.1m] Man page
 8. [commitment.materials/smc.1m] Man page
 9. [commitment.materials/smprofile.1m] Man page
10. [commitment.materials/smrole.1m] Man page
11. [commitment.materials/user_attr.4] Man page
12. [commitment.materials/user_policy.4] Man page
13. [commitment.materials/useradd.1m] Man page
14. [commitment.materials/usermod.1m] Man page
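The following is an added illustration, not code from the case materials or from Solaris: it models the policy lookup the Summary describes (a 'pam_policy' attribute in the user's user_attr(4) entry, then in the prof_attr(4) entries of the user's profiles, then the system-wide value in policy.conf(4)) together with the two points from Appendix A, the mandatory fallback to the UNIX policy and the warning when the named policy file is absent. The sample database lines are constructed; the 'profiles' key used to walk from user to profile, the upper-case PAM_POLICY spelling in policy.conf and the /etc/security/pam_policy directory are assumptions made for the example.

```python
"""Per-user PAM policy resolution modelled on PSARC/2005/275 (added example)."""
import os

DEFAULT_POLICY = "unix"                    # fallback required by Appendix A
POLICY_DIR = "/etc/security/pam_policy"    # assumed location of named policies

# Constructed sample databases (not real system files).
SAMPLE_USER_ATTR = """\
# user:qualifier:res1:res2:attr            (constructed user_attr(4) lines)
alice::::pam_policy=krb5_only;profiles=Basic Solaris User
bob::::profiles=Kerberos Login,Basic Solaris User
carol::::type=normal
"""

SAMPLE_PROF_ATTR = """\
# profname:res1:res2:desc:attr             (constructed prof_attr(4) lines)
Kerberos Login:::Log in via Kerberos:pam_policy=krb5_first
Basic Solaris User:::Automatically assigned rights:auths=solaris.profmgr.read
"""

SAMPLE_POLICY_CONF = """\
# constructed policy.conf(4); the PAM_POLICY key spelling is an assumption
CRYPT_DEFAULT=5
PAM_POLICY=ldap
"""


def parse_attrs(attr_field):
    """Split a 'key=value;key=value' attribute field into a dict."""
    attrs = {}
    for item in attr_field.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def parse_attr_db(text):
    """Parse user_attr(4)/prof_attr(4): both keep the name in field 0 and the
    key=value attributes in field 4 of a colon-separated 5-field line."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            continue                      # malformed line: ignore, do not guess
        entries[fields[0]] = parse_attrs(":".join(fields[4:]))
    return entries


def parse_policy_conf(text):
    """Parse policy.conf(4): KEY=value lines, '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def resolve_pam_policy(user, user_attr, prof_attr, policy_conf):
    """Return (policy_name, source) for user, in the documented lookup order."""
    ua = user_attr.get(user, {})
    if "pam_policy" in ua:
        return ua["pam_policy"], "user_attr"
    # 'profiles' (comma-separated, checked in order) is the assumed link to prof_attr.
    for prof in (p.strip() for p in ua.get("profiles", "").split(",")):
        if prof and "pam_policy" in prof_attr.get(prof, {}):
            return prof_attr[prof]["pam_policy"], "prof_attr:" + prof
    for key, value in policy_conf.items():
        if key.lower() == "pam_policy":    # accept either spelling of the key
            return value, "policy.conf"
    return DEFAULT_POLICY, "default"       # TCR: UNIX policy as the fallback


def check_policy_file(policy, policy_dir=POLICY_DIR, exists=os.path.exists):
    """TCR#1 check: return (path, present); the caller warns, it does not fail."""
    path = policy if os.path.isabs(policy) else os.path.join(policy_dir, policy)
    return path, exists(path)


def resolve_all(users, user_attr_text, prof_attr_text, policy_conf_text):
    ua = parse_attr_db(user_attr_text)
    pa = parse_attr_db(prof_attr_text)
    pc = parse_policy_conf(policy_conf_text)
    return {u: resolve_pam_policy(u, ua, pa, pc) for u in users}


if __name__ == "__main__":
    results = resolve_all(["alice", "bob", "carol", "dave"],
                          SAMPLE_USER_ATTR, SAMPLE_PROF_ATTR, SAMPLE_POLICY_CONF)
    for user, (policy, source) in results.items():
        path, present = check_policy_file(policy)
        note = "" if present else "  WARNING: policy file %s not found" % path
        print("%-6s -> %-10s (from %s)%s" % (user, policy, source, note))
```

Run stand-alone it prints one line per sample user; 'dave', who has no entry anywhere, receives the system-wide policy, and only an empty policy.conf sends him to the 'unix' fallback. The existence check is separated from the resolution on purpose, mirroring the opinion: a remote SMC session can legitimately name a policy that is not present on the local host, so the caller decides whether the missing file is a warning or an error.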