Background:

    In order to correctly attribute auditable actions to a remote user,
    PSARC/2005/009 remote user audit attribution was proposed.  Parts of
    PSARC/2005/009 have been implemented in S11.  Even though
    PSARC/2005/009 has a patch release binding, it has not been exposed in
    any S10 release.

    From PSARC/2005/009:

        Commands such as ssh -l, rlogin -l, and rlogin -A -l do not
        correctly attribute audit to the initiating user.  In the past
        this has more or less been ignored.  However, with the greater
        potential use of roles, and a trustworthy way of sending the
        initiating user's identity, it should now be corrected.

        Various RFEs and Bugs:

            6203206 "sshd should set PAM_RUSER for hostbased userauth for
                    audited logins to roles"
            6213280 "Remote role assumption should be provided via ssh"
            6213282 "pam_unix_cred should be able to attribute to remote
                    user."

        have been filed.  Trusted Solaris systems have transmitted the
        initiating user's attributes through IP options.

Problem:

    6378304 "PSARC/2005/009 is a security hole and must be ripped out"
    asserts that the implementation of remote audit attribution is flawed
    because it uses PAM_RUSER, and the rlogin/rsh protocol is easily
    spoofable.  While it was noted, or at least implied, in PSARC/2005/009
    that rlogin/rsh support would fall out of this, it was perceived as an
    acceptable risk to sites which permit rlogin/rsh.  It has since been
    strongly pointed out that it would be better to add a more complex
    solution than to ship Solaris with an exploitable flaw.

Proposal:

    Revised background:

      | Commands such as ssh -l, krlogin -l, and rlogin -A -l do not
        correctly attribute audit to the initiating user.  In the past
        this has more or less been ignored.  However, with the greater
        potential use of roles, and a trustworthy way of sending the
        initiating user's identity, it should now be corrected.
        Various RFEs and Bugs:

      |     6203206 "sshd should set PAM_AUSER for hostbased userauth for
                    audited logins to roles"
            6213280 "Remote role assumption should be provided via ssh"
            6213282 "pam_unix_cred should be able to attribute to remote
                    user."

      | have been filed.  Trusted Extensions systems have transmitted the
        initiating user's attributes through IP options.

    1) Change the current pam_unix_cred(5) implementation to no longer use
       PAM_RUSER for setting audit attribution.

    2) Add a new PAM item, PAM_AUSER, to specify a trustworthily
       authenticated user, for audit attribution or other purposes, such
       as to define who is trying to assume a role.

Details:

    pam_unix_cred(5):

    DESCRIPTION
         pam_sm_setcred() initializes the user's project and privilege
         sets, and initializes or updates the user's audit context if it
         hasn't already been initialized.

         The following flags may be set in the flags field:

         PAM_ESTABLISH_CRED
         PAM_REFRESH_CRED
         PAM_REINITIALIZE_CRED
             Initializes the user's project to the project specified in
             PAM_RESOURCE, or if PAM_RESOURCE is not specified, to the
             user's default project.  Establishes the user's privilege
             sets.

             If the audit context is not already initialized and auditing
             is configured, these flags cause the context to be
             initialized to that of the user specified in
           | PAM_AUSER (if any) merged with the user specified in PAM_USER
             and the host specified in PAM_RHOST.  If PAM_RHOST is not
             specified, PAM_TTY specifies the local terminal name.
           | Attributing audit to PAM_AUSER and merging PAM_USER is
             required for correctly attributing auditing when the system
           | entry is done from another user that can be trustworthily
             identified.

             If the audit context is already initialized, the
             PAM_REINITIALIZE_CRED flag merges the current audit context
             with that of the user specified in PAM_USER.
             PAM_REINITIALIZE_CRED is useful when a user is assuming a new
             identity, as with su(1M).

         PAM_DELETE_CRED
             This flag has no effect and always returns PAM_SUCCESS.
    pam_set_item(3pam):

    DESCRIPTION
         The pam_get_item() and pam_set_item() functions allow
         applications and PAM service modules to access and to update PAM
         information as needed.  The information is specified by
         item_type, and can be one of the following:

       + PAM_AUSER
       +     The authenticated user name.  Applications that are trusted
       +     to correctly identify the authenticated user should set this
       +     item to the authenticated user name.  See NOTES and
       +     pam_unix_cred(5).

         PAM_RHOST
             The remote host name.

         PAM_RUSER
       |     The rlogin/rsh untrusted remote user name.

         PAM_USER
             The user name.

    NOTES
       + PAM_AUSER is not intended as a replacement for PAM_USER.  It is
       + expected to be used to supplement PAM_USER when there is an
       + authenticated user from a source other than
       + pam_authenticate(3PAM).  Such sources could be sshd hostbased
       + authentication, kerberized rlogin, or su(1M).
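    The following model contrasts the attribution policy described in the
    pam_unix_cred(5) text above (PAM_AUSER merged with PAM_USER, PAM_RUSER
    ignored) with the flawed policy from 6378304 (attribute to PAM_RUSER),
    and exercises the PAM_REINITIALIZE_CRED merge for su(1M) and the
    trusted sources named in the pam_set_item(3pam) NOTES.  It is an
    example added for this page, not Solaris or pam_unix_cred source: the
    structures, function names, account names and host names are all
    constructed here, and the real module works through pam_get_item(3PAM)
    and the kernel audit context rather than these plain structures.

```c
/*
 * Model of pam_unix_cred's audit attribution, before and after PAM_AUSER.
 * Added illustration, not Solaris source: structures, function names and
 * scenario data are constructed for the example.
 */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64

/* Hypothetical view of the PAM items that matter for attribution. */
struct pam_items {
    const char *user;   /* PAM_USER: account or role being entered            */
    const char *auser;  /* PAM_AUSER: trustworthily authenticated user, or NULL */
    const char *ruser;  /* PAM_RUSER: rlogin/rsh client-supplied name, or NULL  */
    const char *rhost;  /* PAM_RHOST: remote host name, or NULL                 */
    const char *tty;    /* PAM_TTY: local terminal name, or NULL                */
};

/* Modelled audit context: who is held accountable, as whom, from where. */
struct audit_ctx {
    int  initialized;
    char auid[NAME_LEN];     /* audit ID: user the audit records are attributed to */
    char user[NAME_LEN];     /* identity the session now runs as                   */
    char terminal[NAME_LEN]; /* PAM_RHOST if remote, otherwise PAM_TTY             */
};

static void set_name(char *dst, const char *src)
{
    snprintf(dst, NAME_LEN, "%s", src ? src : "");
}

static void fill_common(struct audit_ctx *ctx, const struct pam_items *it)
{
    set_name(ctx->user, it->user);
    set_name(ctx->terminal, it->rhost ? it->rhost : it->tty);
    ctx->initialized = 1;
}

/*
 * Flawed policy (6378304): when PAM_RUSER is set, attribute to it.  rlogin
 * and rsh copy that name straight from the client, so a spoofed connection
 * chooses whom the audit trail blames.
 */
void old_establish_cred(struct audit_ctx *ctx, const struct pam_items *it)
{
    if (ctx->initialized)
        return;
    set_name(ctx->auid, it->ruser ? it->ruser : it->user);
    fill_common(ctx, it);
}

/*
 * Proposed policy: PAM_RUSER is never consulted.  Only PAM_AUSER, which
 * applications that have themselves authenticated the initiating user
 * (sshd hostbased, kerberized rlogin, su) may set, is merged with PAM_USER.
 */
void new_establish_cred(struct audit_ctx *ctx, const struct pam_items *it)
{
    if (ctx->initialized)
        return;
    set_name(ctx->auid, it->auser ? it->auser : it->user);
    fill_common(ctx, it);
}

/* PAM_REINITIALIZE_CRED on an initialized context (su(1M) to a role):
 * the session identity changes, the audit ID is kept. */
void reinitialize_cred(struct audit_ctx *ctx, const struct pam_items *it)
{
    if (!ctx->initialized) {
        new_establish_cred(ctx, it);
        return;
    }
    set_name(ctx->user, it->user);
}

int main(void)
{
    /* Constructed scenario: rlogin from an untrusted host whose client
     * claims the remote user is "alice" while logging in to "operator". */
    struct pam_items rlogin = { "operator", NULL, "alice", "badhost.example", NULL };
    struct audit_ctx before = { 0 }, after = { 0 };

    old_establish_cred(&before, &rlogin);
    new_establish_cred(&after, &rlogin);
    printf("rlogin, old policy: audit ID %s (client-chosen)\n", before.auid);
    printf("rlogin, new policy: audit ID %s\n", after.auid);

    /* Constructed scenario: sshd hostbased authentication verified "bob"
     * entering the role "secadmin" and set PAM_AUSER; then su to root. */
    struct pam_items ssh = { "secadmin", "bob", NULL, "ws1.example", NULL };
    struct pam_items su  = { "root", NULL, NULL, NULL, "/dev/pts/3" };
    struct audit_ctx sess = { 0 };

    new_establish_cred(&sess, &ssh);
    reinitialize_cred(&sess, &su);
    printf("ssh then su: audit ID %s, running as %s, from %s\n",
           sess.auid, sess.user, sess.terminal);
    return 0;
}
```

    The point the model makes is the one the proposal rests on: PAM_RUSER
    is an input that arrives over the network and must never feed the
    audit ID, whereas PAM_AUSER is meaningful only because the application
    setting it has already authenticated that user by some other means.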