Subject: PSARC FastTrack [05/04/2005]: Per user Authentication Policy I'm sponsoring this case for the PAM per user project team. The team is: Nicolas Williams, Darren Moffat, Gary Winiger. This case depends on PSARC 2005/217 only to simplify the implementation of the delivered configurations, it is not architecturally dependent on PSARC/2005/217 and thus may deliver before it if it does not use the include derective in the implementation of the default configurations. Template Version: @(#)sac_nextcase 1.55 08/11/04 SMI Copyright 2005 Sun Microsystems, Inc. 1. Introduction 1.1. Project/Component Working Name: Per user Authentication Policy 1.2. Name of Document Author/Supplier: Author: Nicolas Williams 1.3 Date of This Document: 27 April, 2005 4. Technical Description ABSTRACT -------- This case adds support for per-user PAM configuration, a highly desirable feature. No changes are needed to PAM applications or modules, nor does libpam become unnecessarily Unix-specific. The case introduces a PAM module, pam_user_policy(5), which loads and evaluates, by calling a new PAM function, pam_eval(3PAM), a PAM configuration named in a user_attr(4) and/or prof_attr(4) ('pam_policy'). BACKGROUND ---------- PAM supports a single configuration per-service. This restriction was reasonable initially, but over time it has caused problems. For example, it has caused the names of locally defined users, specifically 'root', to be hard-coded in modules which are typically not appropriate for such users (e.g., pam_krb5). And customers managing migrations, for example, from Unix authentication to Kerberos V authentication often need PAM to distinguish between two kinds of users: migrated and not. HP-UX and MacOS X both have some support for per-user PAM configuration. HP-UX includes a module which searches for and evaluates a PAM configuration stored in a file named after the user. MacOS X includes a module which implements authentication strategies configured in an LDAP directory on a per-user basis. This case proposes a Solaris PAM module which includes a PAM configuration named in a user_attr(4) user attribute. We need a solution that has the following characteristics: - easy administration of policies assigned to users - no changes are required to 3rd party PAM applications - no changes are required to 3rd party PAM modules - libpam does not treat PAM_USER values as Unix usernames (Solaris PAM modules, of course, do) PROPOSAL -------- We propose: - A new PAM function, which can be called only by modules, pam_eval(3PAM). This function loads and evaluates a PAM configuration stored in file named by the caller. - A new PAM module, pam_user_policy(5) which looks up the PAM_USER's 'pam_policy' user_attr(4), or in the user's profiles (prof_attr(4)) and pam_eval()'s the named configuration, if any, or returns PAM_IGNORE. The pam_user_policy(5) auth module will prompt for a PAM_USER, if one is not set. The intention is that it be possible to stack pam_user_policy above all other modules in all stacks with zero effect for users who have no pam_policy user_attr or prof_attr. - A set of PAM configuration files, in /usr/lib/security/, intended for inclusion via pam_user_policy(5): - unix.conf - krb5.conf - krb5-fallback-unix.conf - ldap.conf - any.conf - No change to /etc/pam.conf is proposed. However, it's expected that a future case will likely change the default pam.conf so that pam_user_policy is stacked as binding at the top of most every service stack. DOCUMENTATION ------------- - New man pages will be added for pam_eval(3PAM) and pam_user_policy(5). See case repository. - The user_attr(4) and prof_attr(4) man pages will be modified to mention 'pam_policy' and reference pam_user_policy(5). See case repository. INTERFACE STABILITY AND RELEASE BINDINGS ---------------------------------------- Interface Stability Release Binding pam_eval(3PAM) Stable Minor/patch pam_user_policy(5) Stable Minor/patch config file names Stable Minor/patch config file semantics Stable Minor/patch config file contents Unstable Minor/patch 6. Resources and Schedule 6.4. Steering Committee requested information 6.4.1. Consolidation C-team Name: ON 6.5. ARC review type: FastTrack