Bug #2947

open

PAM should support per-service config in /etc/pam.d

Added by Joshua M. Clulow over 9 years ago. Updated over 9 years ago.

Status: New
Priority: Normal
Category: -
Start date: 2012-06-29
Due date:
% Done: 0%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

libpam(3LIB) presently loads its configuration from one monolithic file -- /etc/pam.conf -- as documented in pam.conf(4). This approach does not mesh well with delivery of additional PAM configuration in packages or via configuration management systems.

This RFE seeks to provide for per-service configuration in /etc/pam.d. If a service file exists then that file will be read to construct the stack for the particular service (e.g. for sshd-password the file would be /etc/pam.d/sshd-password). If no /etc/pam.d exists, or does exist but has incorrect permissions, the fallback will be the current behaviour; that is, reading the monolithic /etc/pam.conf.

Finally, this RFE seeks to split the existing monolithic /etc/pam.conf into separate service files and replace it with a file containing only a comment referring to the documentation and /etc/pam.d.

#1 Updated by Joshua M. Clulow over 9 years ago

Further, the file format of the per-service pam.conf shards will be the same as pam.conf, sans the initial "service name" column. The value used in place of that column will be the same as both the service name and the file name of this shard.

#2 Updated by Joshua M. Clulow over 9 years ago

Existing systems will already have a (potentially customised) /etc/pam.conf. The manifest for SUNWcs is configured to preserve the contents of the existing pam.conf on an upgrade, but the newly delivered shard files (in /etc/pam.d) will take precedence over the contents of the legacy, monolithic file.

In order to preserve the behaviour of local customisations to pam.conf, this RFE will also deliver a new binary -- pamconv -- and a boot-time SMF service to run it. This binary will split any existing non-trivial pam.conf into shards (potentially overwriting those delivered in SUNWcs) and then overwrite the original pam.conf with a trivial (comments-only) replacement.
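An added example, not code from the illumos project or from this bug report: a Python sketch of the split that comment #2 describes for pamconv (monolithic pam.conf into per-service shards without the service-name column) together with the lookup rule from the description (shard first, legacy pam.conf as fallback when /etc/pam.d is absent or badly permissioned). The sample pam.conf content is constructed, the permission rule (pam.d must not be group- or world-writable) is an assumption since the page only says "incorrect permissions", and the "other" default service is standard pam.conf(4) behaviour.

```python
import stat, tempfile
from pathlib import Path
# Constructed sample pam.conf(4) (not from the page): service module_type control_flag module_path [options]
SAMPLE_PAM_CONF = """\
# Authentication management
login          auth requisite pam_authtok_get.so.1
sshd-password  auth required  pam_unix_auth.so.1 nowarn
other          auth required  pam_deny.so.1
"""
TRIVIAL_PAM_CONF = "# Configuration lives in per-service files under /etc/pam.d; see pam.conf(4)\n"

def parse_lines(text):  # meaningful lines of a pam.conf or shard: blanks and comments dropped
    return [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

def split_pam_conf(text):
    """Group pam.conf lines by service, dropping the leading service-name column."""
    shards = {}
    for line in parse_lines(text):
        fields = line.split(None, 1)
        if len(fields) == 2:              # skip malformed lines lacking a module_type column
            shards.setdefault(fields[0], []).append(" ".join(fields[1].split()))
    return shards

def write_shards(shards, pam_d):
    """Write one shard per service (e.g. pam.d/sshd-password), as pamconv would."""
    pam_d.mkdir(mode=0o755, exist_ok=True)
    for service, lines in shards.items():
        (pam_d / service).write_text("\n".join(lines) + "\n")

def pam_d_usable(pam_d):  # assumed permission rule: a directory that is not group- or world-writable
    return pam_d.is_dir() and not pam_d.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)

def service_stack(service, pam_d, legacy_text):
    """Stack for a service: its shard if pam.d is usable, else legacy pam.conf; 'other' is the default."""
    if pam_d_usable(pam_d):
        shard = pam_d / service if (pam_d / service).is_file() else pam_d / "other"
        return parse_lines(shard.read_text()) if shard.is_file() else []
    legacy = split_pam_conf(legacy_text)
    return legacy.get(service) or legacy.get("other", [])

def pamconv_demo():  # convert a scratch copy of the sample and record which path each lookup takes
    with tempfile.TemporaryDirectory() as root:
        pam_d = Path(root) / "pam.d"
        write_shards(split_pam_conf(SAMPLE_PAM_CONF), pam_d)
        # after conversion the legacy file is comments only, so the shards must win
        result = {"files": sorted(p.name for p in pam_d.iterdir()),
                  "via_shard": service_stack("sshd-password", pam_d, TRIVIAL_PAM_CONF),
                  "unknown_service": service_stack("ftp", pam_d, TRIVIAL_PAM_CONF)}
        pam_d.chmod(0o777)                       # bad permissions on pam.d: fall back to the legacy text
        result["via_fallback"] = service_stack("sshd-password", pam_d, SAMPLE_PAM_CONF)
        return result
```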
