pam_tsol_account(5)   Standards, Environments, and Macros  pam_tsol_account(5)

NAME

       pam_tsol_account - PAM account management module for Trusted Extensions

SYNOPSIS

       /usr/lib/security/pam_tsol_account.so.1

DESCRIPTION

       The Solaris Trusted Extensions service module for PAM,
       /usr/lib/security/pam_tsol_account.so.1, checks account limitations
       that are related to labels. The pam_tsol_account.so.1 module is a
       shared object that can be dynamically loaded to provide the necessary
       functionality upon demand. Its path is specified in the PAM
       configuration file.

       pam_tsol_account.so.1 contains a function to perform account
       management, pam_sm_acct_mgmt(). The function checks for the allowed
       label range for the user. The allowable label range is set by the
       defaults in the label_encodings(4) file. These defaults can be
       overridden by entries in the user_attr(4) database.

       By default, this module requires that remote hosts connecting to the
       global zone must have a CIPSO host type. To disable this policy, add
       the allow_unlabeled keyword as an option to the entry in pam.conf(4),
       as in:

         other  account required    pam_tsol_account allow_unlabeled

OPTIONS

       The following options can be passed to the module:

       allow_unlabeled    Allows remote connections from hosts with unlabeled
                          template types.

       debug              Provides debugging information at the LOG_DEBUG
                          level. See syslog(3C).
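
       The following audit script is an added example, not part of the
       original manual page or of Trusted Extensions. It lists each
       pam_tsol_account account entry in a pam.conf(4)-format file and
       reports whether allow_unlabeled relaxes the default CIPSO
       requirement. The function names, the policy labels in the output, and
       the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the man page): report how each pam_tsol_account
# account entry in a pam.conf(4)-format file treats unlabeled remote hosts.
# Assumed entry layout: service module_type control_flag module_path [options]

audit_tsol_account() {          # $1: path to a pam.conf-format file
    awk '
        { sub(/#.*/, "") }                  # drop comments, fields are re-split
        NF < 4 || $2 != "account" { next }  # only complete account entries
        {
            n = split($4, part, "/")        # bare module name or full path
            if (part[n] !~ /^pam_tsol_account(\.so\.1)?$/) next
            policy = "cipso-required"       # module default per DESCRIPTION
            for (i = 5; i <= NF; i++)
                if ($i == "allow_unlabeled") policy = "allow_unlabeled"
            printf "%d %s %s\n", NR, $1, policy
        }
    ' "$1"
}

# Returns 1 if any entry relaxes the default CIPSO requirement, else 0.
check_tsol_account() {
    if audit_tsol_account "$1" | grep ' allow_unlabeled$' >/dev/null; then
        return 1
    fi
    return 0
}

# Constructed sample input, not taken from a real system.
write_sample_pam_conf() {       # $1: output path
    cat > "$1" <<'EOF'
# constructed sample
login   account required    pam_unix_account.so.1
login   account required    pam_tsol_account.so.1
other   account required    pam_tsol_account allow_unlabeled
rlogin  account required    /usr/lib/security/pam_tsol_account.so.1 debug
#other  account required    pam_tsol_account allow_unlabeled
other   auth    required    pam_unix_auth.so.1
EOF
}

sample="${TMPDIR:-/tmp}/pam_conf_sample.$$"
write_sample_pam_conf "$sample"
audit_tsol_account "$sample"
check_tsol_account "$sample" || echo "allow_unlabeled is set: unlabeled hosts accepted"
rm -f "$sample"
```

       Each output line gives the line number in the file, the service name,
       and the resulting policy. Commented-out entries are ignored.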

RETURN VALUES

       The following values are returned:

       PAM_SUCCESS        The account is valid for use at this time and label.

       PAM_PERM_DENIED    The current process label is outside the user's
                          label range, or the label information for the
                          process is unavailable, or the remote host type is
                          not valid.

       Other values       Returns an error code that is consistent with
                          typical PAM operations. For information on
                          error-related return values, see the pam(3PAM) man
                          page.

ATTRIBUTES

       See attributes(5) for description of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │MT Level                     │MT-Safe with exceptions      │
       └─────────────────────────────┴─────────────────────────────┘

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within
       the multi-threaded application uses its own PAM handle.

SEE ALSO

       keylogin(1), libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM),
       pam_start(3PAM), syslog(3C), label_encodings(4), pam.conf(4),
       user_attr(4), attributes(5)

       Chapter 17, Using PAM, in System Administration Guide: Security
       Services

NOTES

       The functionality described on this manual page is available only if
       the system is configured with Trusted Extensions.

SunOS 5.11                        20 Jul 2007              pam_tsol_account(5)