The Solaris Trusted Extensions service module for PAM, /usr/lib/security/pam_tsol_account.so.1, checks account limitations that are related to labels. The pam_tsol_account.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.
pam_tsol_account.so.1 contains a function to perform account management, pam_sm_acct_mgmt(). The function checks for the allowed label range for the user. The allowable label range is set by the defaults in the label_encodings(4) file. These defaults can be overridden by entries in the user_attr(4) database.
By default, this module requires that remote hosts connecting to the global zone must have a CIPSO host type. To disable this policy, add the allow_unlabeled keyword as an option to the entry in pam.conf(4), as in:
other account required pam_tsol_account allow_unlabeled
The following options can be passed to the module:
The following values are returned:
See attributes(5) for description of the following attributes:
The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.
keylogin(1), libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM), pam_start(3PAM), syslog(3C), label_encodings(4), pam.conf(4), user_attr(4), attributes(5)
Chapter 17, Using PAM in System Administration Guide: Security Services
The functionality described on this manual page is available only if the system is configured with Trusted Extensions.