pam_tsol_account(5) [opensolaris man page]

pam_tsol_account(5)					Standards, Environments, and Macros				       pam_tsol_account(5)

NAME
       pam_tsol_account - PAM account management module for Trusted Extensions

SYNOPSIS
       /usr/lib/security/pam_tsol_account.so.1

DESCRIPTION
       The Solaris Trusted Extensions service module for PAM, /usr/lib/security/pam_tsol_account.so.1, checks account limitations that are related to labels. The pam_tsol_account.so.1 module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file.

       pam_tsol_account.so.1 contains a function to perform account management, pam_sm_acct_mgmt(). The function checks for the allowed label range for the user. The allowable label range is set by the defaults in the label_encodings(4) file. These defaults can be overridden by entries in the user_attr(4) database.

       By default, this module requires that remote hosts connecting to the global zone must have a CIPSO host type. To disable this policy, add the allow_unlabeled keyword as an option to the entry in pam.conf(4), as in:

           other   account required        pam_tsol_account allow_unlabeled

OPTIONS
       The following options can be passed to the module:

       allow_unlabeled
              Allows remote connections from hosts with unlabeled template types.

       debug
              Provides debugging information at the LOG_DEBUG level. See syslog(3C).

RETURN VALUES
       The following values are returned:

       PAM_SUCCESS
              The account is valid for use at this time and label.

       PAM_PERM_DENIED
              The current process label is outside the user's label range, or the label information for the process is unavailable, or the remote host type is not valid.

       Other values
              Returns an error code that is consistent with typical PAM operations. For information on error-related return values, see the pam(3PAM) man page.

ATTRIBUTES
       See attributes(5) for description of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Committed                    |
       +-----------------------------+-----------------------------+
       |MT Level                     |MT-Safe with exceptions      |
       +-----------------------------+-----------------------------+

       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

SEE ALSO
       keylogin(1), libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM), pam_start(3PAM), syslog(3C), label_encodings(4), pam.conf(4), user_attr(4), attributes(5)

       Chapter 17, Using PAM, in System Administration Guide: Security Services

NOTES
       The functionality described on this manual page is available only if the system is configured with Trusted Extensions.

SunOS 5.11                                          20 Jul 2007                                  pam_tsol_account(5)
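
A configuration check for the policy described above, added here as an example and not part of the original man page or of Solaris: it scans pam.conf(4) text for pam_tsol_account account entries that carry allow_unlabeled or that run under a control flag that does not enforce the result. The sample configuration is constructed, and the one-entry-per-line parsing, the set of enforcing control flags, and the finding names are assumptions of this example.

```python
"""Audit pam.conf(4) text for pam_tsol_account entries that weaken the label check."""

# Constructed sample input (not from a real system): one entry per line,
# fields are: service, module type, control flag, module path, options.
SAMPLE_PAM_CONF = """\
# service  type     control   module                  options
login      account  required  pam_unix_account.so.1
login      account  required  pam_tsol_account.so.1
other      account  required  pam_tsol_account allow_unlabeled
sshd       account  optional  /usr/lib/security/pam_tsol_account.so.1 debug
"""

# Assumption: only these control flags make a module failure fail the stack.
ENFORCING_FLAGS = {"required", "requisite", "binding"}


def parse_entries(text):
    """Yield (lineno, service, mtype, control, module, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank line, comment, or incomplete entry
        service, mtype, control, module, *options = fields
        yield lineno, service, mtype, control, module, options


def is_tsol_account(module_path):
    """Match the module by file name, with or without a directory or .so.1."""
    name = module_path.rsplit("/", 1)[-1]
    return name == "pam_tsol_account" or name.startswith("pam_tsol_account.so")


def audit(text):
    """Return sorted (lineno, service, finding) tuples for weakened entries."""
    findings = []
    for lineno, service, mtype, control, module, options in parse_entries(text):
        if mtype != "account" or not is_tsol_account(module):
            continue
        if "allow_unlabeled" in options:
            # Documented effect: hosts with unlabeled template types may connect.
            findings.append((lineno, service, "allow_unlabeled"))
        if control not in ENFORCING_FLAGS:
            # PAM_PERM_DENIED from the label check may not deny access on its own.
            findings.append((lineno, service, "not_enforced"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, service, finding in audit(SAMPLE_PAM_CONF):
        print(f"line {lineno}: service {service}: {finding}")
```
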

Check Out this Related Man Page

pam_unix_account(5)					Standards, Environments, and Macros				       pam_unix_account(5)

NAME
       pam_unix_account - PAM account management module for UNIX

SYNOPSIS
       pam_unix_account.so.1

DESCRIPTION
       pam_unix_account module implements pam_sm_acct_mgmt(), which provides functionality to the PAM account management stack. The module provides functions to validate that the user's account is not locked or expired and that the user's password does not need to be changed. The module retrieves account information from the configured databases in nsswitch.conf(4).

       The following options can be passed to the module:

       debug
              syslog(3C) debugging information at the LOG_DEBUG level

       nowarn
              Turn off warning messages

       server_policy
              If the account authority for the user, as specified by PAM_USER, is a server, do not apply the Unix policy from the passwd entry in the name service switch.

ERRORS
       The following values are returned:

       PAM_UNIX_ACCOUNT
              User account has expired

       PAM_AUTHTOK_EXPIRED
              Password expired and no longer usable

       PAM_BUF_ERR
              Memory buffer error

       PAM_IGNORE
              Ignore module, not participating in result

       PAM_NEW_AUTHTOK_REQD
              Obtain new authentication token from the user

       PAM_PERM_DENIED
              The account is locked or has been inactive for too long

       PAM_SERVICE_ERR
              Error in underlying service module

       PAM_SUCCESS
              The account is valid for use at this time

       PAM_USER_UNKNOWN
              No account is present for the user

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       +-----------------------------+-----------------------------+
       |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
       +-----------------------------+-----------------------------+
       |Interface Stability          |Evolving                     |
       +-----------------------------+-----------------------------+
       |MT Level                     |MT-Safe with exceptions      |
       +-----------------------------+-----------------------------+

SEE ALSO
       pam(3PAM), pam_authenticate(3PAM), syslog(3C), libpam(3LIB), pam.conf(4), nsswitch.conf(4), attributes(5), pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_auth(5), pam_unix_session(5)

NOTES
       The interfaces in libpam(3LIB) are MT-Safe only if each thread within the multi-threaded application uses its own PAM handle.

       The pam_unix(5) module is no longer supported. Similar functionality is provided by pam_authtok_check(5), pam_authtok_get(5), pam_authtok_store(5), pam_dhkeys(5), pam_passwd_auth(5), pam_unix_account(5), pam_unix_auth(5), and pam_unix_session(5).

SunOS 5.10                                          17 Jul 2003                                  pam_unix_account(5)