
Testing the PAM Module

To test the pam_compare.so.1 module, update the /etc/pam.conf(4) file as detailed on page 6, and run the passwd command. With the maxequal variable set to 4, you see the following:

$ passwd
passwd: Changing password for testuser
Enter existing login password: s3cr3t!
New Password: s3cur3!
passwd: Your old and new password can't share more than 4 characters.

Please try again
New Password: a^_g34.Q
Re-enter new Password: a^_g34.Q
passwd: password successfully changed for testuser

PAM provides its services to all applications that perform password management, and all these applications benefit from the new module. If you created the local account testuser, you can force a password change the next time testuser logs in, with the following command:

$ passwd -f testuser

Here is an example of testuser logging in (please note that the boldface type is user input):

$ rlogin -l testuser localhost
Passwd: a^_g34.Q
Choose a new password.
New Password: 55Q.ga_^
rlogin: Your old and new password can't share more than 4 characters.
Try again

Choose a new password.
New Password: 

As illustrated, rlogin's password management service benefits immediately from the newly installed module.
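Both sessions above reject a new password that reuses the old characters in a different order, which suggests a position-independent count. The following C code is an added example, not the pam_compare source: the counting rule and the names shared_chars and password_ok are assumptions chosen to be consistent with the transcripts on this page.

```c
#include <stdio.h>

/*
 * Count characters common to old and new_pw, ignoring position.
 * Each occurrence in old can be matched at most once (multiset
 * intersection). ASSUMPTION: the page does not show pam_compare's
 * comparison rule; this one is consistent with its transcripts.
 */
static int shared_chars(const char *old, const char *new_pw)
{
    int seen[256] = {0};
    int shared = 0;
    const unsigned char *p;

    for (p = (const unsigned char *)old; *p != '\0'; p++)
        seen[*p]++;
    for (p = (const unsigned char *)new_pw; *p != '\0'; p++) {
        if (seen[*p] > 0) {
            seen[*p]--;          /* consume one old occurrence */
            shared++;
        }
    }
    return shared;
}

/* Returns 1 if the new password is acceptable, 0 if it must be rejected. */
static int password_ok(const char *old, const char *new_pw, int maxequal)
{
    return shared_chars(old, new_pw) <= maxequal;
}

int main(void)
{
    /* Old/new password pairs taken from the sessions on this page. */
    const char *pairs[][2] = {
        { "s3cr3t!",  "s3cur3!"  },
        { "s3cr3t!",  "a^_g34.Q" },
        { "a^_g34.Q", "55Q.ga_^" },
    };
    size_t i;

    for (i = 0; i < sizeof(pairs) / sizeof(pairs[0]); i++)
        printf("%-9s -> %-9s shared=%d %s\n", pairs[i][0], pairs[i][1],
               shared_chars(pairs[i][0], pairs[i][1]),
               password_ok(pairs[i][0], pairs[i][1], 4) ? "accept" : "reject");
    return 0;
}
```

A purely positional comparison would accept the reversed password from the rlogin session, so a check of this kind has to count characters independently of where they appear.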

By plugging multiple, low-level authentication mechanisms into applications at runtime, PAM integrates them with a single high-level API. These authentication mechanisms are encapsulated as dynamically loadable, shared software modules. These software modules may be installed independently of applications.

In environments where there is an LDAP directory server, either the pam_unix function or the pam_ldap function can be used to authenticate users. Because of its increased flexibility and support of stronger authentication methods, the use of the pam_ldap function is recommended. For organizations using the Solaris 9 OE, which offers LDAP for naming and directory services, the pam_ldap function offers an ideal way to extend the authentication capabilities.

Note

In the Solaris 9 OE, the pam_unix function does not exist in the same form that it does in the Solaris 8 OE. To accommodate proper stacking, the pam_unix function has been broken up into single service modules. When used together, these single service modules provide the same functionality as the existing pam_unix function. For example, some of the service modules are: pam_unix_auth(5), pam_authtok_*(5), and pam_passwd_auth(5).
