PAM_TSOL_ACCOUNT(7) Standards, Environments, and Macros PAM_TSOL_ACCOUNT(7)

NAME


pam_tsol_account - PAM account management module for Trusted Extensions

SYNOPSIS


pam_tsol_account.so.1


DESCRIPTION


The Trusted Extensions service module for PAM, pam_tsol_account.so.1,
checks account limitations that are related to labels.


pam_tsol_account.so.1 contains a function to perform account management,
pam_sm_acct_mgmt(3PAM). The function checks for the allowed label range
for the user. The allowable label range is set by the defaults in the
label_encodings(5) file. These defaults can be overridden by entries in
the user_attr(5) database.


By default, this module requires remote hosts that connect to the
global zone to have a CIPSO host type. To disable this policy, add the
allow_unlabeled keyword as an option to the entry in pam.conf(5), as in:

    other account required pam_tsol_account allow_unlabeled


OPTIONS


The following options can be passed to the module:

allow_unlabeled
    Allows remote connections from hosts with unlabeled
    template types.


debug
    Provides debugging information at the LOG_DEBUG level.
    See syslog(3C).
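
The following audit helper is an added example, not part of the original manual page or of the illumos source. It lists the account-stack entries in pam.conf(5) text that load pam_tsol_account and reports which of them pass allow_unlabeled or debug. The names audit_pam_conf, relaxed_services and SAMPLE are hypothetical, the sample entries are constructed, and only the five-field pam.conf layout is assumed (per-service /etc/pam.d files are not handled).

```python
import os

MODULE = "pam_tsol_account"  # module name as given on this manual page

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# service  type     control    module                    options
other      account  requisite  pam_roles.so.1
other      account  required   pam_unix_account.so.1
other      account  required   pam_tsol_account.so.1
rlogin     account  required   pam_tsol_account allow_unlabeled debug
login      auth     required   pam_unix_auth.so.1
"""

def audit_pam_conf(text):
    """Return one dict per account entry that loads pam_tsol_account."""
    findings = []
    # Join backslash-continued lines before splitting into entries.
    for line in text.replace("\\\n", " ").splitlines():
        fields = line.split()
        # Skip blanks, short lines and lines that begin with '#'. Text after
        # a mid-line '#' is still treated as options, so the audit errs
        # toward reporting rather than hiding a keyword.
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        service, mtype, control, path = fields[:4]
        options = fields[4:]
        name = os.path.basename(path)  # accept bare names and full paths
        if mtype.lower() != "account":
            continue
        if name != MODULE and not name.startswith(MODULE + ".so"):
            continue
        findings.append({
            "service": service,
            "control": control,
            "allow_unlabeled": "allow_unlabeled" in options,
            "debug": "debug" in options,
        })
    return findings

def relaxed_services(text):
    """Services whose entry disables the CIPSO host type requirement."""
    return [f["service"] for f in audit_pam_conf(text) if f["allow_unlabeled"]]

if __name__ == "__main__":
    for f in audit_pam_conf(SAMPLE):
        state = "unlabeled hosts allowed" if f["allow_unlabeled"] else "CIPSO required"
        print(f"{f['service']:8} {f['control']:10} {state} debug={f['debug']}")
```
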


RETURN VALUES


The following values are returned:

PAM_SUCCESS
    The account is valid for use at this time and label.


PAM_PERM_DENIED
    The current process label is outside the user's label
    range, or the label information for the process is
    unavailable, or the remote host type is not valid.


Other values
    Returns an error code that is consistent with typical
    PAM operations. For information on error-related
    return values, see the pam(3PAM) man page.


ATTRIBUTES


See attributes(7) for descriptions of the following attributes:


+--------------------+-------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-------------------------+
|Interface Stability | Committed |
+--------------------+-------------------------+
|MT Level | MT-Safe with exceptions |
+--------------------+-------------------------+


The interfaces in libpam(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.

SEE ALSO


keylogin(1), syslog(3C), libpam(3LIB), pam(3PAM), pam_sm_acct_mgmt(3PAM),
pam_start(3PAM), label_encodings(5), pam.conf(5), user_attr(5),
attributes(7)

NOTES


The functionality described on this manual page is available only if the
system is configured with Trusted Extensions.

illumos August 19, 2023 PAM_TSOL_ACCOUNT(7)