path: root/usr/src/man/man5/pam_tsol_account.5
'\" te
.\" Copyright (c) 2007, Sun Microsystems, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License").  You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.  See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE.  If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PAM_TSOL_ACCOUNT 5 "Jul 20, 2007"
.SH NAME
pam_tsol_account \- PAM account management module for Trusted Extensions
.SH SYNOPSIS
.LP
.nf
\fB/usr/lib/security/pam_tsol_account.so.1\fR
.fi

.SH DESCRIPTION
.sp
.LP
The Solaris Trusted Extensions service module for \fBPAM\fR,
\fB/usr/lib/security/pam_tsol_account.so.1\fR, checks account limitations that
are related to labels. The \fBpam_tsol_account.so.1\fR module is a shared
object that can be dynamically loaded to provide the necessary functionality
upon demand. Its path is specified in the \fBPAM\fR configuration file.
.sp
.LP
\fBpam_tsol_account.so.1\fR contains a function to perform account management,
\fBpam_sm_acct_mgmt()\fR. The function checks for the allowed label range for
the user.  The allowable label range is set by the defaults in the
\fBlabel_encodings\fR(4) file. These defaults can be overridden by entries in
the \fBuser_attr\fR(4) database.
.sp
.LP
By default, this module requires that remote hosts connecting to the global
zone have a CIPSO host type. To disable this policy, add the
\fBallow_unlabeled\fR keyword as an option to the entry in \fBpam.conf\fR(4),
as in:
.sp
.in +2
.nf
other  account required    pam_tsol_account allow_unlabeled
.fi
.in -2
.sp

.SH OPTIONS
.sp
.LP
The following options can be passed to the module:
.sp
.ne 2
.na
\fB\fBallow_unlabeled\fR\fR
.ad
.RS 19n
Allows remote connections from hosts with unlabeled template types.
.RE

.sp
.ne 2
.na
\fB\fBdebug\fR\fR
.ad
.RS 19n
Provides debugging information at the \fBLOG_DEBUG\fR level. See
\fBsyslog\fR(3C).
.RE
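.sp
.LP
The following audit sketch is an added example, not part of the original manual
page or of the Trusted Extensions source. It parses text in \fBpam.conf\fR(4)
field order and reports \fBpam_tsol_account\fR account entries that carry
\fBallow_unlabeled\fR or, going beyond this page, use a control flag
(\fBoptional\fR, \fBsufficient\fR) under which a failure of the module does not
by itself deny access. The sample entries and all function names are
constructed for illustration.

```python
import os

# Constructed sample in pam.conf(4) field order; not taken from a real system.
SAMPLE = """# service module_type control_flag module_path options
login  account required  pam_unix_account.so.1
other  account required  pam_tsol_account allow_unlabeled
sshd   account required  /usr/lib/security/pam_tsol_account.so.1 debug
cron   account optional  pam_tsol_account.so.1
#other account required  pam_tsol_account allow_unlabeled
"""

MODULE = "pam_tsol_account"
# Flags under which a module failure does not by itself deny access.
NON_ENFORCING = {"optional", "sufficient"}

def entries(text):
    """Yield (lineno, service, type, flag, module_path, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Assumption: only whole-line comments are skipped, so a finding is
        # reported rather than missed if a '#' appears later on the line.
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) >= 4:
            yield (lineno, fields[0], fields[1].lower(), fields[2].lower(),
                   fields[3], fields[4:])

def is_tsol_account(path):
    """Match the bare name, the .so.1 name, or an absolute path to either."""
    base = os.path.basename(path)
    return base == MODULE or base.startswith(MODULE + ".so")

def audit(text):
    """Return (lineno, service, issue) for weakened pam_tsol_account entries."""
    findings = []
    for lineno, service, mtype, flag, path, opts in entries(text):
        if mtype != "account" or not is_tsol_account(path):
            continue
        if "allow_unlabeled" in opts:
            findings.append((lineno, service, "allow_unlabeled"))
        if flag in NON_ENFORCING:
            findings.append((lineno, service, "flag:" + flag))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d, service %s: %s" % finding)
```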

.SH RETURN VALUES
.sp
.LP
The following values are returned:
.sp
.ne 2
.na
\fB\fBPAM_SUCCESS\fR\fR
.ad
.RS 19n
The account is valid for use at this time and label.
.RE

.sp
.ne 2
.na
\fB\fBPAM_PERM_DENIED\fR\fR
.ad
.RS 19n
The current process label is outside the user's label range, or the label
information for the process is unavailable, or the remote host type is not
valid.
.RE

.sp
.ne 2
.na
\fBOther values\fR
.ad
.RS 19n
Returns an error code that is consistent with typical PAM operations. For
information on error-related return values, see the \fBpam\fR(3PAM) man page.
.RE

.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp

.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE	ATTRIBUTE VALUE
_
Interface Stability	Committed
_
MT Level	MT-Safe with exceptions
.TE

.sp
.LP
The interfaces in \fBlibpam\fR(3LIB) are MT-Safe only if each thread within the
multi-threaded application uses its own PAM handle.
.SH SEE ALSO
.sp
.LP
\fBkeylogin\fR(1), \fBlibpam\fR(3LIB), \fBpam\fR(3PAM),
\fBpam_sm_acct_mgmt\fR(3PAM), \fBpam_start\fR(3PAM), \fBsyslog\fR(3C),
\fBlabel_encodings\fR(4), \fBpam.conf\fR(4), \fBuser_attr\fR(4),
\fBattributes\fR(5)
.sp
.LP
Chapter 17, \fIUsing PAM,\fR in \fISystem Administration Guide: Security
Services\fR
.SH NOTES
.sp
.LP
The functionality described on this manual page is available only if the system
is configured with Trusted Extensions.