pam_pkcs11 - PAM Authentication Module for the PKCS#11 token libraries
pam_pkcs11.so [debug] [config_file=filename]
The pam_pkcs11 module implements pam_sm_authenticate(3PAM), which provides functionality to the PAM authentication stack. This module allows a user to login a system, using a X.509 certificate and its dedicated private key stored in a PKCS#11 token. This module currently supports the RSA algorithm only.
To verify the dedicated private key is truly associated with the X.509 certificate, the following verification procedure is performed in this module by default:
For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.
The pam_pkcs11.so service module can be used in the <auth> PAM chain. The program that needs a PAM service should be configured in the /etc/pam.conf file. For details on how to configure PAM services, see pam.conf(4).
The following example uses only pam_pkcs11 for authentication:
login auth requisite pam_pkcs11.so.1 login autho required pam_unix_cred.so.1
The following example uses pam_pkcs11 for authentication with fallback to standard UNIX authentication:
login auth sufficient pam_pkcs11.so.1 login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_unix_auth.so.1
To configure the pam_pkcs11 module, you must have the following information:
To configure the pam_pkcs11 module, you need to modify the pam_pkcs11.conf configuration file which is in the /etc/security/pam_pkcs11 directory by default. For detailed information on how to configure the pam_pkcs11 module, see the PAM-PKCS11 User Manual, available at the http://www.opensc-project.org/ web site, under the PAM PKCS#11 link.
The following example illustrates how to configure the pam_pkcs11 module for a user whose certificate and private key are stored in the Solaris pkcs11_softtoken keystore. This example uses the default certificate verification policy.
On Solaris, the PKCS#11 module should be set to /usr/lib/libpkcs11.so.1, the PKCS#11 Cryptographic Framework library.
Specifies the slot to be used. For example, slot_description = "Sun Crypto Softtoken". The default value for this entry is none which means to use the first slot with an available token.
An administrator can use the cryptoadm list -vcommand to find all the available slots and their slot descriptions. For more information, see libpkcs11(3LIB) and cryptoadm(1M).
The certificate verification policy includes:
none
ca
signature
crl_xxx
As this example uses the default policy, cert_policy = ca,signature, an administer needs to set up the CA certificates.
A certificate that is self-signed is its own CA certificate. Therefore, in this example, the certificate is placed both in the Softtoken keystore and in the CA certificate directory.
$ /etc/security/pam_pkcs11/make_hash_link.sh \ /etc/security/pam_pkcs11/cacerts
When a X509 certificate is provided, there are no direct ways to map a certificate to a login. The pam_pkcs11 module provides a configurable way with mappers to specify cert-to-user mapping.
Many mappers are provided by the pam_pkcs11 module, for example, the common name (CN) mapper, the digest mapper, the Email mapper, or the LDAP mapper.
A user can configure a mapper list in the pam_pkcs11.conf file. The mappers in the list are used sequentially until the certificate is successfully matched with the user.
The default mapper list is as follows:
use_mappers = digest, cn, pwent, uid, mail, subject, null;
Some mappers do not require the specification of a mapfile, for example, the common name mapper. Other mappers require mapfiles, for example, the digest mapper. Some sample mapping files can be found in the /etc/security/pam_pkcs11 directory.
The following options are supported:
config_file=filename
debug
/usr/lib/security/pam_pkcs11.so
/usr/lib/pam_pkcs11/ldap_mapper.so
/usr/lib/pam_pkcs11/opensc_mapper.so
/usr/lib/pam_pkcs11/openssh_mapper.so
/etc/security/pam_pkcs11/pam_pkcs11.conf
/etc/security/pam_pkcs11/cacerts
/etc/security/pam_pkcs11/crls
/etc/security/pam_pkcs11/digest_mapping.example
/etc/security/pam_pkcs11/subject_mapping.example
/etc/security/pam_pkcs11/mail_mapping.example
/etc/security/pam_pkcs11/make_hash_link.sh
PAM-pkcs11 was originally written by MarioStrasser , mast@gmx.net.
Newer versions are from Juan Antonio Martinez, jonsito@teleline.es
See attributes(5) for a description of the following attributes:
|
pkcs11_inspect(1), pklogin_finder(1), cryptoadm(1M), libpkcs11(3LIB)libpkcs11(3LIB)pam_sm_authenticate(3PAM), pam.conf(4), attributes(5), pkcs11_softtoken(5)
PAM-PKCS11 User Manual, available at the http://www.opensc-project.org/ web site, under the PAM PKCS#11 link.
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |