# # Configuration file for pam_pkcs11 module # # Version 0.4 # Author: Juan Antonio Martinez # pam_pkcs11 { # Allow empty passwords nullok = true; # Enable debugging support. debug = false; # If the smart card is inserted, only use it card_only = true; # Do not prompt the user for the passwords but take them from the # PAM_ items instead. use_first_pass = false; # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK # is unset. try_first_pass = false; # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been # previously set (intended for stacking password modules only). use_authtok = false; # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = coolkey; screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module coolkey { module = libcoolkeypk11.so; description = "Cool Key" # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the NSS CA certificate database is stored. # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; # Sets the Certificate verification policy. # "none" Performs no verification # "ca" Does CA check # "crl_online" Downloads the CRL form the location given by the # CRL distribution point extension of the certificate # "crl_offline" Uses the locally stored CRLs # "crl_auto" Is a combination of online and offline; it first # tries to download the CRL from a possibly given CRL # distribution point and if this fails, uses the local # CRLs # "ocsp_on" Turn on OCSP. # "signature" Does also a signature check to ensure that private # and public key matches # You can use a combination of ca,crl, and signature flags, or just # use "none". cert_policy = ca, signature; } pkcs11_module opensc { module = opensc-pkcs11.so; description = "OpenSC PKCS#11 module"; # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the NSS CA certificate database is stored. # you can mange the certs in this database with the certutil command in # the package nss-tools nss_dir = /etc/pki/nssdb; # Sets the Certificate Policy, (see above) cert_policy = ca, signature; } # Default pkcs11 module pkcs11_module default { module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; description = "Default pkcs#11 module"; slot_num = 0; #ca_dir = /etc/pam_pkcs11/cacerts; #crl_dir = /etc/pam_pkcs11/crls; nss_dir = /etc/pki/nssdb; cert_policy = ca, signature; } # Which mappers ( Cert to login ) to use? # you can use several mappers: # # subject - Cert Subject to login file based mapper # pwent - CN to getpwent() login or gecos fields mapper # ldap - LDAP mapper # opensc - Search certificate in ${HOME}/.eid/authorized_certificates # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys # mail - Compare email fields from certificate # ms - Use Microsoft Universal Principal Name extension # krb - Compare againts Kerberos Principal Name # cn - Compare Common Name (CN) # uid - Compare Unique Identifier # digest - Certificate digest to login (mapfile based) mapper # generic - User defined certificate contents mapped # null - blind access/deny mapper # # You can select a comma-separated mapper list. # If used null mapper should be the last in the list :-) # Also you should select at least one mapper, otherwise # certificate will not match :-) use_mappers = cn, uid, pwent, null; # When no absolute path or module info is provided, use this # value as module search path # TODO: # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; # # Generic certificate contents mapper mapper generic { debug = true; module = /usr/$LIB/pam_pkcs11/generic_mapper.so; # ignore letter case on match/compare ignorecase = false; # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" cert_item = cn; # Define mapfile if needed, else select "none" mapfile = file:///etc/pam_pkcs11/generic_mapping # Decide if use getpwent() to map login use_getpwent = false; } # Certificate Subject to login based mapper # provided file stores one or more "Subject -> login" lines mapper subject { debug = false; # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; module = internal; ignorecase = false; mapfile = file:///etc/pam_pkcs11/subject_mapping; } # Search public keys from $HOME/.ssh/authorized_keys to match users mapper openssh { debug = false; module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; } # Search certificates from $HOME/.eid/authorized_certificates to match users mapper opensc { debug = false; module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; } # Certificate Common Name ( CN ) to getpwent() mapper mapper pwent { debug = false; ignorecase = false; module = internal; # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; } # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" mapper null { debug = false; # module = /usr/$LIB/pam_pkcs11/null_mapper.so; module = internal ; # select behavior: always match, or always fail default_match = false; # on match, select returned user default_user = nobody ; } # Directory ( ldap style ) mapper mapper ldap { debug = false; module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; # where base directory resides basedir = /etc/pam_pkcs11/mapdir; # hostname of ldap server ldaphost = "localhost"; # Port on ldap server to connect ldapport = 389; # Scope of search: 0 = x, 1 = y, 2 = z scope = 2; # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN passwd = "test"; # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate attribute = "userCertificate"; # Searchfilter for user entry. Must only let pass user entry for the login user. filter = "(&(objectClass=posixAccount)(uid=%s))" } # Assume common name (CN) to be the login mapper cn { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; ignorecase = true; mapfile = file:///etc/pam_pkcs11/cn_map; } # mail - Compare email field from certificate mapper mail { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; # Also check that host matches mx domain # when using mapfile this feature is ignored ignoredomain = false; } # ms - Use Microsoft Universal Principal Name extension # UPN is in format login@ADS_Domain. No map is needed, just # check domain name. mapper ms { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; ignorecase = false; ignoredomain = false; domain = "domain.com"; } # krb - Compare againts Kerberos Principal Name mapper krb { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; ignorecase = false; mapfile = "none"; } # uid - Maps Subject Unique Identifier field (if exist) to login mapper uid { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; ignorecase = false; mapfile = "none"; } # digest - elaborate certificate digest and map it into a file mapper digest { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; # algorithm used to evaluate certificate digest # Select one of: # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" algorithm = "sha1"; mapfile = file:///etc/pam_pkcs11/digest_mapping; # mapfile = "none"; } }