Quick start guide to using the pam module
=========================================

The pam module supports two different flavors:
a) "eid"  - store the certificate for a user in that user's home
            directory in a file called ".eid/authorized_certificates"
b) "ldap" - store the certificate for a user in a central ldap
            repository

This guide only deals with flavor a). If you want to add documentation
on using pam with ldap, please send a patch to the opensc-devel mailing
list. See also the PAM section in the OpenSC HTML docs.

First initialize the token, create a user with a pin, create a key
and create a certificate, all as documented in the QUICKSTART file.


The first thing is to copy the opensc pam module to the right location.
Pam modules are searched for in the directory /lib/security/ (on the
system this guide was written for; check where your distribution keeps
its other pam_*.so modules if that directory does not exist):
$ cp /usr/lib/security/pam_opensc.so /lib/security/pam_opensc.so

Now change one service to use this pam module by default. Keep at least
one xterm and/or virtual console open as root, so you can undo any
configuration change in case it does not work.

Edit for example /etc/pam.d/login and replace
    auth required pam_unix.so nullok
with
    auth required pam_opensc.so

If you want to use opensc first, and fall back on normal password based
authentication, you could use these two lines, in this order:
    auth sufficient pam_opensc.so
    auth required pam_unix.so nullok

Note the first line is marked as "sufficient", so successful smart card
authentication will let a user in without asking for a password. If the
smart card step fails (no card, wrong pin), the user is simply asked for
the normal password, so the password remains a valid way in. If both
lines read "required", a user would have to use a smart card with the
right key and certificate on it, enter the right pin *AND* have the right
password for the normal login procedure.
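The two stacks above (smart card only, and smart card with password fallback) as one added example, not OpenSC's own code: a small POSIX shell helper that writes the chosen stack into a service file after keeping a backup, plus a check that flags the ordering mistake of listing pam_unix.so before a "sufficient" pam_opensc.so. The function names, the "both" mode and the .bak backup suffix are this example's own choices; it assumes the classic "auth <control> <module> [args]" line syntax shown in this guide.

```shell
#!/bin/sh
# Added example, not OpenSC's own code: install a pam_opensc auth stack
# into one service file and sanity-check the result.  Assumes the classic
# "auth <control> <module> [args]" line syntax used in this guide; the
# function names, the "both" mode and the .bak backup suffix are this
# example's own choices.

# Print the auth lines for MODE:
#   only     - the smart card is the only accepted way in
#   fallback - smart card first, normal password if that fails
#   both     - smart card AND password are required
pam_opensc_stanza() {
    case "$1" in
        only)     printf '%s\n' 'auth required pam_opensc.so' ;;
        fallback) printf '%s\n' 'auth sufficient pam_opensc.so' \
                                'auth required pam_unix.so nullok' ;;
        both)     printf '%s\n' 'auth required pam_opensc.so' \
                                'auth required pam_unix.so nullok' ;;
        *)        echo "unknown mode: $1" >&2; return 2 ;;
    esac
}

# Replace the first "auth ... pam_unix.so" line of FILE (e.g.
# /etc/pam.d/login) with the stanza for MODE.  A copy of the original is
# kept as FILE.bak so the change can be undone from the root shell you
# left open.
pam_install_stanza() {
    file=$1
    stanza=$(pam_opensc_stanza "$2") || return 2
    cp -p "$file" "$file.bak" || return 1
    awk -v stanza="$stanza" '
        !done && $1 == "auth" && $3 ~ /pam_unix\.so$/ { print stanza; done = 1; next }
        { print }
    ' "$file.bak" > "$file"
}

# Return 0 if pam_opensc.so is in the auth stack of FILE and, when
# pam_unix.so is also there, comes before it.  With pam_unix.so listed
# first the user would be asked for a password before the card is ever
# tried, which defeats the purpose of the "sufficient" line.
pam_stack_check() {
    awk '
        $1 == "auth" && $3 ~ /pam_opensc\.so$/ && !opensc  { opensc = NR }
        $1 == "auth" && $3 ~ /pam_unix\.so$/   && !pamunix { pamunix = NR }
        END {
            if (!opensc) { print "pam_opensc.so is not in the auth stack"; exit 1 }
            if (pamunix && pamunix < opensc) {
                print "pam_unix.so runs before pam_opensc.so"; exit 1
            }
        }
    ' "$1"
}

# Usage (as root, after copying the module into place):
#   pam_install_stanza /etc/pam.d/login fallback && pam_stack_check /etc/pam.d/login
```

Run it on a copy of the service file first; if pam_stack_check complains, restore the .bak copy from the root shell you kept open.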

Now every user needs to create a directory ".eid" in his or her home
directory and put the certificate in a file called "authorized_certificates".
To do this, create the directory and then enter the command (beware, this
will overwrite the file):
$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
Here 45 is the certificate ID used in the QUICKSTART file; run
"pkcs15-tool -c" to list the certificates on your card if you used another
ID. Keep the file writable by its owner only: anyone who can write to it
can add a certificate of their own and log in as you.

Now try to login using the smart card. Remember to first insert your
smart card into the reader, then enter your username, and then the
pin protecting the key on your card.

As of OpenSC version 0.9.2, ~/.eid/authorized_certificates can contain
multiple certificates. To use multiple certificates there, simply
concatenate them, for example like
$ pkcs15-tool -r 45 >> ~/.eid/authorized_certificates
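The per-user setup from the last three paragraphs as one added example, not OpenSC's own code: a POSIX shell helper that creates ~/.eid with owner-only permissions, appends a certificate only if it is not already in the file (so repeated "pkcs15-tool -r 45 >> ..." runs do not pile up duplicates), and refuses a file that other users could write to. The function names and the compare-by-base64-body approach are this example's own; it assumes that pkcs15-tool -r prints one PEM certificate on stdout, which is what the concatenation step above relies on.

```shell
#!/bin/sh
# Added example, not OpenSC's own code: manage ~/.eid/authorized_certificates
# for one user.  Assumes pkcs15-tool -r prints a single PEM certificate on
# stdout; the function names and the dedup-by-body approach are this
# example's own choices.

# Create HOME/.eid and an empty authorized_certificates, readable and
# writable by the owner only.
eid_init() {
    dir=$1/.eid
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$dir/authorized_certificates" ] || : > "$dir/authorized_certificates"
    chmod 600 "$dir/authorized_certificates"
}

# Print each certificate in FILE as one line of base64 with the PEM
# framing and all whitespace removed, so two dumps of the same certificate
# compare equal regardless of line wrapping.
eid_cert_bodies() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
        /^-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Number of certificates currently in FILE.
eid_count_certs() {
    eid_cert_bodies "$1" | wc -l | tr -d ' '
}

# Append the single PEM certificate read from stdin to FILE unless the same
# certificate is already there.  Returns 0 when added, 1 when it was a
# duplicate, 2 when stdin carried no certificate at all.
eid_add_cert() {
    file=$1
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    new=$(eid_cert_bodies "$tmp")
    if [ -z "$new" ]; then
        rm -f "$tmp"; echo "no PEM certificate on stdin" >&2; return 2
    fi
    if [ -f "$file" ] && eid_cert_bodies "$file" | grep -qxF -- "$new"; then
        rm -f "$tmp"; return 1
    fi
    cat "$tmp" >> "$file"
    rm -f "$tmp"
}

# Return 0 only if neither FILE nor its directory is group- or world-
# writable.  Whoever can write this file can add their own certificate and
# log in as this user, so pam should not be trusting a writable one.
eid_check_perms() {
    for p in "$1" "$(dirname "$1")"; do
        case "$(ls -ld "$p" | cut -c1-10)" in
            ?????w*|????????w*)
                echo "$p is writable by group or others" >&2; return 1 ;;
        esac
    done
}

# Usage, as the user, with the card in the reader (45 is the certificate
# ID from the QUICKSTART file):
#   eid_init "$HOME"
#   pkcs15-tool -r 45 | eid_add_cert "$HOME/.eid/authorized_certificates"
#   eid_check_perms "$HOME/.eid/authorized_certificates"
```

eid_add_cert compares the base64 body rather than the raw text, so the same certificate dumped with a different line width is still recognised as a duplicate; eid_check_perms looks at the directory as well, because a writable ~/.eid lets someone replace the whole file.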