root/trunk/etc/pam_pkcs11.conf.example

Revision 341, 10.2 kB (checked in by ludovic.rousseau, 5 weeks ago)

Allow configuring the token name used in the different PAM prompts. The default
value is "Smart card". See the token_type= setting in
etc/pam_pkcs11.conf

Thanks to Huie-Ying Lee for the patch.

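#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito@teleline.es>
#
# Syntax: every "key = value" statement ends with ";" and blocks are
# delimited by braces. Keep one statement per line so the parser does not
# run two settings together.
#
pam_pkcs11 {
  # Allow empty passwords.
  # Keep this false in production unless an empty token password/PIN is
  # really intended.
  nullok = true;

  # Enable debugging support.
  # Debug output exposes details of the authentication flow; turn it off
  # once the setup works.
  debug = true;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # Name of the pkcs11_module block to use. The default value is "default"
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";

    # Which slot to use?
    # You can use "slot_num" or "slot_description", but not both, to specify
    # the slot to use.   Using "slot_description" is preferred because the
    # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
    # only be used with those PKCS#11 implementations that guarantee
    # constant slot numbering.
    #
    #  slot_description = "xxxx"
    #      The slot is specified by the slot description, for example,
    #      slot_description = "Sun Crypto Softtoken".  The default value is
    #      "none" which means to use the first slot with an available token.
    #
    #  slot_num = a_number
    #      The slot is specified by the slot number, for example, slot_num = 1.
    #      The default value is zero which means to use the first slot with an
    #      available token.
    #
    slot_description = "none";

    # Where are CA certificates stored?
    # You can set this value to:
    # 1- A directory with openssl hash-links to all certificates
    # 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
    # containing all allowed CA certs
    # The default value is /etc/pam_pkcs11/cacerts.
    # Only CAs that are allowed to issue login certificates belong here:
    # every CA in this store can vouch for a user.
    ca_dir = /etc/pam_pkcs11/cacerts;

    # Path to the directory where the local (offline) CRLs are stored.
    # Same convention as above is applied: you can choose either
    # hash-link directory or CRL file
    # The default value is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;

    # Some PKCS#11 libraries can handle multithreading. So
    # set it to true to properly call C_Initialize()
    support_threads = false;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification (any certificate is accepted;
    #               only suitable for testing)
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca, crl, and signature flags, or just
    # use "none".
    # Without "signature" the module does not prove that the token holds the
    # private key; without "ca" it does not check who issued the certificate.
    cert_policy = ca,signature;

    # What kind of token?
    # The value of the token_type parameter will be used in the user prompt
    # messages.   The default value is "Smart card".
    token_type = "Smart card";
  }

  # Aladdin eTokenPRO 32
  pkcs11_module etoken {
    module = /usr/local/lib/libetpkcs11.so;
    description = "Aladdin eTokenPRO-32";
    slot_num = 0;
    support_threads = true;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy = ca,signature;
  }

  # NSS (Network Security Service) config
  pkcs11_module nss {
    nss_dir = /etc/ssl/nssdb;
    crl_policy = none;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = /usr/lib/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    support_threads = false;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    # "none" performs no verification at all; change this before using the
    # default module for real logins.
    cert_policy = none;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list; mappers are tried in the
  # order given, so every mapper listed here is able to grant a login.
  # If used, the null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  use_mappers = digest, cn, pwent, uid, mail, subject, null;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is still not functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = /usr/lib/pam_pkcs11;

  #
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        #module = /usr/lib/pam_pkcs11/generic_mapper.so;
        module = internal;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/pam_pkcs11/generic_mapping;
        # Decide if use getpwent() to map login
        use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
        debug = false;
        # module = /usr/lib/pam_pkcs11/subject_mapper.so;
        module = internal;
        ignorecase = false;
        mapfile = file:///etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
        debug = false;
        module = /usr/lib/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
        debug = false;
        module = /usr/lib/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
        debug = false;
        ignorecase = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper: either always matches (returning default_user)
  # or always fails, depending on default_match
  mapper null {
        debug = false;
        # module = /usr/lib/pam_pkcs11/null_mapper.so;
        module = internal;
        # select behavior: always match, or always fail
        # (true turns this into a blind "accept" for any certificate that
        # reached it)
        default_match = false;
        # on match, select returned user
        default_user = nobody;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
        debug = false;
        module = /usr/lib/pam_pkcs11/ldap_mapper.so;
        # hostname of ldap server (use LDAP-URI for more than one)
        ldaphost = "";
        # Port on ldap server to connect, this is also the default
        #   if no port is given in URI below
        #   if empty, then 389 for TLS and 636 for SSL is used
        ldapport = ;
        # space separated list of LDAP URIs (URIs are used in the given order)
        URI = "";
        # Scope of search: 0-2
        #   Default is 1 = "one", meaning the set of records one
        #   level below the basedn.
        #   0 = "base"  means search only the basedn, and
        #   2 = "sub"   means the basedn and its whole subtree
        scope = 2;
        # DN to bind with. Must have read-access for user entries
        # under "base"
        binddn = "cn=pam,o=example,c=com";
        # Password for above DN
        # If a real password is stored here, make sure this file is readable
        # by root only.
        passwd = "";
        # Searchbase for user entries
        base = "ou=People,o=example,c=com";
        # Attribute of user entry which contains the certificate
        attribute = "userCertificate";
        # Searchfilter for user entry. Must only let pass user entry
        # for the login user.
        filter = "(&(objectClass=posixAccount)(uid=%s))";
        # SSL/TLS-Switch
        #   This is a global switch, you can't switch between
        #   SSL or TLS and non secured connections per URI!
        #   values: off (standard), tls or on (ssl) or ssl
        ssl = tls;
        # SSL specific settings
        # tls_randfile = ...
        tls_cacertfile = /etc/ssl/cacert.pem;
        # tls_cacertdir = ...
        # NOTE(review): 0 appears to leave the LDAP server certificate
        # unverified, so TLS protects the channel but not the server's
        # identity; confirm against the ldap mapper and set it to 1 together
        # with tls_cacertfile for production use.
        tls_checkpeer = 0;
        #tls_ciphers = ...
        #tls_cert = ...
        #tls_key = ...
  }

  # Assume common name (CN) to be the login
  mapper cn {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/cn_mapper.so;
        ignorecase = true;
        # mapfile = file:///etc/pam_pkcs11/cn_map;
        mapfile = "none";
  }

  # mail -  Compare email field from certificate
  mapper mail {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/mail_mapper.so;
        # Declare mapfile or
        # leave empty "" or "none" to use no map
        mapfile = file:///etc/pam_pkcs11/mail_mapping;
        # Some certs store email in uppercase. take care on this
        ignorecase = true;
        # Also check that host matches mx domain
        # when using mapfile this feature is ignored
        ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/ms_mapper.so;
        ignorecase = false;
        # with ignoredomain = true any domain in the UPN is accepted, so keep
        # it false unless the trusted CAs only issue certificates for your
        # own domain
        ignoredomain = false;
        domain = "domain.com";
  }

  # krb  - Compare against Kerberos Principal Name
  mapper krb {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/krb_mapper.so;
        ignorecase = false;
        mapfile = "none";
  }

  # uid  - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/uid_mapper.so;
        ignorecase = false;
        mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
        debug = false;
        module = internal;
        # module = /usr/lib/pam_pkcs11/digest_mapper.so;
        # algorithm used to evaluate certificate digest
        # Select one of:
        # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
        # md2/md4/md5 are listed for compatibility only; they are
        # collision-prone and should not be used for new mappings.
        algorithm = "sha1";
        mapfile = file:///etc/pam_pkcs11/digest_mapping;
        # mapfile = "none";
  }

}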