This Linux-PAM login module allows X.509 certificate based user login. The certificate and its private key are accessed through a suitable PKCS #11 module. The user's certificate is verified against locally stored CA certificates and against CRLs that are either fetched online or available locally.
Detailed information about the Linux-PAM system can be found in The Linux-PAM System Administrators' Guide, The Linux-PAM Module Writers' Guide and The Linux-PAM Application Developers' Guide. The specification of the Cryptographic Token Interface Standard (PKCS #11) is available at PKCS #11 - Cryptographic Token Interface Standard.
The PAM-PKCS#11 package provides:
You can read the online PAM-PKCS11 User Manual to know how to install, configure and use this software.
The PKCS #11 modules must fulfill the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11: Conformance Profile Specification by RSA Laboratories.
To map the ownership of a certificate to a user login, pam-pkcs11 uses the concept of a mapper: a configurable, stackable list of dynamic modules, each of which attempts one specific certificate-to-login mapping. Several mappers are provided:
Many mappers can also use a mapfile to translate certificate contents into a login name.
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
The provided RPM packages are built for Red Hat/Fedora distributions and may not install properly on other distributions.
Unpack the archive, configure, compile and install it:
$ tar xvzf pkcs11_login-X.Y.Z.tar.gz
$ cd pkcs11_login-X.Y.Z
$ ./configure
$ make
$ sudo make install
If you want to use lib cURL instead of our native URI-functions for downloading CRLs, add --with-curl to the ./configure call:
$ ./configure --with-curl
However, cURL currently cannot handle binary LDAP replies, so CRL download may not work for all LDAP URIs.
Next, you have to create the needed OpenSSL hash links: symlinks named after the subject hash (for CA certificates) or issuer hash (for CRLs), which OpenSSL uses to look up a certificate or CRL in a directory.
# make_hash_link.sh <path to the directory with the CA certificates>
# make_hash_link.sh <path to the directory with the CRLs>
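The following is an added example, not the project's make_hash_link.sh, showing what such hash links look like and how to build them for both a CA certificate directory and a CRL directory. It assumes the openssl command line tool is on PATH and that the files are PEM encoded; the function names (hash_of, link_one, make_hash_links) and the directory paths in the usage comments are illustrative.

```shell
#!/bin/sh
# Added example (not pam_pkcs11's make_hash_link.sh): build the OpenSSL
# hash links that a directory based CA/CRL lookup needs.  OpenSSL finds a CA
# certificate by <subject-hash>.N and a CRL by <issuer-hash>.rN, where N
# starts at 0 and is incremented when several files share one hash.
# Assumptions: the openssl CLI is on PATH and the files are PEM encoded.

# Print the lookup hash of a PEM file: $1 = "cert" or "crl", $2 = path.
hash_of() {
    case "$1" in
        cert) openssl x509 -noout -hash -in "$2" ;;
        crl)  openssl crl  -noout -hash -in "$2" ;;
        *)    echo "hash_of: unknown kind '$1'" >&2; return 1 ;;
    esac
}

# Create the link for one file inside its own directory and print the link
# name.  A link that already points at this file is reused (idempotent); a
# clash with a different file moves on to the next free suffix (.0, .1, ...),
# which is how OpenSSL resolves two CAs whose subject names hash alike.
link_one() {
    kind=$1; file=$2
    dir=$(dirname "$file"); base=$(basename "$file")
    h=$(hash_of "$kind" "$file") || return 1
    case "$kind" in cert) pfx="" ;; crl) pfx="r" ;; esac
    n=0
    while :; do
        link="$dir/$h.$pfx$n"
        if [ ! -e "$link" ]; then
            ln -s "$base" "$link"
            break
        elif [ "$(readlink "$link")" = "$base" ]; then
            break   # already linked on a previous run
        fi
        n=$((n + 1))
    done
    echo "$h.$pfx$n"
}

# Link every regular *.pem/*.crt (certs) or *.crl/*.pem (CRLs) file in a dir.
# Usage (paths are illustrative):
#   make_hash_links cert /etc/pam_pkcs11/cacerts
#   make_hash_links crl  /etc/pam_pkcs11/crls
make_hash_links() {
    kind=$1; dir=$2
    for f in "$dir"/*; do
        [ -L "$f" ] && continue            # skip the links themselves
        [ -f "$f" ] || continue
        case "$f" in *.pem|*.crt|*.crl) ;; *) continue ;; esac
        link_one "$kind" "$f" || return 1
    done
}
```

After linking, `openssl verify -CApath <cacerts dir> <cert>` is a quick check that the directory resolves the CA; a certificate that verifies with `-CAfile` but not with `-CApath` almost always means a missing or stale hash link. On OpenSSL 1.1.0 and later the stock `openssl rehash` (or `c_rehash`) command does the same job for a single directory.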
Alternatively, you can use provided binary and source rpm files to install.
See PAM-PKCS#11 User Manual to configure and set up pam_pkcs11.
See PAM-PKCS11 Mappers API to get advanced information on mappers (mainly for developers).
Any comments, suggestions and bug reports are welcome.
PKCS #11 PAM Login Module - http://www.opensc-project.org/pam_pkcs11 - Copyright © 2003-2004 Mario Strasser, 2005 Juan A. Martinez