[[Image(http://oasis.dit.upm.es/~jantonio/pam-pkcs11/pam-pkcs11.png)]]
== PKCS !#11 PAM Login Tools ==
----
=== Description ===
This Linux-PAM login module allows an X.509 certificate based user login. The certificate and its private key are accessed through an appropriate PKCS !#11 module. Users' certificates are verified against locally stored CA certificates and against CRLs that are either downloaded online or available locally.
Detailed information about the Linux-PAM system can be found in [http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html The Linux-PAM System Administrators' Guide], [http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_MWG.html The Linux-PAM Module Writers' Guide] and [http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_ADG.html The Linux-PAM Application Developers' Guide]. The specification of the Cryptographic Token Interface Standard (PKCS !#11) is available at [http://www.rsa.com/rsalabs/node.asp?id=2133 PKCS #11 - Cryptographic Token Interface Standard].
The PAM-PKCS!#11 package provides:
 * A PAM module able to:
   * Use certificates to get user credentials
   * Deduce a login based on the provided certificate
 * Several tools:
   * Standalone cert-to-login finder tool
   * Certificate contents viewer
   * Card event status monitor, to trigger actions on card insertion/removal
Read the online [http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html PAM-PKCS11 User Manual] to learn how to install, configure and use this software.
==== PKCS !#11 Module Requirements ====
The PKCS !#11 modules must fulfill the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the [http://www.rsa.com/rsalabs/node.asp?id=2133 PKCS #11: Conformance Profile Specification] by RSA Laboratories.
==== User Matching ====
To map the ownership of a certificate to a user login, pam-pkcs11 uses the concept of a ''mapper'': a configurable, stackable list of dynamic modules, each one trying a specific cert-to-login mapping. Several mappers are provided:
 * the common name of the subject matches the login name
 * the unique identifier of the subject matches the login name
 * the user part of an e-mail subject alternative name extension matches the login name
 * the Microsoft universal principal name extension matches the login name
 * etc. (see the documentation on the provided mappers)
Many mappers can also use a ''mapfile'' to translate certificate contents into a login name.
=== License ===
* Copyright © 2003-2004 Mario Strasser
* Copyright © 2005 Juan Antonio Martinez
* Copyright © 2005-2007 Ludovic Rousseau
This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
=== Download ===
* [http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.3.tar.gz pam_pkcs11-0.6.3.tar.gz ] (1070 Kbyte, "md5sum -b" hash: 13650b32474c1a2e40e9ec09034cd4d0)
* Older versions, and beta releases are available [http://www.opensc-project.org/files/pam_pkcs11]
The provided RPM packages are built for RedHat/Fedora distributions and may not install properly on other distributions.
=== Installation ===
Unpack the archive, configure, compile and install it:
{{{
$ tar xvzf pkcs11_login-X.Y.Z.tar.gz
$ cd pkcs11_login-X.Y.Z
$ ./configure
$ make
$ sudo make install
}}}
If you want to use [http://curl.haxx.se/libcurl/ libcurl] instead of the native URI functions for downloading CRLs, add '''--with-curl''' to the '''./configure''' call:
{{{
$ ./configure --with-curl
}}}
However, cURL is currently not able to handle binary LDAP replies, so CRL download might not work for all LDAP URIs.
Next, you have to create the OpenSSL hash links (symlinks named after the subject-name hash) that OpenSSL needs in order to find the CA certificates and CRLs; run the script in each directory that holds them:
{{{
# make_hash_link.sh
# make_hash_link.sh
}}}
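The following added example (not code from this page or from the pam_pkcs11 project) ties the hash-link step above to the user-matching section: it builds a throw-away CA and user certificate with the openssl CLI, creates the subject-hash symlinks in a stand-in CA directory, shows that chain verification against that directory only succeeds once the links exist, and then applies the "common name matches the login name" mapper with a mapfile lookup. All file names, the directory layout and the "value -> login" mapfile line format are assumptions constructed for the demo; the module's real directories come from its configuration.

```shell
#!/bin/sh
# Added example, not part of the pam_pkcs11 page or project. Requires the
# openssl CLI (1.1.1 or later). Paths, names and mapfile format are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CACERTS="$WORK/cacerts"      # stands in for the module's CA-certificate directory
mkdir -p "$CACERTS"

# Constructed test PKI: a self-signed CA and a user certificate with CN=alice.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/alice.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/alice.pem" >/dev/null 2>&1
}

# What a hash-link script does for one directory: each CA certificate gets a
# symlink named <subject-hash>.<n>, the only name OpenSSL looks up in a CApath
# directory (CRLs are looked up as <hash>.r<n> in the same way).
make_hash_links() {
    dir=$1
    for f in "$dir"/*.pem; do
        h=$(openssl x509 -in "$f" -noout -hash)
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # do not clobber on a hash collision
        ln -s "$(basename "$f")" "$dir/$h.$n"
    done
}

# Chain verification against the local CA directory only; exit status 0 = valid.
verify_user_cert() {
    openssl verify -no-CAfile -CApath "$CACERTS" "$1" >/dev/null 2>&1
}

# "Common name of the subject matches the login name" mapper: extract the CN.
cn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^ *CN=//p' | head -n 1
}

# Mapfile translation, one "certificate value -> login" per line (assumed format).
mapfile_lookup() {   # $1 = mapfile, $2 = value taken from the certificate
    awk -F' -> ' -v v="$2" '$1 == v { print $2; exit }' "$1"
}

make_demo_pki
cp "$WORK/ca.pem" "$CACERTS/demo-ca.pem"
printf '%s\n' 'alice -> alice' 'Demo Admin -> admin' > "$WORK/cn.map"

# Without hash links OpenSSL cannot locate the issuer, so verification fails.
if verify_user_cert "$WORK/alice.pem"; then BEFORE_LINKS=valid; else BEFORE_LINKS=invalid; fi
make_hash_links "$CACERTS"
if verify_user_cert "$WORK/alice.pem"; then AFTER_LINKS=valid; else AFTER_LINKS=invalid; fi

# Only a verified certificate is handed to the mapper. A real mapper stack would
# additionally confirm that the resulting login exists on the system.
LOGIN=""
if [ "$AFTER_LINKS" = valid ]; then
    LOGIN=$(mapfile_lookup "$WORK/cn.map" "$(cn_of "$WORK/alice.pem")")
fi
echo "before links: $BEFORE_LINKS, after links: $AFTER_LINKS, login candidate: ${LOGIN:-none}"
```

The point of the before/after check is the one that bites in practice: a CA certificate dropped into the directory without its hash link is silently ignored by OpenSSL, so the module cannot verify anything issued under it until the links are rebuilt.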
Alternatively, you can install from the provided binary and source RPM files.
=== Configuration ===
See [http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html PAM-PKCS#11 User Manual] to configure and set up pam_pkcs11.
See the [http://www.opensc-project.org/doc/pam_pkcs11/mappers_api.html PAM-PKCS11 Mappers API] for advanced information on mappers (mainly for developers).
=== Documentation ===
 * Online manuals
   * [source:trunk/NEWS NEWS] and [source:trunk/TODO TODO] files
   * [source:trunk/ChangeLog ChangeLog]
   * [http://www.opensc-project.org/doc/pam_pkcs11/pam_pkcs11.html PAM-PKCS#11 User Manual]
   * [http://www.opensc-project.org/doc/pam_pkcs11/mappers_api.html PAM-PKCS#11 Mappers API Reference]
 * Man pages
   * [wiki:PamPkcs11 pam_pkcs11(8)]
   * [wiki:CardEventmgr card_eventmgr(1)]
   * [wiki:Pkcs11Eventmgr pkcs11_eventmgr(1)]
   * [wiki:PkloginFinder pklogin_finder(1)]
   * [wiki:Pkcs11Inspect pkcs11_inspect(1)]
=== Contact ===
Any comments, suggestions and bug reports are welcome.
* [mailto:opensc-devel@lists.opensc-project.org OpenSC Devel list opensc-devel@lists.opensc-project.org]
----
PKCS !#11 PAM Login Module - http://www.opensc-project.org/pam_pkcs11 - Copyright © 2003-2004 Mario Strasser, 2005 Juan A. Martinez