File: QuickStart.html

pam-p11 0.1.2-3
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>QuickStart - pam_p11 - Trac</title><style type="text/css">
           @import url(trac.css);
          </style></head><body><div class="wikipage">
    <div id="searchable"><h1>Installing pam_p11</h1>
<p>
Installation is quite easy:
</p>
<pre class="wiki" xml:space="preserve">wget http://www.opensc.org/files/pam_p11-0.1.tar.gz
tar xfvz pam_p11-0.1.tar.gz
cd pam_p11-0.1
./configure --prefix=/usr --libdir=/lib/
make
make install
</pre><p>
is all you need. Pam_p11 depends on pkg-config, openssl, libp11 and pam.
If you don't have pkg-config installed, please install it and try again.
If pkg-config is installed but not found, adjust your PATH environment setting.
If openssl is not installed, please install it. If openssl or libp11 is not found,
change your PKG_CONFIG_PATH environment setting to include the directory
containing the "openssl.pc" or "libp11.pc" file. Some Linux distributions split
openssl into a runtime package and a development package; you need to
install both. The same may be true for pam and libp11.
</p>
<h1>Using pam_p11_opensc</h1>
<p>
To use pam_p11_opensc with some application like login, edit /etc/pam.d/login
and replace
</p>
<pre class="wiki" xml:space="preserve">auth       required   pam_unix.so nullok
</pre><p>
with
</p>
<pre class="wiki" xml:space="preserve">auth       required   pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
</pre><p>
Replace <tt>/usr/lib/opensc-pkcs11.so</tt> with your PKCS#11 implementation.
</p>
<p>
While testing it is best to keep a door open, i.e. also allow
login via passwords. To try pam_p11_opensc first and fall back to a password,
put the following into your pam configuration:
</p>
<pre class="wiki" xml:space="preserve">auth       sufficient   pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth       required   pam_unix.so nullok
</pre><p>
Each user also needs to create a <tt>~/.eid/</tt> directory containing
a file <tt>~/.eid/authorized_certificates</tt>. You can do that via
</p>
<pre class="wiki" xml:space="preserve">mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 45 &gt; ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates
</pre><p>
This example uses the "pkcs15-tool" command from opensc to read the
default user certificate (id 45) from the smart card in reader 0.
</p>
<p>
It is very important that only the owner of the file can write to it.
You can have any number of certificates in that file. The certificates
need to be in "pem" format; "der" format is currently not supported.
</p>
<p>
Pam_p11_opensc is the successor of the OpenSC pam_opensc module (eid mode).
It is 100% compatible with it, but has fewer bugs. Using pam_opensc is discouraged.
</p>
<h1>Using pam_p11_openssh</h1>
<p>
To use pam_p11_openssh with some application like login, edit /etc/pam.d/login
and replace
</p>
<pre class="wiki" xml:space="preserve">auth       required   pam_unix.so nullok
</pre><p>
with
</p>
<pre class="wiki" xml:space="preserve">auth       required   pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
</pre><p>
Replace <tt>/usr/lib/opensc-pkcs11.so</tt> with your PKCS#11 implementation.
</p>
<p>
While testing it is best to keep a door open, i.e. also allow
login via passwords. To try pam_p11_openssh first and fall back to a password,
put the following into your pam configuration:
</p>
<pre class="wiki" xml:space="preserve">auth       sufficient   pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
auth       required   pam_unix.so nullok
</pre><p>
Each user also needs to create a <tt>~/.ssh/</tt> directory containing
a file <tt>~/.ssh/authorized_keys</tt>. You can do that via
</p>
<pre class="wiki" xml:space="preserve">mkdir ~/.ssh
chmod 0755 ~/.ssh
ssh-keygen -D 0 &gt; ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys
</pre><p>
This example uses the "ssh-keygen" command from openssh to read the
default user public key (id 45) from the smart card in reader 0.
Note that this tool prints the public key in two formats: ssh v1 and
ssh v2. It is recommended to edit the file and delete one of
those two lines. You might also want to add a comment / identifier
at the end of the line.
</p>
<p>
It is very important that only the owner of the file can write to it.
You can have any number of public keys in that file.
</p>
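<p>
As an added example (not part of pam_p11 or of this page), the following Python checks the requirements both sections above place on the per-user file: writable only by its owner, PEM rather than DER certificates in <tt>authorized_certificates</tt>, and the mixed ssh v1/v2 lines that <tt>ssh-keygen -D</tt> leaves in <tt>authorized_keys</tt>. The certificate and key data are constructed placeholders, not real credentials.
</p>

```python
import os
import re
import stat
import tempfile

# pam_p11 requires the per-user authorization file to be writable only by its
# owner, and accepts certificates in PEM form only (DER is unsupported).
PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def check_permissions(path, expected_uid):
    """Return a list of ownership/mode problems for an authorization file."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("not owned by the user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    return problems

def classify_certificates(data):
    """Count PEM certificate blocks; flag DER (raw ASN.1 SEQUENCE, tag 0x30)."""
    if data[:1] == b"\x30":
        return {"pem": 0, "der": True}
    return {"pem": len(PEM_CERT.findall(data)), "der": False}

def classify_ssh_keys(text):
    """Split authorized_keys lines into ssh v1 ("bits exponent modulus") and v2 ("ssh-rsa ...")."""
    v1, v2 = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^\d+ \d+ \d+", line):
            v1.append(line)
        elif line.split()[0].startswith("ssh-"):
            v2.append(line)
    return v1, v2

# Constructed sample data (placeholders, not real keys or certificates).
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nMIIBxDCCAS0=\n-----END CERTIFICATE-----\n") * 2
SAMPLE_KEYS = "1024 35 1234567890 user@card\nssh-rsa AAAAB3NzaC1yc2E= user@card\n"

def demo_checks():
    """Write SAMPLE_PEM to a temp file and run every check; returns the findings."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_certificates")
    with open(path, "wb") as f:
        f.write(SAMPLE_PEM)
    os.chmod(path, 0o664)                      # group-writable: must be flagged
    loose = check_permissions(path, os.getuid())
    os.chmod(path, 0o644)                      # the mode the QuickStart recommends
    strict = check_permissions(path, os.getuid())
    foreign = check_permissions(path, os.getuid() + 1)   # file owned by someone else
    return {"loose": loose, "strict": strict, "foreign": foreign,
            "certs": classify_certificates(SAMPLE_PEM),
            "ssh": classify_ssh_keys(SAMPLE_KEYS)}
```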
<p>
Note that it is currently not possible to convert existing ssh keys into
pem format and store them on a smart card. (To be precise: OpenSC
has no such functionality; whether other implementations do is unclear.)
</p>
<h2>Security Note</h2>
<p>
Both pam_p11 modules are plain: they simply compare RSA public keys,
request the cryptographic token to sign some random data, and
verify the signature with the public key. No CA chain checking is done,
no CRL is looked at, and they don't know what OCSP is. This works fine
for small installations, but if you want any of those features, please
have a look at <a class="ext-link" title="http://www.opensc.org/pam_pkcs11" href="http://www.opensc.org/pam_pkcs11" shape="rect">Pam_pkcs11</a> for a fully
fledged pam module for smart card authentication.
</p>
</div>
   </div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>