PAM-PKCS#11 Login Tools

Description

This Linux-PAM login module allows an X.509 certificate-based user login. The certificate and its private key are accessed through an appropriate PKCS #11 module. Users' certificates are verified against locally stored CA certificates and against CRLs that are either fetched online or available locally.

Detailed information about the Linux-PAM system can be found in The Linux-PAM System Administrators' Guide, The Linux-PAM Module Writers' Guide and The Linux-PAM Application Developers' Guide. The specification of the Cryptographic Token Interface Standard (PKCS#11) is available at PKCS#11 - Cryptographic Token Interface Standard.

The PAM-PKCS#11 package provides:

You can read the online PAM-PKCS#11 User Manual to learn how to install, configure and use this software.

PKCS#11 Module Requirements

The PKCS #11 module must fulfill the requirements of the RSA Asymmetric Client Signing Profile, as specified in the PKCS #11: Conformance Profile Specification by RSA Laboratories.

User Matching

To map the ownership of a certificate to a user login, pam-pkcs11 uses the concept of a mapper: a configurable, stackable list of dynamic modules, each of which tries to perform one specific certificate-to-login mapping. Several mappers are provided:

Many mappers can also use a mapfile to translate certificate contents into a login name.

License

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Download

RPM packages are available for RedHat/Fedora distributions and may not install properly on other distributions.

Installation

Unpack the archive, configure, compile and install it:

$ tar xvzf pkcs11_login-X.Y.Z.tar.gz
$ cd pkcs11_login-X.Y.Z
$ ./configure
$ make
$ sudo make install

If you want to use libcurl instead of the native URI functions for downloading CRLs, add --with-curl to the ./configure call:

$ ./configure --with-curl

However, cURL currently cannot handle binary LDAP replies, so CRL download may not work for all LDAP URIs.

Next, create the required OpenSSL hash links for the CA certificate directory and the CRL directory:

# make_hash_link.sh <path to the directory with the CA certificates>
# make_hash_link.sh <path to the directory with the CRLs>

Alternatively, you can install from the provided binary and source RPM files.
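The hash links created in the last step are what OpenSSL's hash-directory lookup, and therefore pam_pkcs11's CA and CRL checks, actually search for: a link named after the hash of a CA certificate's subject, or of a CRL's issuer, not the file's original name. As an added example, not the project's own make_hash_link.sh, the POSIX shell script below builds those links for one directory, keeps colliding hashes apart instead of overwriting them, is safe to rerun, and checks the result the same way a login will use it, through openssl verify -CApath. The script name hashlinks.sh is a placeholder, the directories are whatever you pass in, and the layout it assumes (<hash>.N for certificates, <hash>.rN for CRLs, PEM input files) is OpenSSL's convention rather than anything stated on this page.

```shell
#!/bin/sh
# Added example (not the project's make_hash_link.sh): build the OpenSSL
# hash-directory links that pam_pkcs11's CA and CRL lookups rely on.
# Assumption, not stated on the page: the directories follow OpenSSL's
# hash-dir layout, where a CA certificate is found as <subject-hash>.N and
# a CRL as <issuer-hash>.rN (N = 0, 1, ... separates colliding hashes),
# and the files are PEM encoded.

# hash_of FILE KIND: print the 8-hex-digit name hash OpenSSL looks up
# (subject hash for a certificate, issuer hash for a CRL).
hash_of() {
    case "$2" in
        cert) openssl x509 -noout -hash -in "$1" ;;
        crl)  openssl crl  -noout -hash -in "$1" ;;
        *)    echo "hash_of: KIND must be cert or crl" >&2; return 1 ;;
    esac
}

# link_one FILE KIND: create <hash>.N (cert) or <hash>.rN (crl) in FILE's
# directory. The first free N is used, so two files with the same hash get
# .0 and .1 instead of one clobbering the other; a link that already points
# at FILE is reused, which makes repeated runs harmless. Prints the link.
link_one() {
    file=$1; kind=$2
    dir=$(dirname "$file"); base=$(basename "$file")
    hash=$(hash_of "$file" "$kind") || return 1
    case "$kind" in crl) suffix=r ;; *) suffix= ;; esac
    n=0
    while :; do
        link="$dir/$hash.$suffix$n"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            ln -s "$base" "$link" || return 1
            echo "$link"; return 0
        fi
        if [ "$(readlink "$link")" = "$base" ]; then
            echo "$link"; return 0
        fi
        n=$((n + 1))
    done
}

# make_hash_links DIR KIND: link every certificate (KIND=cert) or CRL
# (KIND=crl) in DIR; prints how many files were processed. Existing hash
# links are not matched by these globs, so they are never re-hashed.
make_hash_links() {
    dir=$1; kind=$2; count=0
    case "$kind" in
        cert) set -- "$dir"/*.pem "$dir"/*.crt ;;
        crl)  set -- "$dir"/*.pem "$dir"/*.crl ;;
        *)    echo "make_hash_links: KIND must be cert or crl" >&2; return 1 ;;
    esac
    for f in "$@"; do
        [ -f "$f" ] || continue
        link_one "$f" "$kind" >/dev/null || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# verify_with_store CA_DIR CERT: check that the links work, done the way a
# PKCS#11 login will use them, via OpenSSL's hash-dir lookup. Returns
# openssl verify's status (0 = chain builds to a CA found in CA_DIR).
verify_with_store() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage (hypothetical file name):
#   sh hashlinks.sh <directory with CA certificates> cert
#   sh hashlinks.sh <directory with CRLs> crl
if [ "$#" -eq 2 ]; then
    make_hash_links "$1" "$2"
fi
```

Run it once per directory, as with make_hash_link.sh, and rerun it whenever a CA certificate or CRL is added: a file dropped into the directory without its hash link is invisible to the lookup, so a login that should verify will fail (or, for a CRL, a revoked certificate will still be accepted under an offline CRL policy).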

Configuration

See PAM-PKCS#11 User Manual to configure and set up pam_pkcs11.

See the PAM-PKCS#11 Mappers API for advanced information on mappers (mainly for developers).

Documentation

Contact

Get involved in development! All comments, suggestions and bug reports are welcome.
