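#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito@teleline.es>
#
# Layout: "key = value;" entries grouped in "name { ... }" blocks.
# Every entry in this file ends with ";" (a few entries that lacked it
# have been made consistent with the rest).
# "@libdir@" is presumably substituted at build/install time — verify
# that no literal "@libdir@" survives in the installed copy.
#
pam_pkcs11 {
  # Allow empty passwords.
  # NOTE(review): "true" accepts an empty PIN/password, which weakens
  # authentication; keep "false" unless there is a documented reason.
  nullok = true;

  # Enable debugging support.
  # NOTE(review): debug output may expose authentication details in logs;
  # leave it off outside of troubleshooting.
  debug = true;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # card_only means:
  #  1) always get the userid from the certificate.
  #  2) don't prompt for the user name if the card is present.
  #  3) if the token is present, then we must use the cardAuth mechanism.
  card_only = false;

  # wait_for_card means:
  #  1) nothing if card_only isn't set
  #  2) if logged in, block in pam conversation until the token used for login
  #     is inserted
  #  3) if not logged in, block until a token that could be used for logging in
  #     is inserted
  # right now, logged in means PKCS11_LOGIN_TOKEN_NAME is set,
  # but we could do something else later (like set some per-user state in
  # a pam session module keyed off uid)
  wait_for_card = false;

  # List of screen saver services.
  # This list is only parsed if card_only is set. Basically the screen saver
  # will bypass pam_pkcs11 if a token was not used to login (The basic idea is
  # you always unlock the screen saver with the same mechanism you used to
  # login).
  screen_savers = xfce4-screensaver, mate-screensaver, gnome-screensaver, kde4-kscreensaver, kscreensaver, xscreensaver;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = opensc;

  pkcs11_module opensc {
    module = /usr/local/lib/opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";

    # Which slot to use?
    # You can use "slot_num" or "slot_description", but not both, to specify
    # the slot to use. Using "slot_description" is preferred because the
    # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
    # only be used with those PKCS#11 implementations that guarantee
    # constant slot numbering.
    #
    # slot_description = "xxxx"
    #   The slot is specified by the slot description, for example,
    #   slot_description = "Sun Crypto Softtoken". The default value is
    #   "none" which means to use the first slot with an available token.
    #
    # slot_num = a_number
    #   The slot is specified by the slot number, for example, slot_num = 1.
    #   The default value is zero which means to use the first slot with an
    #   available token.
    #
    slot_description = "none";

    # Where are CA certificates stored?
    # You can setup this value to:
    #  1- A directory with openssl hash-links to all certificates
    #  2- A CA file in PEM (.pem) or ASN1 (.cer) format,
    #     containing all allowed CA certs
    # The default value is /usr/local/etc/pam_pkcs11/cacerts.
    ca_dir = /usr/local/etc/pam_pkcs11/cacerts;

    # Path to the directory where the local (offline) CRLs are stored.
    # Same convention as above is applied: you can choose either
    # hash-link directory or CRL file
    # The default value is /usr/local/etc/pam_pkcs11/crls.
    crl_dir = /usr/local/etc/pam_pkcs11/crls;

    # Some pkcs#11 libraries can handle multithreading. So
    # set it to true to properly call C_Initialize()
    support_threads = false;

    # Sets the Certificate verification policy.
    #  "none"        Performs no verification
    #  "ca"          Does CA check
    #  "crl_online"  Downloads the CRL from the location given by the
    #                CRL distribution point extension of the certificate
    #  "crl_offline" Uses the locally stored CRLs
    #  "crl_auto"    Is a combination of online and offline; it first
    #                tries to download the CRL from a possibly given CRL
    #                distribution point and if this fails, uses the local
    #                CRLs
    #  "signature"   Does also a signature check to ensure that private
    #                and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    # NOTE(review): the policy below performs no revocation check; add one
    # of the crl_* flags if revoked certificates must be rejected.
    cert_policy = ca,signature;

    # What kind of token?
    # The value of the token_type parameter will be used in the user prompt
    # messages. The default value is "Smart card".
    token_type = "Smart card";
  }

  # Aladdin eTokenPRO 32
  pkcs11_module etoken {
    # trailing ";" added for consistency with every other entry
    module = /usr/local/lib/libetpkcs11.so;
    description = "Aladdin eTokenPRO-32";
    slot_num = 0;
    support_threads = true;
    ca_dir = /usr/local/etc/pam_pkcs11/cacerts;
    crl_dir = /usr/local/etc/pam_pkcs11/crls;
    cert_policy = ca,signature;
  }

  # NSS (Network Security Service) config
  pkcs11_module nss {
    nss_dir = /etc/ssl/nssdb;
    # NOTE(review): "none" disables revocation checking for this module.
    crl_policy = none;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = @libdir@/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    support_threads = false;
    ca_dir = /usr/local/etc/pam_pkcs11/cacerts;
    crl_dir = /usr/local/etc/pam_pkcs11/crls;
    # NOTE(review): "none" skips the CA, CRL and signature checks entirely,
    # so a certificate from any issuer would be accepted by this module.
    cert_policy = none;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used, the null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  use_mappers = digest, cn, pwent, uid, mail, subject, null;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is not yet functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = @libdir@/pam_pkcs11;

  #
  # Generic certificate contents mapper
  mapper generic {
    # NOTE(review): the only mapper with debug enabled; every other mapper
    # below uses "false".
    debug = true;
    #module = @libdir@/pam_pkcs11/generic_mapper.so;
    module = internal;
    # ignore letter case on match/compare
    ignorecase = false;
    # Use one of "cn" , "subject" , "kpn" , "email" , "upn" , "uid" or "serial"
    cert_item = cn;
    # Define mapfile if needed, else select "none"
    mapfile = file:///usr/local/etc/pam_pkcs11/generic_mapping;
    # Decide if use getpwent() to map login
    use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
    debug = false;
    # module = @libdir@/pam_pkcs11/subject_mapper.so;
    module = internal;
    ignorecase = false;
    mapfile = file:///usr/local/etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
    debug = false;
    module = @libdir@/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
    debug = false;
    module = @libdir@/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
    debug = false;
    ignorecase = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper. when user as finder matches to NULL or "nobody"
  mapper null {
    debug = false;
    # module = @libdir@/pam_pkcs11/null_mapper.so;
    module = internal;
    # select behavior: always match, or always fail
    default_match = false;
    # on match, select returned user
    default_user = nobody;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
    debug = false;
    module = @libdir@/pam_pkcs11/ldap_mapper.so;
    # hostname of ldap server (use LDAP-URI for more than one)
    ldaphost = "";
    # Port on ldap server to connect, this is also the default
    # if no port is given in URI below
    # if empty, then 389 for TLS and 636 for SSL is used
    ldapport = ;
    # space separated list of LDAP URIs (URIs are used by given order)
    URI = "";
    # Scope of search: 0-2
    # Default is 1 = "one", meaning the set of records one
    # level below the basedn.
    #   0 = "base" means search only the basedn, and
    #   2 = "sub" means the union of entries at the "base" level
    #   and ? all or "one" level below ??? FIXME
    scope = 2;
    # DN to bind with. Must have read-access for user entries
    # under "base"
    binddn = "cn=pam,o=example,c=com";
    # Password for above DN
    # NOTE(review): this is a cleartext credential stored in the config;
    # keep the file readable by root only and give the bind DN read-only,
    # minimal rights.
    passwd = "";
    # Searchbase for user entries
    base = "ou=People,o=example,c=com";
    # Attribute of user entry which contains the certificate
    attribute = "userCertificate";
    # Searchfilter for user entry. Must only let pass user entry
    # for the login user.
    filter = "(&(objectClass=posixAccount)(uid=%s))";
    # SSL/TLS-Switch
    # This is a global switch, you can't switch between
    # SSL or TLS and non secured connections per URI!
    # values: off (standard), tls or on (ssl) or ssl
    ssl = tls;
    # SSL specific settings
    # tls_randfile = ...
    tls_cacertfile = /etc/ssl/cacert.pem;
    # tls_cacertdir = ...
    # NOTE(review): 0 disables verification of the LDAP server certificate,
    # so the TLS session above does not authenticate the server and the bind
    # password could be disclosed to an impostor; set it to 1 once
    # tls_cacertfile points at the trusted CA.
    tls_checkpeer = 0;
    #tls_ciphers = ...
    #tls_cert = ...
    #tls_key = ...
  }

  # Assume common name (CN) to be the login
  mapper cn {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/cn_mapper.so;
    ignorecase = true;
    # mapfile = file:///usr/local/etc/pam_pkcs11/cn_map;
    mapfile = "none";
  }

  # mail - Compare email field from certificate
  mapper mail {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/mail_mapper.so;
    # Declare mapfile or
    # leave empty "" or "none" to use no map
    mapfile = file:///usr/local/etc/pam_pkcs11/mail_mapping;
    # Some certs store email in uppercase. take care on this
    ignorecase = true;
    # Also check that host matches mx domain
    # when using mapfile this feature is ignored
    ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/ms_mapper.so;
    ignorecase = false;
    ignoredomain = false;
    domainname = "domain.com";
  }

  # krb - Compare against Kerberos Principal Name
  mapper krb {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/krb_mapper.so;
    ignorecase = false;
    mapfile = "none";
  }

  # uid - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/uid_mapper.so;
    ignorecase = false;
    mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
    debug = false;
    module = internal;
    # module = @libdir@/pam_pkcs11/digest_mapper.so;
    # algorithm used to evaluate certificate digest
    # Select one of:
    # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
    # NOTE(review): md2/md4/md5 are considered weak for identity mapping;
    # use the strongest algorithm the module supports.
    algorithm = "sha1";
    mapfile = file:///usr/local/etc/pam_pkcs11/digest_mapping;
    # mapfile = "none";
  }

}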