pam_pkcs11(5)        Standards, Environments, and Macros        pam_pkcs11(5)
NAME
pam_pkcs11 - PAM Authentication Module for the PKCS#11 token libraries
SYNOPSIS
pam_pkcs11.so [debug] [config_file=filename]
DESCRIPTION
The pam_pkcs11 module implements pam_sm_authenticate(3PAM), which provides
functionality to the PAM authentication stack. This module allows a user
to log in to a system using an X.509 certificate and its dedicated private
key stored in a PKCS#11 token. This module currently supports the RSA
algorithm only.
To verify that the dedicated private key is truly associated with the X.509
certificate, the following verification procedure is performed by this
module by default:
o Generate 128 bytes of random data.
o Sign the random data with the private key to obtain a signature. This
step is done in the PKCS#11 token.
o Verify the signature using the public key extracted from the
certificate.
For the verification of the users' certificates, locally stored CA
certificates as well as either online or locally accessible CRLs are used.
PAM CONFIGURATION
The pam_pkcs11.so service module can be used in the <auth> PAM chain.
The program that needs a PAM service should be configured in the
/etc/pam.conf file. For details on how to configure PAM services, see
pam.conf(4).
The following example uses only pam_pkcs11 for authentication:
login auth requisite pam_pkcs11.so.1
login auth required pam_unix_cred.so.1
The following example uses pam_pkcs11 for authentication with fallback
to standard UNIX authentication:
login auth sufficient pam_pkcs11.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
PAM_PKCS11 CONFIGURATION
To configure the pam_pkcs11 module, you must have the following
information:
o Which PKCS #11 token you are going to use
o Which mapper(s) you need, and if needed, how to create and
edit the related mapping files
o The root Certificate Authority files, and if required, the
Certificate Revocation Lists files
o The list of authorized users to login, and their corresponding
certificates
To configure the pam_pkcs11 module, you need to modify the
pam_pkcs11.conf configuration file, which is in the
/etc/security/pam_pkcs11 directory by default. For detailed information
on how to configure the pam_pkcs11 module, see the PAM-PKCS11 User
Manual, available at the http://www.opensc-project.org/ web site, under
the PAM PKCS#11 link.
The following example illustrates how to configure the pam_pkcs11 module
for a user whose certificate and private key are stored in the Solaris
pkcs11_softtoken keystore. This example uses the default certificate
verification policy.
o Set up the PKCS#11 module.
On Solaris, the PKCS#11 module should be set to
/usr/lib/libpkcs11.so.1, the PKCS#11 Cryptographic Framework
library.
o Set up the slot_description entry.
Specifies the slot to be used. For example, slot_description
= "Sun Crypto Softtoken". The default value for this entry
is none which means to use the first slot with an available
token.
An administrator can use the cryptoadm list -v command to find all the
available slots and their slot descriptions.
For more information, see libpkcs11(3LIB) and cryptoadm(1M).
o Install or create user certificates and their dedicated private keys in
the specified PKCS#11 token.
o Set up the certificate verification policy (cert_policy). If
needed, set up CA certificate and CRL files.
The certificate verification policy includes:
none Perform no verification
ca Perform CA check
signature Perform a signature check to ensure that the private and
public keys match
crl_xxx Perform various certificate revocation checking
As this example uses the default policy, cert_policy = ca,signature, an
administrator needs to set up the CA certificates.
o Copy the CA certificate to the /etc/security/pam_pkcs11/cacerts
directory.
A certificate that is self-signed is its own CA certificate. Therefore,
in this example, the certificate is placed both in the Softtoken keystore
and in the CA certificate directory.
o Make hash links for CA certificates
$ /etc/security/pam_pkcs11/make_hash_link.sh \
/etc/security/pam_pkcs11/cacerts
o Set up the mappers and mapfiles.
When an X.509 certificate is provided, there is no direct way to map a
certificate to a login. The pam_pkcs11 module provides a configurable
way, using mappers, to specify the cert-to-user mapping.
Many mappers are provided by the pam_pkcs11 module, for
example, the common name (CN) mapper, the digest mapper, the
Email mapper, or the LDAP mapper.
A user can configure a mapper list in the pam_pkcs11.conf
file. The mappers in the list are used sequentially until
the certificate is successfully matched with the user.
The default mapper list is as follows:
use_mappers = digest, cn, pwent, uid, mail, subject, null;
Some mappers do not require the specification of a mapfile, for example,
the common name mapper. Other mappers require mapfiles, for example, the
digest mapper. Some sample mapping files can be found in the
/etc/security/pam_pkcs11 directory.
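The following is an added example, not code from this manual or from the pam_pkcs11 project: a simplified model of how the use_mappers list above is walked, first match wins, over mapfiles in the "key -> login" layout of the sample *_mapping.example files. It assumes that the digest, mail and subject mappers need a mapfile, that the cn mapper without a mapfile uses the CN itself as the login, and it skips mappers it does not model (pwent, uid); the certificates and logins are constructed.

```python
# Added example, not code from the pam_pkcs11 manual or project: a simplified
# model of how the configured use_mappers list is walked (first match wins).
# Assumptions: mapfiles hold one "key -> login" pair per line plus '#' comments
# (layout of the *_mapping.example files); digest, mail and subject mappers
# need a mapfile; cn with no mapfile uses the CN as login; pwent/uid skipped.
MAPFILE_REQUIRED = {"digest", "mail", "subject"}
DEFAULT_MAPPERS = ["digest", "cn", "pwent", "uid", "mail", "subject", "null"]

def parse_mapfile(text):
    """Return {key: login} from 'key -> login' lines; blanks/comments ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "->" not in line:
            continue
        key, login = (part.strip() for part in line.split("->", 1))
        if key and login:
            table[key] = login
    return table

def match_cert(cert, use_mappers, mapfiles):
    """Walk use_mappers in order; return (mapper, login) of the first hit.
    cert: certificate fields keyed by mapper name. mapfiles: mapper name ->
    parsed table. The null mapper ends the chain with no login, so anything
    listed after it is never consulted."""
    for mapper in use_mappers:
        if mapper == "null":
            return ("null", None)
        value, table = cert.get(mapper), mapfiles.get(mapper)
        if value is None:  # mapper not modelled or field absent: skip
            continue
        if table is not None:
            if value in table:
                return (mapper, table[value])
        elif mapper not in MAPFILE_REQUIRED:
            return (mapper, value)  # cn without a mapfile: the CN is the login
    return (None, None)

# Constructed sample data, not real certificates or accounts.
DIGEST_MAPFILE = "# digest -> login\n11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00 -> alice\n"
ALICE = {"digest": "11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00", "cn": "Alice Example"}
BOB = {"digest": "00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11", "cn": "bob"}

def demo():
    """alice is pinned by her digest; bob is unlisted, so the cn mapper with no
    mapfile hands back his CN: mapper order and mapfile coverage decide access."""
    mapfiles = {"digest": parse_mapfile(DIGEST_MAPFILE)}
    return (match_cert(ALICE, DEFAULT_MAPPERS, mapfiles),
            match_cert(BOB, DEFAULT_MAPPERS, mapfiles))
```

The second result shows why a mapper that needs no mapfile should not sit early in the list unless every CN the CA may issue is an acceptable login.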
OPTIONS
The following options are supported:
config_file=filename Specify the configuration file. The default value is
/etc/security/pam_pkcs11/pam_pkcs11.conf.
debug Enable debugging output.
FILES
/usr/lib/security/pam_pkcs11.so
pam_pkcs11 module
/usr/lib/pam_pkcs11/ldap_mapper.so
Mapper module.
/usr/lib/pam_pkcs11/opensc_mapper.so
Mapper module.
/usr/lib/pam_pkcs11/openssh_mapper.so
Mapper module.
/etc/security/pam_pkcs11/pam_pkcs11.conf
Configuration file.
/etc/security/pam_pkcs11/cacerts
Configuration directory. Stores the CA certificates.
/etc/security/pam_pkcs11/crls
Configuration directory. Stores the CRL files.
/etc/security/pam_pkcs11/digest_mapping.example
Sample mapfile.
/etc/security/pam_pkcs11/subject_mapping.example
Sample mapfile.
/etc/security/pam_pkcs11/mail_mapping.example
Sample mapfile.
/etc/security/pam_pkcs11/make_hash_link.sh
Sample script.
AUTHORS
PAM-pkcs11 was originally written by Mario Strasser, mast@gmx.net.
Newer versions are from Juan Antonio Martinez, jonsito@teleline.es
ATTRIBUTES
See attributes(5) for a description of the following attributes:
┌─────────────────────────────┬──────────────────────────────────────────┐
│ ATTRIBUTE TYPE              │ ATTRIBUTE VALUE                          │
├─────────────────────────────┼──────────────────────────────────────────┤
│ Availability                │ library/security/pam/module/pam-pkcs11,  │
│                             │ SUNWpampkcs11r, SUNWpampkcs11-docs       │
├─────────────────────────────┼──────────────────────────────────────────┤
│ Interface Stability         │ Uncommitted                              │
└─────────────────────────────┴──────────────────────────────────────────┘
SEE ALSO
pkcs11_inspect(1), pklogin_finder(1), cryptoadm(1M), libpkcs11(3LIB),
pam_sm_authenticate(3PAM), pam.conf(4), attributes(5), pkcs11_softtoken(5)
PAM-PKCS11 User Manual, available at the http://www.opensc-project.org/
web site, under the PAM PKCS#11 link.
SunOS 5.11 21 Jul 2008 pam_pkcs11(5)