1 # |
|
2 # Configuration file for pam_pkcs11 module |
|
3 # |
|
4 # Original Author: Juan Antonio Martinez <[email protected]> |
|
5 # |
|
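pam_pkcs11 {
  # Allow empty passwords (i.e. a token whose PIN is empty).
  # Kept off: with an empty PIN, possession of the token (or of a copy of a
  # software token) is the only factor left. Enable it only for token
  # technologies that really have no PIN and where that risk is accepted.
  nullok = false;

  # Enable debugging support.
  # Off for production: debug output is verbose and lands in the PAM logs
  # of every login attempt. Turn it on only while troubleshooting.
  debug = false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = default;

  pkcs11_module default {
    module = /usr/lib/libpkcs11.so;
    description = "Solaris PKCS#11 Cryptographic Framework library";

    # Which slot to use?
    # You can use "slot_description" or "slot_num", but not both, to specify
    # the slot to use. Using "slot_description" is preferred because the
    # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
    # only be used with those PKCS#11 implementations that guarantee
    # constant slot numbering.
    #
    # slot_description = "xxxx"
    # The slot is specified by the slot description, for example,
    # slot_description = "Sun Crypto Softtoken". The default value is
    # "none" which means to use the first slot with an available token.
    #
    # slot_num = a_number
    # The slot is specified by the slot number, for example, slot_num = 1.
    # The default value is zero which means to use the first slot with an
    # available token.
    #
    # On Solaris OS, an administrator can use the "cryptoadm list -v" command
    # to find all the available slots and their slot descriptions. For more
    # information, see the libpkcs11(3LIB) and cryptoadm(1M) man pages.
    #
    # Note that "none" picks whichever slot happens to hold a token first;
    # on a system with several providers, pin the slot by description so
    # a different (e.g. software) token cannot be substituted.
    slot_description = "none";

    # Where are CA certificates stored?
    # You can set this value to:
    # 1- A directory with openssl hash-links to all certificates
    # 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
    #    containing all allowed CA certs
    # The default value is /etc/security/pam_pkcs11/cacerts.
    # Only the CAs listed here are trusted to issue login certificates
    # (see cert_policy below), so keep this location root-owned and
    # not writable by anyone else.
    ca_dir = /etc/security/pam_pkcs11/cacerts;

    # Path to the directory where the local (offline) CRLs are stored.
    # The same convention as above applies: you can choose either a
    # hash-link directory or a CRL file.
    # The default value is /etc/security/pam_pkcs11/crls.
    crl_dir = /etc/security/pam_pkcs11/crls;

    # Some PKCS#11 libraries can handle multithreading. So
    # set it to true to properly call C_Initialize()
    support_threads = false;

    # Sets the certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "signature"   Does also a signature check to ensure that private
    #               and public key match
    # You can use a combination of ca, crl, and signature flags, or just
    # use "none".
    #
    # "signature" on its own only proves that the token holds the private
    # key for whatever certificate it presents -- a self-signed certificate
    # passes too -- and says nothing about who issued it. "ca" is what ties
    # the certificate to the trust anchors in ca_dir, so the minimum for
    # authentication is ca,signature. Add crl_auto or crl_offline once CRLs
    # are provisioned in crl_dir; crl_online alone makes every login depend
    # on the CRL distribution point being reachable.
    cert_policy = ca,signature;

    # What kind of token?
    # The value of the token_type parameter will be used in the user prompt
    # messages. The default value is "Smart card".
    token_type = "Secure token";
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used, the null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise the
  # certificate will not match :-)
  # use_mappers = digest, cn, pwent, uid, mail, subject, null;
  #
  # With only "cn" and no mapfile (see "mapper cn" below) the certificate
  # CN is taken as the login name as-is, so whoever can obtain a certificate
  # from a CA in ca_dir chooses the account. The subject or digest mappers
  # with a root-owned mapfile give an explicit, auditable allow-list.
  use_mappers = cn;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is still not functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = /usr/lib/pam_pkcs11;

  #
  # Generic certificate contents mapper
  mapper generic {
    # Kept off like the other mappers; enable only while troubleshooting.
    debug = false;
    module = internal;
    # ignore letter case on match/compare
    ignorecase = false;
    # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
    cert_item = cn;
    # Define mapfile if needed, else select "none"
    mapfile = file:///etc/security/pam_pkcs11/generic_mapping;
    # Decide whether to use getpwent() to map the login
    use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
    debug = false;
    module = internal;
    ignorecase = false;
    mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  # NOTE(review): the match data lives in a file the user controls, so a
  # user can add keys for themselves; whether this mapper also honours
  # keys for a different account is not visible here -- confirm before use.
  mapper openssh {
    debug = false;
    module = /usr/lib/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  # NOTE(review): same user-controlled data source caveat as the openssh mapper.
  mapper opensc {
    debug = false;
    module = /usr/lib/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
    debug = false;
    ignorecase = false;
    module = internal;
  }

  # Null ( no map ) mapper: used when the user found so far matches NULL or "nobody"
  mapper null {
    debug = false;
    module = internal ;
    # select behavior: always match, or always fail
    # Must stay false: "true" would let any certificate that reached this
    # mapper log in as default_user.
    default_match = false;
    # on match, select returned user
    default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
    debug = false;
    module = /usr/lib/pam_pkcs11/ldap_mapper.so;
    # hostname of ldap server (use LDAP-URI for more than one)
    ldaphost = "";
    # Port on ldap server to connect, this is also the default
    # if no port is given in URI below
    # if empty, then 389 for TLS and 636 for SSL is used
    ldapport = ;
    # space separated list of LDAP URIs (URIs are used in the given order)
    URI = "";
    # Scope of search: 0-2
    # 0 = "base" means search only the basedn,
    # 1 = "one" (the default) means the set of records one level
    #     below the basedn, and
    # 2 = "sub" means the basedn and its whole subtree.
    scope = 2;
    # DN to bind with. Must have read-access for user entries
    # under "base"
    binddn = "cn=pam,o=example,c=com";
    # Password for above DN.
    # Stored in clear text: this file must be root-only readable, and the
    # bind DN should be a low-privilege account that can read nothing
    # beyond the certificate attribute.
    passwd = "";
    # Searchbase for user entries
    base = "ou=People,o=example,c=com";
    # Attribute of user entry which contains the certificate
    attribute = "userCertificate";
    # Searchfilter for user entry. Must only let pass the user entry
    # for the login user (%s stands for the login name).
    filter = "(&(objectClass=posixAccount)(uid=%s))";
    # SSL/TLS-Switch
    # This is a global switch, you can't switch between
    # SSL or TLS and non secured connections per URI!
    # values: off (standard), tls or on (ssl) or ssl
    ssl = tls;
    # SSL specific settings
    # tls_randfile = ...
    tls_cacertfile = /etc/ssl/cacert.pem;
    # tls_cacertdir = ...
    # Verify the directory server's certificate against tls_cacertfile.
    # With peer checking off, TLS only encrypts the session; any host that
    # answers on the socket is accepted, which exposes the bind password
    # and lets an attacker serve a certificate of their choosing.
    tls_checkpeer = 1;
    #tls_ciphers = ...
    #tls_cert = ...
    #tls_key = ...
  }

  # Assume common name (CN) to be the login
  mapper cn {
    debug = false;
    module = internal;
    # Case-insensitive comparison: a CN differing from the login only in
    # letter case is presumably accepted as that login. Set to false if
    # your CA issues CNs case-exactly, as the other mappers here do.
    ignorecase = true;
    # mapfile = file:///etc/security/pam_pkcs11/cn_map;
    mapfile = "none";
  }

  # mail - Compare email field from certificate
  mapper mail {
    debug = false;
    module = internal;
    # Declare mapfile or
    # leave empty "" or "none" to use no map
    mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
    # Some certs store email in uppercase; take care of this
    ignorecase = true;
    # Also check that host matches mx domain
    # when using mapfile this feature is ignored
    ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
    debug = false;
    module = internal;
    ignorecase = false;
    # Keep false so a UPN from a foreign domain is not accepted.
    ignoredomain = false;
    # Placeholder: must be replaced with the real AD domain before this
    # mapper is added to use_mappers.
    domain = "domain.com";
  }

  # krb - Compare against Kerberos Principal Name
  mapper krb {
    debug = false;
    module = internal;
    ignorecase = false;
    mapfile = "none";
  }

  # uid - Maps Subject Unique Identifier field (if it exists) to login
  mapper uid {
    debug = false;
    module = internal;
    ignorecase = false;
    mapfile = "none";
  }

  # digest - compute the certificate digest and map it through a file
  mapper digest {
    debug = false;
    module = internal;
    # algorithm used to evaluate certificate digest
    # Select one of:
    # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
    # sha1 is the strongest option this list offers; md2/md4/md5 are
    # broken and must not be used for an authentication mapping.
    algorithm = "sha1";
    # mapfile = file:///etc/security/pam_pkcs11/digest_mapping;
    mapfile = "none";

  }

}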
|