Skip to main content

Source code file content

Revision: 1457

17374438 bug fix 15912313 needs to be removed
» Project Revision History

» Checkout URL

gate / components / pam_pkcs11 / pam_pkcs11.conf

Size: 9203 bytes, 1 line
#
# Configuration file for pam_pkcs11 module
#
# Original Author: Juan Antonio Martinez <jonsito@teleline.es>
#
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = true; 

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = default;

  pkcs11_module default {
    module = /usr/lib/libpkcs11.so;
    description = "Solaris PKCS#11 Cryptographic Framework library";

    # Which slot to use?
    # You can use "slot_description" or "slot_num", but not both, to specify
    # the slot to use.   Using "slot_description" is preferred because the
    # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
    # only be used with those PKCS#11 implementations that guarantee
    # constant slot numbering.
    #
    #  slot_description = "xxxx"
    #      The slot is specified by the slot description, for example, 
    #      slot_description = "Sun Crypto Softtoken".  The default value is
    #      "none" which means to use the first slot with an available token.
    #
    #  slot_num = a_number
    #      The slot is specified by the slot number, for example, slot_num = 1.
    #      The default value is zero which means to use the first slot with an
    #      available token.
    #
    # On Solaris OS, an administrator can use the "cryotoadm list -v" command
    # to find all the available slots and their slot descriptions. For more 
    # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
    #
    slot_description = "none";

    # Where are CA certificates stored?
    # You can setup this value to:
    # 1- A directory with openssl hash-links to all certificates
    # 2- A CA file in PEM (.pem) or ASN1 (.cer) format, 
    # containing all allowed CA certs
    # The default value is /etc/security/pam_pkcs11/cacerts.
    ca_dir = /etc/security/pam_pkcs11/cacerts;
  
    # Path to the directory where the local (offline) CRLs are stored.
    # Same convention as above is applied: you can choose either
    # hash-link directory or CRL file
    # The default value is /etc/security/pam_pkcs11/crls.
    crl_dir = /etc/security/pam_pkcs11/crls;
  
    # Some pcks#11 libraries can handle multithreading. So 
    # set it to true to properly call C_Initialize() 
    support_threads = false;

    # Sets the Certificate verification policy. 
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL form the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first 
    #               tries to download the CRL from a possibly given CRL 
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    # cert_policy = ca,signature;
    cert_policy = signature;

    # What kind of token?
    # The value of the token_type parameter will be used in the user prompt
    # messages.  The default value is "Smart card".
    token_type = "Secure token";
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare againts Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  # use_mappers = digest, cn, pwent, uid, mail, subject, null;
  use_mappers = cn;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
  mapper_search_path = /usr/lib/pam_pkcs11;

  # 
  # Generic certificate contents mapper
  mapper generic {
        debug = true;
        module = internal;
        # ignore letter case on match/compare
        ignorecase = false;
        # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
        cert_item  = cn;
        # Define mapfile if needed, else select "none"
        mapfile = file:///etc/security/pam_pkcs11/generic_mapping
        # Decide if use getpwent() to map login
        use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
	debug = false;
	module = /usr/lib/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from $HOME/.eid/authorized_certificates to match users
  mapper opensc {
	debug = false;
	module = /usr/lib/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
	debug = false;
	ignorecase = false;
	module = internal;
  }

  # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
  mapper null {
	debug = false;
	module = internal ;
	# select behavior: always match, or always fail
	default_match = false;
	# on match, select returned user
        default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
	debug = false;
	module = /usr/lib/pam_pkcs11/ldap_mapper.so;
	# hostname of ldap server (use LDAP-URI for more then one)
	ldaphost = "";
	# Port on ldap server to connect, this is also the default
	#   if no port is given in URI below
	#   if empty, then 389 for TLS and 636 for SSL is used
	ldapport = ;
	# space separted list of LDAP URIs (URIs are used by given order)
	URI = "";
	# Scope of search: 0-2
	#   Default is 1 = "one", meaning the set of records one
	#   level below the basedn.
	#   0 = "base"  means search only the basedn, and
	#   2 = "sub"  means the union of entries at the "base" level
	#   and ? all or "one" level below ??? FIXME
	scope = 2;
	# DN to bind with. Must have read-access for user entries
	# under "base"
	binddn = "cn=pam,o=example,c=com";
	# Password for above DN
	passwd = "";
	# Searchbase for user entries
	base = "ou=People,o=example,c=com";
	# Attribute of user entry which contains the certificate
	attribute = "userCertificate";
	# Searchfilter for user entry. Must only let pass user entry
	# for the login user.
	filter = "(&(objectClass=posixAccount)(uid=%s))"
	# SSL/TLS-Switch
	#   This is a global switch, you can't switch between
	#   SSL or TLS and non secured connections per URI!
	#   values: off (standard), tls or on (ssl) or ssl
	ssl = tls
	# SSL specific settings
	# tls_randfile = ...
	tls_cacertfile = /etc/ssl/cacert.pem
	# tls_cacertdir = ...
	tls_checkpeer = 0
	#tls_ciphers = ...
	#tls_cert = ...
	#tls_key = ...
  }

  # Assume common name (CN) to be the login
  mapper cn {
	debug = false;
	module = internal;
	ignorecase = true;
	# mapfile = file:///etc/security/pam_pkcs11/cn_map;
	mapfile = "none";
  }

  # mail -  Compare email field from certificate
  mapper mail {
	debug = false;
	module = internal;
	# Declare mapfile or
	# leave empty "" or "none" to use no map 
	mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
	# Some certs store email in uppercase. take care on this
	ignorecase = true;
	# Also check that host matches mx domain
	# when using mapfile this feature is ignored
	ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
	debug = false;
	module = internal;
	ignorecase = false;
	ignoredomain = false;
	domain = "domain.com";
  }

  # krb  - Compare againts Kerberos Principal Name
  mapper krb {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = "none";
  }

  # uid  - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
	debug = false;
	module = internal;
	ignorecase = false;
	mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
	debug = false;
	module = internal;
	# algorithm used to evaluate certificate digest
        # Select one of:
	# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
	algorithm = "sha1";
	# mapfile = file:///etc/security/pam_pkcs11/digest_mapping;
	mapfile = "none";

  }

}
 
 
Close
loading
Please Confirm
Close