{"id":19416888,"url":"https://github.com/opensc/pam_p11","last_synced_at":"2026-02-26T22:04:34.940Z","repository":{"id":5630770,"uuid":"6838923","full_name":"OpenSC/pam_p11","owner":"OpenSC","description":"Authentication with PKCS#11 modules","archived":false,"fork":false,"pushed_at":"2026-01-20T03:48:02.000Z","size":173,"stargazers_count":28,"open_issues_count":0,"forks_count":20,"subscribers_count":5,"default_branch":"master","last_synced_at":"2026-01-20T10:22:52.122Z","etag":null,"topics":["authentication","certificate","opensc","pam","pgp","security","smartcard"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenSC.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2012-11-24T11:14:27.000Z","updated_at":"2026-01-20T03:48:06.000Z","dependencies_parsed_at":"2025-04-24T13:48:47.473Z","dependency_job_id":null,"html_url":"https://github.com/OpenSC/pam_p11","commit_stats":null,"previous_names":[],"tags_count":12,"template":false,"template_full_name":null,"purl":"pkg:github/OpenSC/pam_p11","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_p11","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_p11/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_p11/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_p11/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenSC","download_ur
l":"https://codeload.github.com/OpenSC/pam_p11/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_p11/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29874516,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-26T21:05:00.265Z","status":"ssl_error","status_checked_at":"2026-02-26T20:57:13.669Z","response_time":89,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","certificate","opensc","pam","pgp","security","smartcard"],"created_at":"2024-11-10T13:06:01.699Z","updated_at":"2026-02-26T22:04:34.932Z","avatar_url":"https://github.com/OpenSC.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Welcome to pam_p11\n\nPam_p11 is a pluggable authentication module (PAM) package for using cryptographic tokens such as smart cards and USB crypto tokens for authentication on single user systems.\n\nPam_p11 uses [libp11](https://github.com/OpenSC/libp11/) to access any PKCS#11 module. 
It should be compatible with any implementation, but it is primarily developed using [OpenSC](https://github.com/OpenSC/OpenSC/).\n\nPam_p11 implements two authentication methods:\n\n- verify a token using a known public key found in OpenSSH's `~/.ssh/authorized_keys`.\n- verify a token using a known certificate found in `~/.eid/authorized_certificates`.\n\nPam_p11 is very simple: it has no config file and does not know about certificate chains, certificate authorities, revocation lists or OCSP. Perfect for the small installation with no frills.\n\nPam_p11 was written by an international team and is licensed as Open Source software under the LGPL license.\n\n[![GitHub CI Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/ci.yml?branch=master\u0026label=Linux%2FmacOS\u0026logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/ci.yml?branch=master) [![Coverity Scan CI Status](https://img.shields.io/coverity/scan/15452.svg?label=Coverity%20Scan)](https://scan.coverity.com/projects/15452) [![CodeQL CI Status](https://img.shields.io/github/actions/workflow/status/OpenSC/pam_p11/codeql.yml?branch=master\u0026label=CodeQL\u0026logo=github)](https://github.com/OpenSC/pam_p11/actions/workflows/codeql.yml?branch=master)\n\n## Installing pam_p11\n\nInstallation is quite easy:\n\n```\nwget https://github.com/OpenSC/pam_p11/releases/download/pam_p11-0.6.1/pam_p11-0.6.1.tar.gz\ntar xfvz pam_p11-0.6.1.tar.gz\ncd pam_p11-0.6.1\n./configure --prefix=/usr --libdir=/lib/\nmake\nmake install\n```\n\nPam_p11 depends on pkg-config, openssl, libp11 and pam.  If you don't have pkg-config installed, please do so and try again.  If pkg-config is not found, please change your PATH environment setting.  If openssl is not installed, please do so. If openssl is not found, please change your PKG_CONFIG_PATH environment setting to include the directory with \"openssl.pc\" or \"libp11.pc\" file. 
Some Linux distributions split openssl into a runtime package and a development package; you need to install both. The same might be true for pam and libp11.\n\n## Using pam_p11\n\n### Login\n\nTo use pam_p11 with some application like `sudo`, edit `/etc/pam.d/sudo` and add something like the following at the beginning of the file:\n\n```\nauth  sufficient  /usr/local/lib/security/pam_p11.so  /usr/local/lib/opensc-pkcs11.so\n```\n\nReplace `/usr/local/lib/opensc-pkcs11.so` with your PKCS#11 implementation. Using an absolute path to `pam_p11.so` avoids the need to write to a system directory, which is especially useful for macOS with system integrity protection (SIP) enabled.\n\nAn optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.\n\nWhile testing it is best to keep a door open. Editing the configuration files from a different machine via SSH helps revert a bad PAM login configuration. 
Replace `sufficient` with `required` and remove other unwanted PAM modules from the file only when you've successfully verified the configuration.\n\nTo enable pam_p11 for all logins (graphical and terminal based), change the following configuration files as described above:\n\n| Operating System | PAM configuration file     |\n| ---------------- | -------------------------- |\n| macOS            | `/etc/pam.d/authorization` |\n| Debian           | `/etc/pam.d/common-auth`   |\n| Arch Linux       | `/etc/pam.d/system-auth`   |\n\n### PIN change and unblock\n\nTo allow changing and unblocking the PIN via pam_p11, add the following to your configuration:\n\n```\npassword  optional    /usr/local/lib/security/pam_p11.so  /usr/local/lib/opensc-pkcs11.so\n```\n\nAn optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.\n\n### User configuration via `~/.eid/authorized_certificates`\n\nA user may create a `~/.eid/` directory and create a file `~/.eid/authorized_certificates` with authorized certificates. You can do that via\n\n```\nmkdir -p ~/.eid\nchmod 0755 ~/.eid\npkcs11-tool --read-object --type cert --id 45 --module /usr/lib/opensc-pkcs11.so --output-file cert.cer\nopenssl x509 -inform DER -in cert.cer -outform PEM \u003e\u003e ~/.eid/authorized_certificates\nchmod 0644 ~/.eid/authorized_certificates\n```\n\nThis example uses the `pkcs11-tool` command from opensc to read a certificate (id `45`) from the smart card. Use `pkcs11-tool --list-objects --type cert --module /usr/lib/opensc-pkcs11.so` to view all certificates available on the card.\n\nIt is very important that only the user of the file can write to it. You can have any number of certificates in that file. 
The certificates need to be in PEM format. DER format is not supported.\n\n### User configuration via `~/.ssh/authorized_keys`\n\nA user may create a `~/.ssh/` directory and create a file `~/.ssh/authorized_keys` with authorized public keys. You can do that via\n\n```\nmkdir -p ~/.ssh\nchmod 0755 ~/.ssh\nssh-keygen -D /usr/lib/opensc-pkcs11.so \u003e\u003e ~/.ssh/authorized_keys\nchmod 0644 ~/.ssh/authorized_keys\n```\n\nThis example uses the `ssh-keygen` command from openssh to read the default user public key (id 45) from the smart card in reader 0.  Note that this tool prints the public keys in two formats: ssh v1 and ssh v2 format. It is recommended to edit the file and delete one of those two lines. Also you might want to add a comment / identifier at the end of the line.\n\nIt is very important that only the user of the file can write to it.  You can have any number of public keys in that file.\n\nNote that it is currently not possible to convert existing ssh keys into PEM format and store them on a smart card. (To be precise: OpenSC has no such functionality, not sure about other implementations.)\n\n## Security Note\n\npam_p11 simply compares public keys, requests the cryptographic token to sign some random data and verifies the signature with the public key. No CA chain checking is done, no CRL is looked at, and it doesn't know what OCSP is. This works fine for small installations, but if you want any of those features, please have a look at [Pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) for a fully fledged PAM module for smart card authentication.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensc%2Fpam_p11","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensc%2Fpam_p11","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensc%2Fpam_p11/lists"}