{"id":19416882,"url":"https://github.com/opensc/pam_pkcs11","last_synced_at":"2025-04-05T03:12:18.138Z","repository":{"id":5630568,"uuid":"6838717","full_name":"OpenSC/pam_pkcs11","owner":"OpenSC","description":"This Linux-PAM login module allows a X.509 certificate based user login","archived":false,"fork":false,"pushed_at":"2025-03-26T10:24:04.000Z","size":1236,"stargazers_count":74,"open_issues_count":14,"forks_count":53,"subscribers_count":20,"default_branch":"master","last_synced_at":"2025-03-29T02:09:00.277Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"lgpl-2.1","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/OpenSC.png","metadata":{"files":{"readme":"README","changelog":"ChangeLog","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2012-11-24T10:40:25.000Z","updated_at":"2025-03-26T10:24:08.000Z","dependencies_parsed_at":"2024-04-19T12:41:17.807Z","dependency_job_id":"72c4a954-4e35-4483-81e9-b04a5b8d61eb","html_url":"https://github.com/OpenSC/pam_pkcs11","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_pkcs11","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_pkcs11/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_pkcs11/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/OpenSC%2Fpam_pkcs11/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/OpenSC","download_url":"https://codeload.github.com/OpenSC/pam_pkcs11/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247280272,"owners_count":20912967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T13:06:00.237Z","updated_at":"2025-04-05T03:12:18.120Z","avatar_url":"https://github.com/OpenSC.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"This is the README of the PKCS #11 PAM Login Module\n======================================================================\n\nAuthors:  Mario Strasser \u003cmast@gmx.net\u003e\n          Juan Antonio Martinez \u003cjonsito@teleline.es\u003e\n          Ludovic Rouseau \u003cludovic.rousseau@free.fr\u003e\n\t\t  Frank Morgner \u003cfrankmorgner@gmail.com\u003e\n          Paul Wolneykien \u003cmanowar@altlinux.org\u003e\n\nThis Linux-PAM login module allows a X.509 certificate based user\nlogin. The certificate and its dedicated private key are thereby\naccessed by means of an appropriate PKCS #11 module. For the\nverification of the users' certificates, locally stored CA\ncertificates as well as either online or locally accessible CRLs are\nused.\n\nDetailed information about the Linux-PAM system can be found in [1],\n[2] and [3]. The specification of the Cryptographic Token Interface\nStandard (PKCS #11) is available at [4].\n\n\nPKCS #11 Module Requirements\n----------------------------------------------------------------------\nThe PKCS #11 modules must fulfill the requirements given by the RSA\nAsymmetric Client Signing Profile, which has been specified in the\nPKCS #11 Conformance Profile Specification [5] by RSA Laboratories.\n\n\nUser Matching\n----------------------------------------------------------------------\nTo approve the ownership of a certificate, that is to allow the owner\nof a certificate to login as a particular user Several modules\nare provided. See README.mappers file in doc directory\n\n[Note: This is still a work in progress, any suggestions for\n       improvements or alternative matching algorithms are welcome.]\n\n\nInstallation\n----------------------------------------------------------------------\n\nbash# tar xvzf pam_pkcs11-X.Y.Z.tar.gz\nbash# cd pam_pkcs11-X.Y.Z\nbash# ./configure\nbash# make\nbash# sudo make install\n\n\nConfiguration\n\n1- Create a directory /etc/pam_pkcs11\n2- Copy $(base)/etc/pam_pkcs11.conf.example to /etc/pam_pkcs11/ and personalize\n3- Create crls and cacerts directories according with configuration file,\n   and fill them with proper data\n4- Choose one or more mappers to install, set up configuration file, and\n   if needed configure mappers\n\nThe file etc/pam_pkcs11.conf is fully auto-documented, to allow you easy\nediting\n\n5- setup /etc/pam.d/xxx entries\n\n----------------------------------------------------------------------\nTo make use of the PKCS #11 login module replace the line\n\n  auth\trequisite\tpam_unix2.so\t...\n\nwith\n\n  auth\trequisite\tpam_pkcs11.so\t...\n\nin the pam configuration files.\n\nSome mappers doesn't map to an existing user. To allow correct login,\nyou may need to install also pam-mkhomedir in session pam stack\nSee http://www.kernel.org/pub/linux/libs/pam for details\n\nThe following options are recognised for pam-pkcs11.so:\n\n  debug       \n    Enable debugging support.\n\n  config_file\n    To specify up configuration file ( default /etc/pam_pkcs11/pam_pkcs11.conf )\n\nNext options should be taken from configuration file, but is up to the\nuser to specify them from command line. If so, it takes precedence over\nconfiguration file\n\n  nullok      \n    Allow empty passwords.\n\n  use_first_pass\n    Do not prompt the user for the passwords but take them from the\n    PAM_ items instead.\n\n  try_first_pass\n    Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK\n    is unset.\n\n  use_authtok\n    Like try_first_pass, but fail if the new PAM_AUTHTOK has not been\n    previously set (intended for stacking password modules only).\n    \n  card_only\n    Always try to get the userid from the certificate, don't prompt for the user name if \n    the card is present, and if the token is present, then we must use it to authenticate.\n\n  wait_for_card\n    This option needs card_only to be set. This will make the system wait for the \n    token to be inserted on login, or after login it will require the same token be \n    inserted to unlock the system.\n\n\nNext options are pkcs11 module specific\n\n  pkcs11_module=\u003cfile\u003e\n    Filename of the PKCS #11 module. The default value is\n    /etc/pam_pkcs11/pkcs11_module.so.\n    Note that this option takes precedence over \"module\" entry\n    in proper pkcs11_module section, but this section is still needed\n\n  slot_num=\u003cnr\u003e\n    Slot-number to use. One for the first, two for the second and so\n    on. The default value is zero which means to use the first slot\n    with an available token.\n\n  ca_dir=\u003cpath\u003e\n    Path to the directory where the CA certificates are stored. The\n    directory must contain an openssl hash-link to each certificate.\n    The default value is /etc/pam_pkcs11/cacerts.\n\n  crl_dir=\u003cpath\u003e\n    Path to the directory where the CRLs are stored. The directory\n    must contain an openssl hash-link to each CRL. The default value\n    is /etc/pam_pkcs11/crls.\n\n  crl_policy={none, online, offline, auto}\n    Sets the CRL verification policy. None performs no verification\n    at all, online downloads the CRL form the location given by the\n    CRL distribution point extension of the certificate and offline\n    uses the locally stored CRLs. Auto is a combination of online and\n    offline; it first tries to download the CRL from a possibly\n    given CRL distribution point and if this fails, uses the local\n    CRLs. The default setting is none.\n\nExample:\n\n  auth  sufficient  pam_pkcs11.so   config_file=/etc/pam_pkcs11/pam_pkcs11.conf\n\n  or ( avoid if possible )\n\n  auth\tsufficient pam_pkcs11.so\tnullok debug try_first_pass \\\n    pkcs11_module=/usr/lib/pkcs11/pkcs11_module.so \\\n    ca_dir=/etc/cacerts/ crl_dir=/etc/cacerts/ crl_policy=auto\n\n\nContact\n----------------------------------------------------------------------\n\nAny comments, suggestions and bug reports are welcome. Please, mention\nthe keywords 'pkcs' and 'pam' in the subject.\n\nMario Strasser \u003cmast@gmx.net\u003e\nJuan Antonio Martinez \u003cjonsito@teleline.es\u003e\n\n\nReferences\n----------------------------------------------------------------------\n\n[1] The Linux-PAM System Administrators' Guide\n    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html\n\n[2] The Linux-PAM Module Writers' Guide\n    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules.html\n\n[3] The Linux-PAM Application Developers' Guide\n    http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_appl.html\n\n[4] PKCS #11 - Cryptographic Token Interface Standard\n    http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/\n\n[5] PKCS #11: Conformance Profile Specification\n    http://www.rsasecurity.com/rsalabs/pkcs/pkcs-11/\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensc%2Fpam_pkcs11","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensc%2Fpam_pkcs11","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensc%2Fpam_pkcs11/lists"}