| blob | 42818d7e8649b15e6e467873c3f9445b680ece02 |
1 #
2 # Configuration file for pam_pkcs11 module
3 #
4 # Original Author: Juan Antonio Martinez <jonsito@teleline.es>
5 #
6 pam_pkcs11 {
7 # Allow empty passwords
8 nullok = true;
10 # Enable debugging support.
11 debug = true;
13 # Filename of the PKCS #11 module. The default value is "default"
14 use_pkcs11_module = default;
16 pkcs11_module default {
17 module = /usr/lib/libpkcs11.so;
18 description = "Solaris PKCS#11 Cryptographic Framework library";
20 # Which slot to use?
21 # You can use "slot_description" or "slot_num", but not both, to specify
22 # the slot to use. Using "slot_description" is preferred because the
23 # PKCS#11 specification does not guarantee slot ordering. "slot_num" should
24 # only be used with those PKCS#11 implementations that guarantee
25 # constant slot numbering.
26 #
27 # slot_description = "xxxx"
28 # The slot is specified by the slot description, for example,
29 # slot_description = "Sun Crypto Softtoken". The default value is
30 # "none" which means to use the first slot with an available token.
31 #
32 # slot_num = a_number
33 # The slot is specified by the slot number, for example, slot_num = 1.
34 # The default value is zero which means to use the first slot with an
35 # available token.
36 #
37 # On Solaris OS, an administrator can use the "cryotoadm list -v" command
38 # to find all the available slots and their slot descriptions. For more
39 # information, see the libpkcs11(3LIB) and cryptoadm(1m) man pages.
40 #
41 slot_description = "none";
43 # Where are CA certificates stored?
44 # You can setup this value to:
45 # 1- A directory with openssl hash-links to all certificates
46 # 2- A CA file in PEM (.pem) or ASN1 (.cer) format,
47 # containing all allowed CA certs
48 # The default value is /etc/security/pam_pkcs11/cacerts.
49 ca_dir = /etc/security/pam_pkcs11/cacerts;
51 # Path to the directory where the local (offline) CRLs are stored.
52 # Same convention as above is applied: you can choose either
53 # hash-link directory or CRL file
54 # The default value is /etc/security/pam_pkcs11/crls.
55 crl_dir = /etc/security/pam_pkcs11/crls;
57 # Some pcks#11 libraries can handle multithreading. So
58 # set it to true to properly call C_Initialize()
59 support_threads = false;
61 # Sets the Certificate verification policy.
62 # "none" Performs no verification
63 # "ca" Does CA check
64 # "crl_online" Downloads the CRL form the location given by the
65 # CRL distribution point extension of the certificate
66 # "crl_offline" Uses the locally stored CRLs
67 # "crl_auto" Is a combination of online and offline; it first
68 # tries to download the CRL from a possibly given CRL
69 # distribution point and if this fails, uses the local
70 # CRLs
71 # "signature" Does also a signature check to ensure that private
72 # and public key matches
73 # You can use a combination of ca,crl, and signature flags, or just
74 # use "none".
75 # cert_policy = ca,signature;
76 cert_policy = signature;
78 # What kind of token?
79 # The value of the token_type parameter will be used in the user prompt
80 # messages. The default value is "Smart card".
81 token_type = "Secure token";
82 }
84 # Which mappers ( Cert to login ) to use?
85 # you can use several mappers:
86 #
87 # subject - Cert Subject to login file based mapper
88 # pwent - CN to getpwent() login or gecos fields mapper
89 # ldap - LDAP mapper
90 # opensc - Search certificate in ${HOME}/.eid/authorized_certificates
91 # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
92 # mail - Compare email fields from certificate
93 # ms - Use Microsoft Universal Principal Name extension
94 # krb - Compare againts Kerberos Principal Name
95 # cn - Compare Common Name (CN)
96 # uid - Compare Unique Identifier
97 # digest - Certificate digest to login (mapfile based) mapper
98 # generic - User defined certificate contents mapped
99 # null - blind access/deny mapper
100 #
101 # You can select a comma-separated mapper list.
102 # If used null mapper should be the last in the list :-)
103 # Also you should select at least one mapper, otherwise
104 # certificate will not match :-)
105 # use_mappers = digest, cn, pwent, uid, mail, subject, null;
106 use_mappers = cn;
108 # When no absolute path or module info is provided, use this
109 # value as module search path
110 # TODO:
111 # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
112 mapper_search_path = /usr/lib/pam_pkcs11;
114 #
115 # Generic certificate contents mapper
116 mapper generic {
117 debug = true;
118 module = internal;
119 # ignore letter case on match/compare
120 ignorecase = false;
121 # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
122 cert_item = cn;
123 # Define mapfile if needed, else select "none"
124 mapfile = file:///etc/security/pam_pkcs11/generic_mapping
125 # Decide if use getpwent() to map login
126 use_getpwent = false;
127 }
129 # Certificate Subject to login based mapper
130 # provided file stores one or more "Subject -> login" lines
131 mapper subject {
132 debug = false;
133 module = internal;
134 ignorecase = false;
135 mapfile = file:///etc/security/pam_pkcs11/subject_mapping;
136 }
138 # Search public keys from $HOME/.ssh/authorized_keys to match users
139 mapper openssh {
140 debug = false;
141 module = /usr/lib/pam_pkcs11/openssh_mapper.so;
142 }
144 # Search certificates from $HOME/.eid/authorized_certificates to match users
145 mapper opensc {
146 debug = false;
147 module = /usr/lib/pam_pkcs11/opensc_mapper.so;
148 }
150 # Certificate Common Name ( CN ) to getpwent() mapper
151 mapper pwent {
152 debug = false;
153 ignorecase = false;
154 module = internal;
155 }
157 # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
158 mapper null {
159 debug = false;
160 module = internal ;
161 # select behavior: always match, or always fail
162 default_match = false;
163 # on match, select returned user
164 default_user = nobody ;
165 }
167 # Directory ( ldap style ) mapper
168 mapper ldap {
169 debug = false;
170 module = /usr/lib/pam_pkcs11/ldap_mapper.so;
171 # hostname of ldap server (use LDAP-URI for more then one)
172 ldaphost = "";
173 # Port on ldap server to connect, this is also the default
174 # if no port is given in URI below
175 # if empty, then 389 for TLS and 636 for SSL is used
176 ldapport = ;
177 # space separted list of LDAP URIs (URIs are used by given order)
178 URI = "";
179 # Scope of search: 0-2
180 # Default is 1 = "one", meaning the set of records one
181 # level below the basedn.
182 # 0 = "base" means search only the basedn, and
183 # 2 = "sub" means the union of entries at the "base" level
184 # and ? all or "one" level below ??? FIXME
185 scope = 2;
186 # DN to bind with. Must have read-access for user entries
187 # under "base"
188 binddn = "cn=pam,o=example,c=com";
189 # Password for above DN
190 passwd = "";
191 # Searchbase for user entries
192 base = "ou=People,o=example,c=com";
193 # Attribute of user entry which contains the certificate
194 attribute = "userCertificate";
195 # Searchfilter for user entry. Must only let pass user entry
196 # for the login user.
197 filter = "(&(objectClass=posixAccount)(uid=%s))"
198 # SSL/TLS-Switch
199 # This is a global switch, you can't switch between
200 # SSL or TLS and non secured connections per URI!
201 # values: off (standard), tls or on (ssl) or ssl
202 ssl = tls
203 # SSL specific settings
204 # tls_randfile = ...
205 tls_cacertfile = /etc/ssl/cacert.pem
206 # tls_cacertdir = ...
207 tls_checkpeer = 0
208 #tls_ciphers = ...
209 #tls_cert = ...
210 #tls_key = ...
211 }
213 # Assume common name (CN) to be the login
214 mapper cn {
215 debug = false;
216 module = internal;
217 ignorecase = true;
218 # mapfile = file:///etc/security/pam_pkcs11/cn_map;
219 mapfile = "none";
220 }
222 # mail - Compare email field from certificate
223 mapper mail {
224 debug = false;
225 module = internal;
226 # Declare mapfile or
227 # leave empty "" or "none" to use no map
228 mapfile = file:///etc/security/pam_pkcs11/mail_mapping;
229 # Some certs store email in uppercase. take care on this
230 ignorecase = true;
231 # Also check that host matches mx domain
232 # when using mapfile this feature is ignored
233 ignoredomain = false;
234 }
236 # ms - Use Microsoft Universal Principal Name extension
237 # UPN is in format login@ADS_Domain. No map is needed, just
238 # check domain name.
239 mapper ms {
240 debug = false;
241 module = internal;
242 ignorecase = false;
243 ignoredomain = false;
244 domain = "domain.com";
245 }
247 # krb - Compare againts Kerberos Principal Name
248 mapper krb {
249 debug = false;
250 module = internal;
251 ignorecase = false;
252 mapfile = "none";
253 }
255 # uid - Maps Subject Unique Identifier field (if exist) to login
256 mapper uid {
257 debug = false;
258 module = internal;
259 ignorecase = false;
260 mapfile = "none";
261 }
263 # digest - elaborate certificate digest and map it into a file
264 mapper digest {
265 debug = false;
266 module = internal;
267 # algorithm used to evaluate certificate digest
268 # Select one of:
269 # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
270 algorithm = "sha1";
271 # mapfile = file:///etc/security/pam_pkcs11/digest_mapping;
272 mapfile = "none";
274 }
276 }