Category: LINUX

2009-03-09 11:56:30

PKCS #11 PAM Login Tools

Documentation

Description

This Linux-PAM login module allows an X.509 certificate based user login. The certificate and its dedicated private key are accessed by means of an appropriate PKCS #11 module. For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.

Detailed information about the Linux-PAM system can be found in The Linux-PAM System Administrators' Guide, The Linux-PAM Module Writers' Guide and The Linux-PAM Application Developers' Guide. The specification of the Cryptographic Token Interface Standard (PKCS #11) is available at PKCS #11 - Cryptographic Token Interface Standard.

The PAM-PKCS#11 package provides:

  • A PAM module able to:
    • Use certificates to get user credentials
    • Deduce a login based on provided certificate
  • Several tools:
    • Standalone cert-to-login finder tool
    • Certificate contents viewer
    • Card Event status monitor, to trigger actions on card insert/removal

You can read the online documentation to learn how to install, configure and use this software.

PKCS #11 Module Requirements

The PKCS #11 modules must fulfill the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11: Conformance Profile Specification by RSA Laboratories.

User Matching

To map the ownership of a certificate to a user login, pam-pkcs11 uses the concept of a mapper: a configurable, stackable list of dynamic modules, each one trying to perform a specific cert-to-login mapping. Several mappers are provided:

  • the common name of the subject matches the login name
  • the unique identifier of the subject matches the login name
  • the user part of an e-mail subject alternative name extension matches the login name
  • the Microsoft universal principal name extension matches the login name
  • etc. (see the documentation on the provided mappers)

Many mappers may also use a mapfile to translate certificate contents to a login name.
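The mapper stack described above, as an added illustration that is not pam-pkcs11's own code: four simplified mappers (CN, UID, e-mail SAN, Microsoft UPN) are tried in order, the CN mapper consults a mapfile, and the first mapper that deduces a login decides. The certificate fields and the mapfile are constructed sample data, and the function names are this example's own.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed X.509 fields standing in for what pam-pkcs11 reads from the
# certificate on the token (hypothetical sample, not real data).
CERT = {
    "subject_cn": "Alice Example",
    "subject_uid": "",                    # no UID attribute in this subject
    "san_email": "alice@example.org",     # e-mail subjectAltName
    "ms_upn": "ALICE@example.org",        # Microsoft UPN extension
}

# Constructed mapfile: certificate value -> login name (hypothetical).
MAPFILE = {"Alice Example": "alice"}

Mapper = Callable[[Dict[str, str]], Optional[str]]

def with_mapfile(value: Optional[str], mapfile: Dict[str, str]) -> Optional[str]:
    """Translate a certificate value through a mapfile; fall back to the raw value."""
    if not value:
        return None
    return mapfile.get(value, value)

def cn_mapper(cert: Dict[str, str]) -> Optional[str]:   # subject common name -> login
    return with_mapfile(cert.get("subject_cn"), MAPFILE)

def uid_mapper(cert: Dict[str, str]) -> Optional[str]:  # subject unique identifier -> login
    return cert.get("subject_uid") or None

def mail_mapper(cert: Dict[str, str]) -> Optional[str]: # user part of e-mail SAN -> login
    mail = cert.get("san_email", "")
    return mail.split("@", 1)[0] if "@" in mail else None

def ms_mapper(cert: Dict[str, str]) -> Optional[str]:   # UPN user part, lower-cased -> login
    upn = cert.get("ms_upn", "")
    return upn.split("@", 1)[0].lower() if "@" in upn else None

def find_login(cert: Dict[str, str], chain: List[Tuple[str, Mapper]]):
    """Stacked mappers: the first one that deduces a login decides (the finder tool)."""
    for name, mapper in chain:
        login = mapper(cert)
        if login:
            return name, login
    return None, None

def match_login(cert: Dict[str, str], claimed: str, chain: List[Tuple[str, Mapper]]) -> bool:
    """PAM-side check: does any configured mapper map this certificate to the claimed login?"""
    return any(mapper(cert) == claimed for _, mapper in chain)

CHAIN = [("cn", cn_mapper), ("uid", uid_mapper), ("mail", mail_mapper), ("ms", ms_mapper)]

if __name__ == "__main__":
    print(find_login(CERT, CHAIN))            # ('cn', 'alice') via the mapfile
    print(match_login(CERT, "alice", CHAIN))  # True
    print(match_login(CERT, "bob", CHAIN))    # False: no mapper yields that login
```

Mapper order matters: a certificate whose subject has no CN or UID falls through to the e-mail and UPN mappers, so the stack should list only the mappers whose certificate fields the issuing CA actually controls.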

License

  • Copyright © 2003-2004 Mario Strasser
  • Copyright © 2005 Juan Antonio Martinez
  • Copyright © 2005-2007 Ludovic Rousseau

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Download

  • (1037 Kbyte, "md5sum -b" hash: 5f3be860fa5b630cbce113e4a9bc6996)
  • Older versions, and beta releases are available in download area

Provided RPM versions are for  Distributions, and may not properly install in other distributions.
