Chinaunix首页 | 论坛 | 博客
  • 博客访问: 367532
  • 博文数量: 104
  • 博客积分: 2519
  • 博客等级: 少校
  • 技术积分: 1025
  • 用 户 组: 普通用户
  • 注册时间: 2008-09-22 06:54
文章分类

全部博文(104)

文章存档

2009年(90)

2008年(14)

我的朋友

分类: LINUX

2009-03-09 11:56:30

PKCS #11 PAM Login Tools


     Documentation 

Description

This Linux-PAM login module allows a X.509 certificate based user login. The certificate and its dedicated private key are thereby accessed by means of an appropriate PKCS #11 module. For the verification of the users' certificates, locally stored CA certificates as well as either online or locally accessible CRLs are used.

Detailed information about the Linux-PAM system can be found in The Linux-PAM System Administrators' GuideThe Linux-PAM Module Writers' Guide and The Linux-PAM Application Developers' Guide. The specification of the Cryptographic Token Interface Standard (PKCS #11) is available at PKCS #11 - Cryptographic Token Interface Standard.

PAM-PKCS#11 package provides:

  • A PAM module able to:
    • Use certificates to get user credentials
    • Deduce a login based on provided certificate
  • Several tools:
    • Standalone cert-to-login finder tool
    • Certificate contents viewer
    • Card Event status monitor, to trigger actions on card insert/removal

You can read the online  to know how to install, configure and use this software.

PKCS #11 Module Requirements

The PKCS #11 modules must fulfill the requirements given by the RSA Asymmetric Client Signing Profile, which has been specified in the PKCS #11: Conformance Profile Specificationby RSA Laboratories.

User Matching

To map the ownership of a certificate into a user login, pam-pkcs11 uses the concept of mapper that is, a list of configurable, stackable list of dynamic modules, each one trying to do a specific cert-to-login maping. Several mappers are provided:

  • the common name of the subject matches the login name
  • the unique identifier of the subject matches the login name
  • the user part of an e-mail subject alternative name extension matches the login name
  • the Microsoft universal principal name extension matches the login name
  • etc...(see documentation on provided mappers)

Many mappers may use also a mapfile to translate Certificate contents to a login name.

License

  • Copyright © 2003-2004 Mario Strasser
  • Copyright © 2005 Juan Antonio Martinez
  • Copyright © 2005-2007 Ludovic Rousseau

This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version.

This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

Download

  • (1037 Kbyte, "md5sum -b" hash: 5f3be860fa5b630cbce113e4a9bc6996)
  • Older versions, and beta releases are available in download area

Provided RPM versions are for  Distributions, and may not properly install in other distributions.

阅读(1664) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~