Modify PAM-AUTHTOK for next modules


Modify PAM-AUTHTOK for next modules

eferro
Hi guys,

I am working to make login authentication using a smart card over an LDAP server. My company asks me to use only the smart card PIN to do all the work. In other words, I have to do groups.so and mount.so (which need the LDAP password), and this password is the cryptpassword field in the LDAP server.

So I have read all the PKCS#11 and PAM documentation and did not discover how to do that. I think the only way to do the work is to modify pam-pkcs11 to make it change PAM-AUTHTOK by doing a search in the LDAP server.

I would like to hear your opinion on this subject. Thank you in advance.

--
"If you want to go fast, go alone. If you want to go far, go together." (African proverb)
--------------------------------------------------------------------------------
Emmanuel Ferro
SERPRO - Escritório São Luís
SUPOP/OPFLA/OPSLS
Comitê Regional de Software Livre
--------------------------------------------------------------------------------


-


"This message from the SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), a federal public company governed by the provisions of Federal Law no. 5.615, is sent exclusively to its addressee and may contain confidential information protected by professional secrecy. Its unauthorized use is illegal and subjects the offender to the penalties of the law. If you received it by mistake, please return it to the sender, explaining the error."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Modify PAM-AUTHTOK for next modules

Douglas E Engert


On 5/22/2015 6:03 AM, Emmanuel Nazareno de Lima Ferro wrote:
> Hi guys,
>
> I am working to make login authentication using a smart card over an LDAP server. My company asks me to use only the smart card PIN to do all the work. In other words, I have to do groups.so and mount.so
> (which need the LDAP password), and this password is the cryptpassword field in the LDAP server.
>
> So I have read all the PKCS#11 and PAM documentation and did not discover how to do that. I think the only way to do the work is to modify pam-pkcs11 to make it change PAM-AUTHTOK by doing a search in the LDAP server.
>
(Most likely, because retrieving a user password is not the way to do it. You should be able to eliminate the need for a user password.)

> I would like to hear your opinion on this subject. Thank you in advance.

The bindDN used to get the user's groups does not have to be the same as the bindDN used to authenticate the user.
They could be used with different LDAP databases too.

So an existing NSS database could be used. http://en.wikipedia.org/wiki/Name_Service_Switch

A generic read only account could be used for binding to NSS, with the password stored on the client machine.
The same account could be shared by many machines. This assumes that the data being read is not sensitive
as any client machine could read the data for any user (but not any passwords.)

I think I mentioned this before: if your company has Windows Active Directory and your users are in AD, look
at pam_krb5, which supports PKINIT, which uses smart cards. Your Linux distro may already have this.
Look for pkinit in the man pages for your distro's pam_krb5.

https://packages.debian.org/wheezy/libpam-krb5

http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
This uses PKCS#11 to access the smart card, and works with OpenSC.

What I am also saying is that the OpenSC pam_pkcs11 is not a network authentication, whereas pam_krb5 is:
it gives you back Kerberos tickets that can be used for further authentication to other services.
You may want to consider whether you are looking for an enterprise-wide solution or just authentication to
a handful of local clients.


--

  Douglas E. Engert  <[hidden email]>
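As an added illustration of the split described in the reply above (the smart card authenticates the user, while NSS group lookups bind with a separate, generic read-only account whose password lives on the client), here is a constructed configuration sketch. It is not from the original thread and not from the OpenSC or pam-krb5 projects; the host name, base DN, service account DN, password and file paths are placeholders, and the exact module arguments vary by distribution.

```text
# /etc/pam.d/login  (constructed example)
# The user's credential is the smart card PIN verified by pam_pkcs11; no LDAP
# password is ever requested, so nothing needs to rewrite PAM_AUTHTOK.
auth     sufficient  pam_pkcs11.so
# Alternative for an Active Directory / Kerberos realm: pam-krb5 with PKINIT
# (its try_pkinit option) also authenticates via the card and returns a TGT.
# auth   sufficient  pam_krb5.so try_pkinit
auth     required    pam_deny.so

account  required    pam_unix.so
session  required    pam_unix.so

# /etc/nslcd.conf  (constructed example)
# passwd/group resolution for NSS uses a generic read-only service account.
# Its password is stored on the client, so this file must be root-only (0600)
# and the account should hold read rights to non-sensitive attributes only.
uri     ldaps://ldap.example.com/
base    dc=example,dc=com
binddn  cn=nss-reader,ou=services,dc=example,dc=com
bindpw  READ-ONLY-SERVICE-PASSWORD-PLACEHOLDER

# /etc/nsswitch.conf
passwd: files ldap
group:  files ldap
```

The two binds are independent: the NSS reader account never sees user passwords, and the authentication step never touches the LDAP password at all, which is the point of the reply. pam_pkcs11 additionally needs its own certificate-to-user mapping configuration (not shown), and the read-only service account should be scoped to exactly the attributes NSS needs, since every client that holds its password can read whatever it can read.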

