pam_idcheck PAM module
Stephen Grier, QMUL, 26 May 2005
$Id: README,v 1.5.2.1 2006/08/08 13:26:05 martin Exp $
PAM (Pluggable Authentication Modules) is an authentication framework for Unix-like systems: a set of libraries that provide an authentication abstraction layer for system applications.
pam_idcheck is a PAM module for authenticating against the QMUL idcheck service.
Installing pam_idcheck
The pam_idcheck module requires the apache2 APR libraries. You will need to install apache2 as a prerequisite before pam_idcheck will compile.
To build pam_idcheck do:
$ ./configure
$ make
Note: if you're building pam_idcheck straight out of CVS you will need to create configure and config.h first by doing the following:
$ autoheader
$ aclocal
$ automake [--add-missing]
$ autoconf
The resulting pam_idcheck.so file should be copied to the default PAM module library location, usually /lib/security/. You will then need to configure a PAM service in your /etc/pam.conf. You'll want something like:
[service name] auth required pam_idcheck.so idcheckurl=http://idcheck.qmul.ac.uk/idcheck
You can specify the try_first_pass option if you want pam_idcheck to try the authentication token from a previous PAM module if used in a stack. Specify use_first_pass if you want to stop pam_idcheck from retrieving the authentication token itself via the application's conversation callback function.
You can control authorization via the account management group. The idcheckallowdata option will restrict access according to the authz data in the idcheck response. The idcheckallowuser option will restrict access to a particular user. These options can appear multiple times and are logically OR'd together, i.e. just one of them needs to match to permit access. For example, the pam.conf line:
[service name] account required pam_idcheck.so idcheckallowdata=proxy:container=ou=people idcheckallowuser=cgaa ignore_no_module_data
will restrict access to users in the ou=people LDAP container, OR usernames beginning with "cgaa". If no options are set all authenticated users will be permitted access.
The ignore_no_module_data option is necessary in cases where another module might handle authentication (i.e. in a stack) and you do not want pam_idcheck to perform authorization checks on those logins.
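The following is an added illustration of the account-phase decision rule described above (option parsing, OR'd allow rules, the no-options case and ignore_no_module_data). It is not pam_idcheck's own code. It assumes that module options arrive as the argc/argv strings PAM passes to a module, that idcheckallowdata values are compared for exact equality against the authz strings in the idcheck response, that idcheckallowuser values are matched as a username prefix (consistent with the "cgaa" example), and that with no stored module data the module denies unless ignore_no_module_data is set; the result names ACCT_PERMIT, ACCT_DENY and ACCT_IGNORE are chosen here for readability.

```c
#include <stdio.h>
#include <string.h>

#define IDCHECK_MAX_OPTS 8

/* Policy collected from the pam.conf options (illustrative model, not the
 * module's own structures). Lists are NULL-terminated. */
typedef struct {
    const char *allow_data[IDCHECK_MAX_OPTS];  /* idcheckallowdata=... values */
    const char *allow_user[IDCHECK_MAX_OPTS];  /* idcheckallowuser=... values */
    int ignore_no_module_data;                 /* ignore_no_module_data flag */
} idcheck_policy;

/* Decision outcomes; names are an assumption for this example. */
enum { ACCT_PERMIT = 0, ACCT_DENY = 1, ACCT_IGNORE = 2 };

/* Return the text after pfx if s starts with pfx, else NULL. */
static const char *after_prefix(const char *s, const char *pfx)
{
    size_t n = strlen(pfx);
    return strncmp(s, pfx, n) == 0 ? s + n : NULL;
}

/* Parse module arguments in the form PAM hands them to pam_sm_acct_mgmt().
 * Unknown options are ignored. Returns the number of recognised options. */
int idcheck_parse_args(int argc, const char **argv, idcheck_policy *p)
{
    size_t nd = 0, nu = 0;
    int recognised = 0;
    memset(p, 0, sizeof *p);
    for (int i = 0; i < argc; i++) {
        const char *v;
        if ((v = after_prefix(argv[i], "idcheckallowdata=")) != NULL) {
            if (nd < IDCHECK_MAX_OPTS - 1) p->allow_data[nd++] = v;
            recognised++;
        } else if ((v = after_prefix(argv[i], "idcheckallowuser=")) != NULL) {
            if (nu < IDCHECK_MAX_OPTS - 1) p->allow_user[nu++] = v;
            recognised++;
        } else if (strcmp(argv[i], "ignore_no_module_data") == 0) {
            p->ignore_no_module_data = 1;
            recognised++;
        }
    }
    return recognised;
}

/* authz: NULL-terminated authz strings from the idcheck response, or NULL
 * when no module data was stored (another module did the authentication). */
int idcheck_account_decision(const idcheck_policy *p, const char *user,
                             const char *const *authz)
{
    if (authz == NULL)
        return p->ignore_no_module_data ? ACCT_IGNORE : ACCT_DENY;

    /* No restrictions configured: every authenticated user is permitted. */
    if (p->allow_data[0] == NULL && p->allow_user[0] == NULL)
        return ACCT_PERMIT;

    /* Rules are OR'd: the first match permits access. */
    for (size_t i = 0; p->allow_data[i] != NULL; i++)
        for (size_t j = 0; authz[j] != NULL; j++)
            if (strcmp(p->allow_data[i], authz[j]) == 0)
                return ACCT_PERMIT;

    for (size_t i = 0; p->allow_user[i] != NULL; i++)
        if (after_prefix(user, p->allow_user[i]) != NULL)
            return ACCT_PERMIT;

    return ACCT_DENY;
}

int main(void)
{
    /* Constructed sample: the options from the pam.conf line in this README. */
    const char *argv[] = { "idcheckallowdata=proxy:container=ou=people",
                           "idcheckallowuser=cgaa", "ignore_no_module_data" };
    const char *staff[] = { "proxy:container=ou=staff", NULL };
    idcheck_policy p;
    idcheck_parse_args(3, argv, &p);
    printf("jbloggs in ou=staff -> %d (1 = deny)\n",
           idcheck_account_decision(&p, "jbloggs", staff));
    printf("cgaa123 in ou=staff -> %d (0 = permit)\n",
           idcheck_account_decision(&p, "cgaa123", staff));
    return 0;
}
```

The two checks a deployer most often gets wrong are visible in the code: a stack in which another module authenticates leaves no idcheck data, so without ignore_no_module_data the account phase fails, and an account line with no idcheckallow* options is not a lockdown but a permit-all.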
You can test pam_idcheck using the pamtest utility. To build this, do:
$ make test
$ ./pamtest [pam service] [username]
