Howto use eToken and PAM (Pluggable Authentication Modules)
- date: 14.04.2008
- author: CorneliusKoelbel <cornelius.koelbel AT lsexperts DOT de>
- used eToken hardware: eTokenPro, eTokenNG OTP, eTokenNG Flash
- used eToken RTE Version: 3.65, 4.55
pkcs11 and PAM
You can also configure PAM to use a PKCS#11 library. Download the pam_pkcs11 module here:
http://www.opensc-project.org/pam_pkcs11/
Using this module, you can change all the PAM configs and thus use the PKCS#11 library for
- login
- gnome
- kde
- su / sudo
- ...
You cannot use pam_pkcs11 for OpenSSH, since the eToken is plugged in at your client machine, but PAM is checked on the server machine!
configure pam_pkcs11
Warning: The default config directory changed from /etc/pkcs11 to /etc/pam_pkcs11 in version 0.5.3
Edit the file /etc/pkcs11/pam_pkcs11.conf
--snip--
use_pkcs11_module = aladdin;
pkcs11_module aladdin {
module = /usr/lib/libeTPkcs11.so;
description = "Aladdin PKCS#11 module";
slot_num=0;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
support_threads = false;
cert_policy = ca,signature;
}
--snip--
The PKCS#11 library that pam_pkcs11 is supposed to use is the same module we were using for Thunderbird: /usr/local/lib/libetpkcs11.so.
You also have to take a look at ca_dir and crl_dir. In ca_dir you have to put the certificate of the certificate authority that signed your user certificate; crl_dir contains your revocation list.
Copy the CA certificate to ca_dir and the CRLs to crl_dir.
Now you have to generate the hash links. You can use the script make_hash_link.sh for it.
make_hash_link.sh /etc/pkcs11/<ca_dir>
Mapping
Watch out: Under Windows there is the certificate attribute 'Login-certificate'. The eToken may only contain one Windows login certificate. This attribute is not necessary under Linux. Thus you
- have to enter the username, when you want to login using the eToken
- and you have to define, what username shall fit to which certificate.
The second is done by the mapping.
There is the option use_mappers in the file /etc/pkcs11/pam_pkcs11.conf.
Interesting mappers are
- cn for 'common name': the username has to match the common name of the certificate
- subject: in a mapping file you specify which distinguished name maps to which user
- ldap: you can define your users in an LDAP server or an Active Directory
Login using a certificate
Now we have to configure PAM to use our PKCS#11 library.
As an example we take a look at /etc/pam.d/login of Fedora Core 4:
--snip--
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so multiple
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
--snip--
We have to change the authentication (auth). Fedora Core uses PAM stacking. At the moment auth is done by system-auth. We will write a new file system-auth-sc (sc=smartcard) that will do the authentication using the eToken. So the new file /etc/pam.d/login will look like this:
--snip--
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth-sc
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_selinux.so multiple
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
--snip--
Now we will construct the file /etc/pam.d/system-auth-sc. For this we take the file system-auth and copy it to system-auth-sc. We just change one line:
auth sufficient /lib/security/$ISA/pam_unix.so
That line authenticates the user against the passwd, i.e. the shadow password file. We change this line to:
auth sufficient /lib/security/$ISA/pam_pkcs11.so crl_policy=none
so that the authentication will be done by pam_pkcs11!
Now the login will look like this:
login: koelbel
Password for token eToken:
You can add the option debug after pam_pkcs11.so, which will give you a lot of useful debug information. But it will also print your eToken PIN in clear text on the screen!
KDE Login using a certificate
Having the file /etc/pam.d/system-auth-sc now makes it easy to use the eToken for any other kind of login, like your X window login. Just add the -sc to system-auth in /etc/pam.d/gdm or whatever!
either - or
Now only users who have an eToken are allowed to log in. You can start playing around with PAM:
auth sufficient /lib/security/pam_unix.so
auth sufficient /lib/security/pam_pkcs11.so
will allow users who either know their password or own their eToken to log in.
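As an added illustration (not part of the original howto), the following Python model walks a PAM auth stack using the simple control-flag rules from pam.conf(5) and applies them to the password-only system-auth, the system-auth-sc stack and the 'either - or' stack above; the three-line stack shape with pam_env.so and pam_deny.so is an assumption about the Fedora system-auth of the time, since the howto shows only the pam_unix line, and the module verdicts are supplied by hand rather than by real PAM modules.

```python
"""Added example (not from the howto): a small model of how Linux-PAM walks an
'auth' stack built from the simple control flags required / requisite /
sufficient / optional. Module verdicts are supplied by the caller; no real
PAM module runs. Stack shapes are assumptions modelled on the Fedora
system-auth of the era (pam_env, pam_unix, pam_deny)."""

SYSTEM_AUTH = [("required", "pam_env.so"),
               ("sufficient", "pam_unix.so"),       # password check
               ("required", "pam_deny.so")]
SYSTEM_AUTH_SC = [("required", "pam_env.so"),
                  ("sufficient", "pam_pkcs11.so"),  # eToken certificate instead
                  ("required", "pam_deny.so")]
EITHER_OR = [("sufficient", "pam_unix.so"),         # the 'either - or' stack
             ("sufficient", "pam_pkcs11.so")]


def evaluate_stack(stack, verdicts):
    """True if the stack authenticates. verdicts maps module -> bool; a module
    missing from verdicts fails (e.g. pam_pkcs11 when no token is plugged in)."""
    impression = None       # None = undecided, True = positive, False = negative
    for control, module in stack:
        ok = verdicts.get(module, False)
        if control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression = True
            else:
                impression = False       # final verdict is now failure ...
                if control == "requisite":
                    return False         # ... and requisite stops immediately
        elif control == "sufficient":
            if ok and impression is not False:
                return True              # short-circuit: rest of stack skipped
            # a failed sufficient module is simply ignored
        elif control == "optional":
            if ok and impression is None:
                impression = True        # only counts if nothing else decided
        else:
            raise ValueError(f"unknown control flag {control!r}")
    return impression is True            # undecided at end of stack = denied


def login_allowed(stack, password_ok, token_ok):
    """Outcome for a user who does/does not know the password and does/does not
    present a valid, CA-signed eToken certificate."""
    verdicts = {"pam_env.so": True, "pam_deny.so": False,
                "pam_unix.so": password_ok, "pam_pkcs11.so": token_ok}
    return evaluate_stack(stack, verdicts)
```

Running login_allowed over the three stacks shows why system-auth-sc locks out every user without a token, while the 'either - or' stack accepts a password or a token and rejects only a user with neither.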
