Page 2 of 3 (results 11 to 20 of 25)

Thread: Linux Login with Pam

  1. #11

    Re: Linux Login with Pam

    Still on the same problem: there are instructions included in the README.md file that comes with the pam_p11 package which, after installation, go on to explain usage of pam_p11, and this has details which I do not follow as the instructions included refer to files not actually installed. As you can tell I am working well beyond my pay grade but am determined to sort this out with help, please. I have quoted the instructions below, not all of them but those after the instructions for installation. I fall at the first fence because the second line, repeated here, does not have line /usr/local/lib/security/pam_p11.so.

    Code:
    auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    The instructions go on as follows.

    ## Using pam_p11

    ### Login

    To use pam_p11 with some application like `sudo`, edit `/etc/pam.d/sudo` and add something like the following at the beginning of the file:

    ```
    auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    ```

    Replace `/usr/local/lib/opensc-pkcs11.so` with your PKCS#11 implementation. Using an absolute path to `pam_p11.so` avoids the need to write to a system directory, which is especially useful for macOS with system integrity protection (SIP) enabled.

    An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.

    While testing it is best to keep a door open. Editing the configuration files from a different machine via SSH helps reverting a bad PAM login configuration. Replace `sufficient` with `required` and remove other unwanted PAM modules from the file only when you've successfully verified the configuration.

    To enable pam_p11 for all logins (graphical and terminal based), change the following configuration files as described above:

    | Operating System | PAM configuration file |
    | ---------------- | -------------------------- |
    | macOS | `/etc/pam.d/authorization` |
    | Debian | `/etc/pam.d/common-auth` |
    | Arch Linux | `/etc/pam.d/system-auth` |

    ### PIN change and unblock

    To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:

    ```
    password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    ```

    An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.

    ### User configuration via `~/.eid/authorized_certificates`

    A user may create a `~/.eid/` directory and create a file `~/.eid/authorized_certificates` with authorized certificates. You can do that via

    ```
    mkdir -p ~/.eid
    chmod 0755 ~/.eid
    pkcs11-tool --read-object --type cert --id 45 --module /usr/lib/opensc-pkcs11.so --output-file cert.cer
    openssl x509 -inform DER -in cert.cer -outform PEM >> ~/.eid/authorized_certificates
    chmod 0644 ~/.eid/authorized_certificates
    ```

    This example uses the `pkcs11-tool` command from opensc to read a certificate (id `45`) from the smart card. Use `pkcs11-tool --list-objects --type cert --module /usr/lib/opensc-pkcs11.so` to view all certificates available on the card.

    It is very important that only the user of the file can write to it. You can have any number of certificates in that file. The certificates need to be in PEM format. DER format is not supported.

    ### User configuration via `~/.ssh/authorized_keys`

    A user may create a `~/.ssh/` directory and create a file `~/.ssh/authorized_keys` with authorized public keys. You can do that via

    ```
    mkdir -p ~/.ssh
    chmod 0755 ~/.ssh
    ssh-keygen -D /usr/lib/opensc-pkcs11.so >> ~/.ssh/authorized_keys
    chmod 0644 ~/.ssh/authorized_keys
    ```

    This example uses the `ssh-keygen` command from openssh to read the default user public key (id 45) from the smart card in reader 0. Note that this tool prints the public keys in two formats: ssh v1 and ssh v2 format. It is recommended to edit the file and delete one of those two lines. Also you might want to add a comment / identifier at the end of the line.

    It is very important that only the user of the file can write to it. You can have any number of public keys in that file.

    Note it is currently not possible to convert existing ssh keys into pem format and store them on a smart card. (To be precise: OpenSC has no such functionality, not sure about other implementations.)

    ## Security Note

    pam_p11 simply compares public keys and requests the cryptographic token to sign some random data and verifies the signature with the public key. No CA chain checking is done, no CRL is looked at, and they don't know what OCSP is. This works fine for small installations, but if you want any of those features, please have a look at [Pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) for a fully fledged PAM module for smart card authentication.
    I hope this can be resolved and many thanks for all the help so far.

    Budgie2
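An added check script (not from the pam_p11 README and not posted by anyone in the thread) that covers the two pitfalls in the post above: a PAM line naming a `pam_p11.so` or PKCS#11 module path that does not exist, and an `authorized_certificates` file that is writable by group/others or not in PEM format. Paths and the PAM line are whatever you pass in; nothing here touches `/etc/pam.d`.

```shell
#!/bin/sh
# Added example: pre-flight checks to run BEFORE changing "sufficient" to
# "required" in a pam_p11 PAM line. Each function prints what is wrong and
# returns non-zero on any failure, so it can gate a config change.

# check_pam_p11_line "auth sufficient /path/pam_p11.so /path/opensc-pkcs11.so"
# Verifies that the module and the PKCS#11 library named in the line are
# absolute paths that actually exist (the failure described in the thread).
check_pam_p11_line() {
    line=$1
    set -- $line
    # $1=type $2=control $3=pam_p11.so path $4=PKCS#11 library [$5=PIN regex]
    [ "$#" -ge 4 ] || { echo "malformed PAM line: $line"; return 1; }
    rc=0
    for f in "$3" "$4"; do
        case $f in
            /*) ;;
            *) echo "not an absolute path: $f"; rc=1; continue ;;
        esac
        [ -f "$f" ] || { echo "missing file: $f"; rc=1; }
    done
    return $rc
}

# check_auth_certs ~/.eid/authorized_certificates
# The README requires that only the owner can write the file (anyone who can
# write it can add their own certificate) and that certificates are PEM, not DER.
check_auth_certs() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # group- or world-writable: -perm with symbolic modes is POSIX find
    if [ -n "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "writable by group/others: $f"; rc=1
    fi
    # DER files are binary and never contain the PEM armour line
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then
        echo "no PEM certificate found (DER is not supported): $f"; rc=1
    fi
    return $rc
}
```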

  2. #12

    Re: Linux Login with Pam

    Quote Originally Posted by malcolmlewis:
    Hi
    That is just plain asinine, configure and build as your user, install as root.....
    Oh dear I am a bit confused. My first attempt at the three stage process of

    Code:
    ./configure, make and make install
    was first done as my user and I saw there were permission problems so I ran the last stage again as

    Code:
    sudo make install
    which might have been how I now interpret Malcolm's instruction. Having seen there might have still been similar errors and with Tsu's advice I ran the whole lot as root.

    This might explain why I do not have all that I needed in /usr/local/lib/security. I do not want to provoke an argument through my own ignorance so await further advice.
    How's this for encryption!

  3. #13

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2:
    the second line, repeated here does not have line /usr/local/lib/security/pam_p11.so.
    If this sentence is supposed to mean "you do not have file /usr/local/lib/security/pam_p11.so on your system" - it was your decision to install pam_p11 from source instead of using the package that is part of openSUSE. How should we know where you decided to install this file?

    If you intended to say something different, please clarify.

  4. #14

    Re: Linux Login with Pam

    Quote Originally Posted by arvidjaar:
    If this sentence is supposed to mean "you do not have file /usr/local/lib/security/pam_p11.so on your system" - it was your decision to install pam_p11 from source instead of using the package that is part of openSUSE. How should we know where you decided to install this file?

    If you intended to say something different, please clarify.
    Hi
    From the configure command, likely installed in /lib (--libdir=/lib/), but I do concur as to why the openSUSE packages are not used; if there is an issue, a bug report is always a good stop to get support added?
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  5. #15

    Re: Linux Login with Pam

    It's one of those files that defines the PATHs on your machine.
    You can open that file and find that it already contains the usual paths pointing to where libraries are normally installed on your machine.
    But, what you just built apparently didn't install in any of the locations defined,
    So you have two options...
    Move the files to one of the locations defined in /etc/ld.so.conf (This I recommend)
    or
    as described, edit the file to add a new path to your library.

    Or,
    I'm not sure why the above are the recommendations...
    I'd instead recommend if not the first option I described, add to your LD_LIBRARY_PATH by making an "export" entry in a /etc/profiles.local
    (Well known alternative is to add to your bashrc)
    Then run ldconfig or reboot to activate the path.

    TSU

  6. #16

    Re: Linux Login with Pam

    Quote Originally Posted by malcolmlewis:
    Hi
    From the configure command, likely installed in /lib (--libdir=/lib/), but I do concur as to why the openSUSE packages are not used; if there is an issue, a bug report is always a good stop to get support added?
    Hi Malcolm and thanks for the reply. I am not qualified to go as far as a bug report and it is entirely possible, indeed probable that the fault is mine.

    Arvidjaar in his often acerbic manner has pointed out that I should have installed from openSUSE, and indeed that is what I would have done if I had found it through YaST, but at that time the required repo (http://download.opensuse.org/reposit...SE_Tumbleweed/) was not installed and I didn't know of this repo, but found the download file and fetched it from OpenSC.

    Hindsight is a wonderful thing but I am learning all the time and would like to continue if you are willing. What I would like to know is which is the correct way to approach the ./configure, make, make install pattern.

    I shall now follow Tsu's advice on getting the paths correct and try and make progress.

  7. #17

    Re: Linux Login with Pam

    Quote Originally Posted by tsu2:
    It's one of those files that defines the PATHs on your machine.
    You can open that file and find that it already contains the usual paths pointing to where libraries are normally installed on your machine.
    But, what you just built apparently didn't install in any of the locations defined,
    So you have two options...
    Move the files to one of the locations defined in /etc/ld.so.conf (This I recommend)
    or
    as described, edit the file to add a new path to your library.

    Or,
    I'm not sure why the above are the recommendations...
    I'd instead recommend if not the first option I described, add to your LD_LIBRARY_PATH by making an "export" entry in a /etc/profiles.local
    (Well known alternative is to add to your bashrc)
    Then run ldconfig or reboot to activate the path.

    TSU
    Hi Tsu, I am being thick again and would open it if I could find it, but I cannot find LIBDIR. Could it be it has not been created?

  8. #18

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2:
    pam_p11 (and opensc) are part of standard Tumbleweed, no additional repository is required. Did you try "zypper in pam_p11"?

  9. #19

    Re: Linux Login with Pam

    Hi arvidjaar and thanks for your question. I transitioned from Leap 15.1 to Tumbleweed only recently and at that time only three repos were initially installed as I recall.

    Whatever the case I then added packman and libdvdcss.

    For package installation I use yast and have never been accustomed to using zypper although I know I should. It has only been since Tumbleweed that I learned to use zypper for package updates and certainly never thought to try zypper in pam_p11. At the time I could not find pam_p11 using yast software manager. It was only after I installed the security repo that pam_p11 was found using yast.

    More important for me is should I unwind from here and start over? Is that what you suggest or would you be able to help me sort this out without removing anything but checking the configuration and rectifying any anomalies?

  10. #20

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2:
    Hi Malcolm and thanks for the reply. I am not qualified to go as far as a bug report and it is entirely possible, indeed probable that the fault is mine.

    Arvidjaar in his often acerbic manner has pointed out that I should have installed from openSUSE, and indeed that is what I would have done if I had found it through YaST, but at that time the required repo (http://download.opensuse.org/reposit...SE_Tumbleweed/) was not installed and I didn't know of this repo, but found the download file and fetched it from OpenSC.

    Hindsight is a wonderful thing but I am learning all the time and would like to continue if you are willing. What I would like to know is which is the correct way to approach the ./configure, make, make install pattern.

    I shall now follow Tsu's advice on getting the paths correct and try and make progress.
    Hi
    Wherever you ran make install from you should be able to just run make uninstall and it will remove everything.

    Not sure why you just didn't install from the main repository?

    Code:
    zypper if pam_p11
    
    Information for package pam_p11:
    --------------------------------
    Repository     : Main Repository (OSS)                                   
    Name           : pam_p11                                                 
    Version        : 0.3.0-1.1
    I would suggest sticking with the distribution version, adding the development repository is somewhat pointless (unless testing a fix, just impatient etc) as the packages here will eventually make it into Tumbleweed.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
