Thread: Linux Login with Pam

  1. #1

    Linux Login with Pam

    I have been struggling with setting up a NitroKey Storage key device and there are instructions on the NitroKey web site but...

    The instructions which seem to me simplest require Poldi and I cannot find this on the Tumbleweed repos I have installed.

    Pam_p11 is also suggested and is available in the repo but this approach appears to use X509 CA Certificates and this is well above my ability at present.

    How can I get Poldi and can anybody give any advice or experience using it please?

  2. #2

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2
    How can I get Poldi
    a) find someone who already built it for your distribution
    b) build it yourself
    c) ask someone to do it for you
    d) pay someone to do it for you

    I do not see anyone building it in OBS which with high probability means you realistically have only three options.

  3. #3

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2
    Pam_p11 is also suggested and is available in the repo but this approach appears to use X509 CA Certificates
    According to the readme on the pam_p11 site:
    Code:
    Pam_p11 implements two authentication methods:
    
    • verify a token using a known public key found in OpenSSH's ~/.ssh/authorized_keys.
    • verify a token using a known certificate found in ~/.eid/authorized_certificates.

  4. #4

    Re: Linux Login with Pam

    Quote Originally Posted by arvidjaar
    According to the readme on the pam_p11 site:
    Code:
    Pam_p11 implements two authentication methods:
    
    • verify a token using a known public key found in OpenSSH's ~/.ssh/authorized_keys.
    • verify a token using a known certificate found in ~/.eid/authorized_certificates.
    OK and thanks again for the advice. I will research more on the Pam_p11 as I only checked one article by the author and it was over my head.

    Will also have a go at building poldi.

    Many thanks,
    Budge

  5. #5

    Re: Linux Login with Pam

    Hi and thanks again. I had been looking in the wrong place. The Nitrokey Applications gave me the link for the Pam-PKCS11 manual which, not surprisingly, gives instructions for the CS Certificate application. The documentation from the Pam_p11 download is what you showed me and clearly covers both cases, and I shall try to get it working.
    There is one minor issue, which is that the Pam_p11 version on the repo site is slightly older than that on the oss-sec website, and when I tried to build it I ran into too many conflicts for my liking.

  6. #6

    Re: Linux Login with Pam

    Worth reposting general posting "Best Practice"

    If you're following guide or instructions on the Internet, post a link to it.
    If you experience an error, post the command you ran and the exact output that results.

    An x509 certificate is simply a string of text characters that's used to authenticate, more specifically in web applications like a website or authenticating Users, commonly used in SSL connections.
    So, as described, an x509 certificate can be generated by various utilities like openssh and openssl.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  7. #7

    Re: Linux Login with Pam

    Hi Tsu, sorry, I was thinking out loud as it were. OK, I have the file in ~/Downloads/pam_p11-0.3.1.tar.gz, where I have extracted it. The installation instructions are straightforward, so as instructed I ran:-

    Code:
    alastair@AJBR-W530:~/Downloads/pam_p11-0.3.1> ./configure --prefix=/usr --libdir=/lib/
    I ran this as me, not root. I think all went OK after I had sorted out some conflicts.

    Running make gave me information which seemed to include errors, and when I ran make install it told me there were insufficient permissions for the installation. It seems to me I should run make install as root, but possibly I should have run make also as root.
    Having run sudo make install, everything ran as expected, but I suspect some libraries may be in the wrong place because I only ran make as me, not sudo make.

    I hope this is making sense and would appreciate your advice before proceeding as there are instructions I do not understand at the end. Here is my console output, warts and all and I would very much appreciate your advice here.

    https://paste.opensuse.org/3863379

  8. #8

    Re: Linux Login with Pam

    Quote Originally Posted by Budgie2
    Hi Tsu, sorry, I was thinking out loud as it were. OK, I have the file in ~/Downloads/pam_p11-0.3.1.tar.gz, where I have extracted it. The installation instructions are straightforward, so as instructed I ran:-

    Code:
    alastair@AJBR-W530:~/Downloads/pam_p11-0.3.1> ./configure --prefix=/usr --libdir=/lib/
    I ran this as me, not root. I think all went OK after I had sorted out some conflicts.

    Running make gave me information which seemed to include errors, and when I ran make install it told me there were insufficient permissions for the installation. It seems to me I should run make install as root, but possibly I should have run make also as root.
    Having run sudo make install, everything ran as expected, but I suspect some libraries may be in the wrong place because I only ran make as me, not sudo make.

    I hope this is making sense and would appreciate your advice before proceeding as there are instructions I do not understand at the end. Here is my console output, warts and all and I would very much appreciate your advice here.

    https://paste.opensuse.org/3863379
    Yes, your "make" returned a critical error.
    You should generally run all 3 commands as root (this is where you can take advantage of openSUSE's permissive use of root to just run the commands in a root console instead of using sudo).

    So, as is typically the case, just do that... run all 3 commands as root and you should be fine; the results should over-write your mistakes.

    TSU

  9. #9

    Re: Linux Login with Pam

    Hi Tsu,
    Many thanks for the advice. I have rebuilt and installed pam_p11 and there were no errors this time, so I think all is OK except for the comment, still repeated after the install. The script for the whole process is in the SUSE paste file above, in particular lines 393 to 418 and especially line 405:-

    - have your system administrator add LIBDIR to '/etc/ld.so.conf'
    I do not understand the reference to LIBDIR.

    I had ignored this earlier thinking I would not need it but out of the blue, after logging in just now, a window opened with the text:-

    Code:
    add LIBDIR to etc/ld.so.conf
    the window appeared as a plain screen, no other text and I had difficulty removing it.

    Clearly I need to do as instructed if only I knew about LIBDIR.

  10. #10

    Re: Linux Login with Pam

    Still on the same problem: there are instructions in the README.md file included with the pam_p11 package which, after installation, go on to explain usage of pam_p11, and this has details which I do not follow as the instructions refer to files not actually installed. As you can tell I am working well beyond my pay grade but am determined to sort this out, with help please. I have quoted the instructions below, not all of them but those after the instructions for installation. I fall at the first fence because the second line, repeated here, does not have the line /usr/local/lib/security/pam_p11.so.

    auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    The instructions go on as follows.

    ## Using pam_p11

    ### Login

    To use pam_p11 with some application like `sudo`, edit `/etc/pam.d/sudo` and add something like the following at the beginning of the file:

    ```
    auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    ```

    Replace `/usr/local/lib/opensc-pkcs11.so` with your PKCS#11 implementation. Using an absolute path to `pam_p11.so` avoids the need to write to a system directory, which is especially useful for macOS with system integrity protection (SIP) enabled.

    An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.

    While testing it is best to keep a door open. Editing the configuration files from a different machine via SSH helps reverting a bad PAM login configuration. Replace `sufficient` with `required` and remove other unwanted PAM modules from the file only when you've successfully verified the configuration.

    To enable pam_p11 for all logins (graphical and terminal based), change the following configuration files as described above:

    | Operating System | PAM configuration file |
    | ---------------- | -------------------------- |
    | macOS | `/etc/pam.d/authorization` |
    | Debian | `/etc/pam.d/common-auth` |
    | Arch Linux | `/etc/pam.d/system-auth` |

    ### PIN change and unblock

    To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:

    ```
    password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    ```

    An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.

    ### User configuration via `~/.eid/authorized_certificates`

    A user may create a `~/.eid/` directory and create a file `~/.eid/authorized_certificates` with authorized certificates. You can do that via

    ```
    mkdir -p ~/.eid
    chmod 0755 ~/.eid
    pkcs11-tool --read-object --type cert --id 45 --module /usr/lib/opensc-pkcs11.so --output-file cert.cer
    openssl x509 -inform DER -in cert.cer -outform PEM >> ~/.eid/authorized_certificates
    chmod 0644 ~/.eid/authorized_certificates
    ```

    This example uses the `pkcs11-tool` command from opensc to read a certificate (id `45`) from the smart card. Use `pkcs11-tool --list-objects --type cert --module /usr/lib/opensc-pkcs11.so` to view all certificates available on the card.

    It is very important that only the user of the file can write to it. You can have any number of certificates in that file. The certificates need to be in PEM format. DER format is not supported.

    ### User configuration via `~/.ssh/authorized_keys`

    A user may create a `~/.ssh/` directory and create a file `~/.ssh/authorized_keys` with authorized public keys. You can do that via

    ```
    mkdir -p ~/.ssh
    chmod 0755 ~/.ssh
    ssh-keygen -D /usr/lib/opensc-pkcs11.so >> ~/.ssh/authorized_keys
    chmod 0644 ~/.ssh/authorized_keys
    ```

    This example uses the `ssh-keygen` command from openssh to read the default user public key (id 45) from the smart card in reader 0. Note that this tool prints the public keys in two formats: ssh v1 and ssh v2 format. It is recommended to edit the file and delete one of those two lines. Also you might want to add a comment / identifier at the end of the line.

    It is very important that only the user of the file can write to it. You can have any number of public keys in that file.

    Note it is currently not possible to convert existing ssh keys into pem format and store them on a smart card. (To be precise: OpenSC has no such functionality, not sure about other implementations.)

    ## Security Note

    pam_p11 simply compares public keys and requests the cryptographic token to sign some random data and verifies the signature with the public key. No CA chain checking is done, no CRL is looked at, and they don't know what OCSP is. This works fine for small installations, but if you want any of those features, please have a look at [Pam_pkcs11](https://github.com/OpenSC/pam_pkcs11) for a fully fledged PAM module for smart card authentication.
    I hope this can be resolved and many thanks for all the help so far.

    Budgie2
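As an added example (not from this thread or the pam_p11 project), here is a POSIX shell check for the two requirements the quoted README places on `~/.eid/authorized_certificates`: only the owning user may write the file, and its contents must be PEM certificates, since DER is not supported. It assumes the GNU/Linux `ls -ld` output layout (mode string first, owner in the third field).

```shell
#!/bin/sh
# Added example: check a pam_p11 authorized_certificates file against the
# README's requirements. Exit codes: 0 ok, 1 ownership/permission problem,
# 2 content is not PEM certificate data.
check_pam_p11_authfile() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # "ls -ld" prints e.g.: -rw-r--r-- 1 alice users 1234 Jan  1 00:00 FILE
    set -- $(ls -ld "$f")
    mode="$1"; owner="$3"
    if [ "$owner" != "$(id -un)" ]; then
        echo "not owned by $(id -un): $f (owner $owner)"; return 1
    fi
    # 6th and 9th characters of the mode string are group- and other-write
    case "$mode" in
        ?????w*|????????w*) echo "group/other writable ($mode): $f"; return 1 ;;
    esac
    # DER is binary; PEM is printable ASCII only, so any other byte is a DER/garbage sign
    if LC_ALL=C grep -q '[^[:print:][:space:]]' "$f"; then
        echo "binary content, DER is not supported: $f"; return 2
    fi
    # every PEM block must be complete: BEGIN and END markers must pair up
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "no complete PEM certificate block in $f"; return 2
    fi
    echo "ok: $begins PEM certificate(s), mode $mode, owner $owner"
    return 0
}

# Usage: check_pam_p11_authfile ~/.eid/authorized_certificates
```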
