-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
57 lines (53 loc) · 3.39 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
This software is designed for GNU/Linux with glibc 2.1 or later.
Summary: PAM module to authenticate using an LCMAPSd service.
Author: Mischa Sall\'e, msalle (at) nikhef (dot) nl
License: Apache 2
Dependencies: libcurl, libjson (json-c)
Description: Provides a PAM module that can authenticate against an LCMAPSd
service. It can use either a proxy, e.g. obtained via pam_myproxy
or using DN (in future also FQANs). In the latter case, it is
necessary that another module has authenticated the input DN, e.g
via pam_radius. In case of using a proxy, it can optionally chown
the proxyfile to target_uid:target_gid. It can also rename the
proxy such that it contains the uid, in that case the env variable
X509_USER_PROXY is updated to point to the new file.
Currently implemented interfaces are:
pam_sm_authenticate - does LCMAPSd callout to obtain uid/gid
pam_sm_acct_mgmt - idem
pam_sm_setcred - optionally chowns and renames the
proxy to match the target uid/gid
pam_sm_open_session - idem
pam_sm_close_session - always successful
Options can be given either on the pam commandline or in a config
file which can be specified on the pam commandline.
Valid options:
config - only on commandline: specifies path of config
file
capath - as understood by openssl and curl
cafile - idem
hostcert - idem (corresponding to clientcert)
hostkey - idem
lcmapsd_url - LCMAPSd url, e.g.
https://localhost:8443/lcmaps/mapping/ssl
lcmapsd_timeout - LCMAPSd timeout (default 1 sec)
lcmapsd_mode - basic or full (default)
proxyfmt - format for renaming, %d is replaced with
target_uid, XXXXXX as in mkstemp() (default
/tmp/x509up_u%d.XXXXXX)
rename - whether to rename (default 1, i.e. yes)
chown - whether to chown (default 1, i.e. yes)
del_proxy_on_fail- remove proxy upon failure (default 0, i.e.
no)
proxy_as_cafile - use proxy also as cafile, probably needed on
RH 6 and alike (default 0, i.e. no)
intern_env - whether to use the pam environment to pass
data from pam_sm_authenticate or
pam_sm_account to pam_sm_setcred or
pam_sm_open_session. This is needed for use
with OpenSSH (default 1, i.e. yes)
Example: E.g.
auth required pam_lcmapsd.so capath=/etc/grid-security/certificates lcmapsd_timeout=2
Notes: Currently the LCMAPSd does not yet have support for passing FQANs
via the restful interface and hence the pam_lcmapsd does not yet
use the FQANs. Also the sgids are currently not yet parsed from
the json output.