NSS (Name Service Switch) Module for Securepass
This branch is 2 commits ahead, 2 commits behind gplll:master.
Latest commit 617d91a Feb 10, 2017 @gpaterno gpaterno fix for SLES/OpenSUSE
ADD_GROUPS.sh Added support for Posix groups Feb 6, 2017
ADD_USERS.sh Added PAM Module Aug 11, 2015
DEL_USERS.sh Added PAM Module Aug 11, 2015
DO_TEST.sh Added PAM Module Aug 11, 2015
LICENSE integrated _service from deneb-alpha Feb 4, 2015
LICENSE_APACHE2 Converted file to unix format Feb 4, 2015
LICENSE_GNUGPL integrated _service from deneb-alpha Feb 4, 2015
LICENSE_MIT Converted file to unix format Feb 4, 2015
Makefile.in Added support for Posix groups Feb 6, 2017
README.md Added support for Posix groups Feb 6, 2017
_service
config.guess
config.sub commit Oct 24, 2014
configure added configure Aug 11, 2015
configure.ac Added PAM Module Aug 11, 2015
install-sh
jsmn.c
jsmn.h first commit Oct 20, 2014
minGlue.h
minIni.c first commit Oct 20, 2014
minIni.h first commit Oct 20, 2014
nss-securepass.spec
nss_client.c
nss_sp.c Added support for Posix groups Feb 6, 2017
nss_sp.h Added support for Posix groups Feb 6, 2017
pam_client.c documentation fix Aug 11, 2015
pam_sp.c
pam_sp.h
securepass.conf.template
sp_api.c Added support for Posix groups Feb 6, 2017
sp_api.h Added support for Posix groups Feb 6, 2017
sp_client.c Added support for Posix groups Feb 6, 2017
test.ini
test_ini.c first commit Oct 20, 2014

README.md

NSS and PAM modules for SecurePass

This repository contains an NSS module and a PAM module for users defined on SecurePass. SecurePass provides web single sign-on through the CAS protocol.

More on SecurePass at http://www.secure-pass.net

To install and configure the modules:

  • Install libcurl development package (e.g. libcurl4-gnutls-dev under Ubuntu)
  • Install libpam development package (e.g. libpam0g-dev under Ubuntu)
  • ./configure
  • make
  • make install
  • Copy the file securepass.conf.template to /etc/securepass.conf (uid=root, gid=root, perms=600)
  • See the instructions in the file to configure the module
  • Edit the file /etc/nsswitch.conf and add service 'sp' to the passwd line (e.g. 'passwd: compat sp')
  • Edit the file /etc/nsswitch.conf and add service 'sp' to the group line (e.g. 'group: compat sp')
  • (recommended) start nscd (Name Service Cache Daemon)
  • Configure PAM module (/lib/security/pam_sp_auth.so) under /etc/pam.d
  • This repo includes the following sample programs to test the SecurePass, NSS and PAM APIs: sp_client, nss_client, pam_client

Note: Due to current limitations, the endpoint parameter must be set to https://beta.secure-pass.net/ in /etc/securepass.conf.
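
A post-install check for the steps above, as an added example that is not part of this repository: it verifies the ownership and mode of the configuration file, the endpoint value, and the presence of 'sp' on the passwd and group lines. The function names and the overridable path and owner arguments are assumptions of the example, and `stat -c` assumes GNU coreutils or BusyBox.

```sh
#!/bin/sh
# Added example: post-install checks for the SecurePass NSS/PAM setup steps.
# Function names and the overridable paths/owner are assumptions of this example.
# Usage (as root, after 'make install'): check_install

# conf_perms_ok FILE [UID:GID] -> 0 if FILE is a regular file, mode 600, owned
# by UID:GID (default 0:0, i.e. root:root as the README requires).
conf_perms_ok() {
    f=$1; want=${2:-0:0}
    [ -f "$f" ] || return 2
    # %a = octal mode, %u:%g = numeric owner and group (GNU/BusyBox stat)
    [ "$(stat -c '%a %u:%g' "$f")" = "600 $want" ]
}

# conf_endpoint FILE -> prints the first 'endpoint' value, quotes stripped.
conf_endpoint() {
    sed -n 's/^[[:space:]]*endpoint[[:space:]]*=[[:space:]]*//p' "$1" 2>/dev/null |
        tr -d '"\r' | head -n 1
}

# nss_has_sp FILE DB -> 0 if the DB line (passwd, group) lists service 'sp'.
# Comments are stripped first so a commented-out 'sp' does not count.
nss_has_sp() {
    sed 's/#.*//' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "sp") found = 1 }
        END { exit !found }'
}

# check_install [CONF] [NSSWITCH] [UID:GID] -> 0 only if every check passes.
check_install() {
    conf=${1:-/etc/securepass.conf}; nss=${2:-/etc/nsswitch.conf}
    owner=${3:-0:0}; rc=0
    conf_perms_ok "$conf" "$owner" ||
        { echo "FAIL: $conf must be mode 600, owner $owner"; rc=1; }
    [ "$(conf_endpoint "$conf")" = "https://beta.secure-pass.net/" ] ||
        { echo "FAIL: endpoint in $conf is not https://beta.secure-pass.net/"; rc=1; }
    for db in passwd group; do
        nss_has_sp "$nss" "$db" ||
            { echo "FAIL: '$db' line in $nss does not list 'sp'"; rc=1; }
    done
    return "$rc"
}
```

Source the file and call `check_install` with no arguments to test the live system; pass copies of the two files to rehearse a change before deploying it.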

NSS module

There are reserved words in SecurePass extended attributes:

  • posixuid -> UID of the user
  • posixgid -> GID of the user
  • posixhomedir -> Home directory
  • posixshell -> Desired shell
  • posixgecos -> Gecos (defaults to username)

posixuid is the only required extended attribute; it is needed to recognize a SecurePass user as a Unix user. For any other parameter, you need to set defaults in /etc/securepass.conf:

[nss]
realm = domain.com
default_gid = 100
default_home = "/home"
default_shell = "/bin/bash"

PAM module

The PAM module works both for authentication and for password changing. In order to be able to change your password with the PAM module, the API key must be read-write. Read-only API keys will result in an error.

An example of PAM configuration under /etc/pam.d/:

password   required   /lib/security/pam_sp.so
auth       required   /lib/security/pam_sp.so

Author

gplll1818@gmail.com, Oct 2014 - Feb 2017