NSS (Name Service Switch) Module for Securepass
C Shell C++ Makefile M4
Switch branches/tags
Clone or download
Pull request Compare This branch is 2 commits ahead, 2 commits behind gplll:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
ADD_GROUPS.sh
ADD_USERS.sh
DEL_USERS.sh
DO_TEST.sh
LICENSE
LICENSE_APACHE2
LICENSE_GNUGPL
LICENSE_MIT
Makefile.in
README.md
_service
config.guess
config.sub
configure
configure.ac
install-sh
jsmn.c
jsmn.h
minGlue.h
minIni.c
minIni.h
nss-securepass.spec
nss_client.c
nss_sp.c
nss_sp.h
pam_client.c
pam_sp.c
pam_sp.h
securepass.conf.template
sp_api.c
sp_api.h
sp_client.c
test.ini
test_ini.c

README.md

NSS and PAM modules for SecurePass

This repository contains an NSS module and a PAM module for users defined on SecurePass. SecurePass provides web single sign-on through the CAS protocol.

More on SecurePass at http://www.secure-pass.net

To install and configure the modules:

  • Install libcurl development package (e.g. libcurl4-gnutls-dev under Ubuntu)
  • Install libpam development package (e.g. libpam0g-dev under Ubuntu)
  • ./configure
  • make
  • make install
  • Copy file securepass.conf.template into /etc/securepass.conf (uid=root, gid=root, perms=600)
  • See the instructions into the file to configure the module
  • Edit file /etc/nssswitch.conf and add service 'sp' to the passwd line (e.g. 'passwd: compat sp')
  • Edit file /etc/nssswitch.conf and add service 'sp' to the group line (e.g. 'group: compat sp')
  • (recommended) start nscd (Name Service Cache Daemon)
  • Configure PAM module (/lib/security/pam_sp_auth.so) under /etc/pam.d
  • This repo includes the following sample programs to test the SecurePass, NSS and PAM APIs: sp_client, nss_client, pam_client

Note: Due to the current limitations, be aware that the parameter endpoint must be set to https://beta.secure-pass.net/ in /etc/securepass.conf.

NSS module

There are reserved words in SecurePass extended attributes:

  • posixuid -> UID of the user
  • posixgid -> GID of the user
  • posixhomedir -> Home directory
  • posixshell -> Desired shell
  • posixgecos -> Gecos (defaults to username)

posixuid is the only required extended attribute, this is needed to recognize a SecurePass user as a Unix user. For any other parameter, you need to set defaults in /etc/securepass.conf:

[nss]
realm = domain.com
default_gid = 100
default_home = "/home"
default_shell = "/bin/bash"

PAM module

The PAM module works both for authentication and for password changing. In order to be able to change your password with the PAM module, the API key must be read-write. Read-only API keys will result in an error.

An example of PAM configuration under /etc/pam.d/:

password   required   /lib/security/pam_sp.so
auth       required   /lib/security/pam_sp.so

Author

gplll1818@gmail.com, Oct 2014 - Feb 2017