Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Fetching contributors…

Cannot retrieve contributors at this time

55 lines (42 sloc) 2.34 kb
Quick start guide to using the pam module
=========================================
The pam module supports two different flavors:
a) "eid" - store the certificate for a user in that
users home directory in a file called ".eid/authorized_certificates"
b) "ldap" - store the certificate for a user in a central ldap
repository
This guide only deals with flavor a). If you want to add documentation
on using pam with ldap, please send a patch to the opensc-devel mailing
list. See also the PAM section in the OpenSC HTML docs.
First initialize the token, create a user with a pin, create a key
and create a certificate, all as documented in the QUICKSTART file.
The first thing is to copy the opensc pam module to the right location.
Pam modules are searched for in the directory /lib/security/.
$ cp /usr/lib/security/pam_opensc.so /lib/security/pam_opensc.so
Now change one service to use this pam module by default. Keep at least
one xterm and/or virtual console open as root, so you can undo any
configuration change, in case it does not work.
Edit for example /etc/pam.d/login and replace
auth required pam_unix.so nullok
with
auth required pam_opensc.so
If you want to use opensc first, and fall back on normal password based
authentication, you could use these two lines:
auth sufficient pam_opensc.so
auth required pam_unix.so nullok
Note the first line is marked as "sufficient", so successful smart card
authentication will let a user in. If both lines read "required", a user
would have to use a smart card with the right key and certificate on it,
enter the right pin *AND* have the right password for the normal login
procedure.
Now every user needs to create a directory ".eid" in his or her home
directory and put the certificate in a file called "authorized_certificates".
To do this, enter the command (beware, this will overwrite the file):
$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
Now try to login using the smart card. Remember to first insert your
smart card into the reader, then enter your username, and then the
pin on your key.
As of OpenSC version 0.9.2, ~/.eid/authorized_certificates can contain
multiple certificates. To use multiple certificates there, simply
concatenate them, for example like
$ pkcs15-tool -r 45 >> ~/.eid/authorized_certificates
Jump to Line
Something went wrong with that request. Please try again.