Aro RANAIVONDRAMBOLA | 1 Jul 2009 18:05

RE: pam_pkcs11 source code

Hi everybody,
Now I have got the source code for all these modules below, except pkcs11_module.c, which is an example, I guess.
In pam_pkcs11.conf.example an example is shown:

 # Default pkcs11 module
  pkcs11_module default {
    module = /usr/lib/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    crl_policy = none;
  }

Does pkcs11_module.so really exist in the package? May I obtain the source code? I have to write a pkcs11 module and I would like to see an example of one before writing it.
N.B.: I searched for pkcs11_module.so / pkcs11_module.c but didn't find them anywhere in the package I downloaded from opensc-project.org.

Regards,

Aro

Date: Tue, 23 Jun 2009 23:03:32 +0530
From: replysharmi <at> gmail.com
To: pam-list <at> redhat.com
Subject: Re: pam_pkcs11 source code

Did you check here: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pam_pkcs11-0.5.3-23.src.rpm , http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.1.tar.gz or http://www.opensc-project.org/pam_pkcs11/


On Tue, Jun 23, 2009 at 2:49 PM, Aro RANAIVONDRAMBOLA <razuki <at> hotmail.fr> wrote:
I am a student at University of Paris 7.
I work on a smart card authentication project on Linux.
Is pam_pkcs11 an open-source module? May I obtain the source code (pam_pkcs11.cpp / pam_pkcs11.c and the matching source code: pkcs11_eventmgr.c, pkcs11_inspect.c, pklogin_finder.c/cpp ...)?

regards,



_______________________________________________
Pam-list mailing list
Pam-list <at> redhat.com
https://www.redhat.com/mailman/listinfo/pam-list


Sean Goller | 10 Jul 2009 20:46

pam_exec and PAM_USER

Hi,

I need to execute a script each time a user logs in, and the script needs the username. I've tried any number of things to get the PAM_USER environment variable and it always turns up empty. I'm using RHEL5; can anyone tell me which section (auth, account, etc.) I should put pam_exec in, and how I should be accessing it from the script? It's a bash script so I thought that $PAM_USER would be sufficient. But that never seems to work for me.

-S.

Chris | 15 Jul 2009 16:28

pam-abl new maintainer

For anyone who has been using the pam-abl automatic blacklisting module,
you may like to know that I'm maintaining it now at
http://pam-abl.deksai.com.

I've been using it at work (an ISP), and making changes.  I figured I might as
well maintain it too, since Andy was looking for someone.

I'll be adding a few of the things we've done into the available tarball over time (after proving they work
and are useful by subjecting our customers to them ;-), but would certainly also welcome comments and suggestions.

Thanks,
Chris
Terry | 15 Jul 2009 17:48

pam/winbind user not found problem

Hello,

Sorry for the generic subject. I am not sure how to classify the
problem more accurately.

I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
that uses pam.  Out of the box, it has this configuration file in
/etc/pam.d:
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

My system auth contains this:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=077

SSH authentication with Active Directory accounts works just fine.
The usernames are formatted as DOMAIN+username.  However, they do not
work with this application for some reason.  The developer claims that
the formatting shouldn't be a problem with their app, so I am double
checking here.  When I try to auth with the application, I get this
in /var/log/secure:

Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
check pass; user unknown
Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 15 10:40:59 omadvdss01c DS-System[6827]:
pam_succeed_if(dssystem:auth): error retrieving information about user
DOMAIN+username

Just to prove I can see that user, here is a 'getent passwd':
DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash

Any ideas?
Landon M. Kelsey, III | 15 Jul 2009 18:29

RE: pam/winbind user not found problem

What is the best starter documentation on pam?
Save me a web search!

-----Original Message-----
From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On
Behalf Of Terry
Sent: Wednesday, July 15, 2009 10:49 AM
To: pam-list <at> redhat.com
Subject: pam/winbind user not found problem

Hello,

Sorry for the generic subject. I am not sure how to classify the
problem more accurately.

I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
that uses pam.  Out of the box, it has this configuration file in
/etc/pam.d:
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

My system auth contains this:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=077

SSH authentication with Active Directory accounts works just fine.
The usernames are formatted as DOMAIN+username.  However, they do not
work with this application for some reason.  The developer claims that
the formatting shouldn't be a problem with their app, so I am double
checking here.  When I try to auth with the application, I get this
in /var/log/secure:

Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
check pass; user unknown
Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 15 10:40:59 omadvdss01c DS-System[6827]:
pam_succeed_if(dssystem:auth): error retrieving information about user
DOMAIN+username

Just to prove I can see that user, here is a 'getent passwd':
DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash

Any ideas?

Terry | 15 Jul 2009 18:43

Re: pam/winbind user not found problem

On Wed, Jul 15, 2009 at 11:29 AM, Landon M. Kelsey,
III<landonmkelsey <at> hotmail.com> wrote:
> What is the best starter documentation on pam?
> Save me a web search!
>
> -----Original Message-----
> From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On
> Behalf Of Terry
> Sent: Wednesday, July 15, 2009 10:49 AM
> To: pam-list <at> redhat.com
> Subject: pam/winbind user not found problem
>
> Hello,
>
> Sorry for the generic subject. I am not sure how to classify the
> problem more accurately.
>
> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
> that uses pam.  Out of the box, it has this configuration file in
> /etc/pam.d:
> #%PAM-1.0
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
>
> My system auth contains this:
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>
> SSH authentication with active directory accounts works just fine.
> The usernames are formatted as DOMAIN+username.  However, they do not
> work with this application for some reason.  The developer claims that
> the formatting shouldn't be a problem with their app so I am double
> checking here.   When I try to auth with the application, I get this
> in /var/log/secure:
>
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
> check pass; user unknown
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jul 15 10:40:59 omadvdss01c DS-System[6827]:
> pam_succeed_if(dssystem:auth): error retrieving information about user
> DOMAIN+username
>
> Just to prove I can see that user, here is a 'getent passwd':
> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>
> Any ideas?

Here's a start:

http://tinyurl.com/kvd639
Gary Greene | 15 Jul 2009 19:01

Re: pam/winbind user not found problem

On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey <at> hotmail.com>
wrote:
> What is the best starter documentation on pam?
> Save me a web search!
> 
> -----Original Message-----
> From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On
> Behalf Of Terry
> Sent: Wednesday, July 15, 2009 10:49 AM
> To: pam-list <at> redhat.com
> Subject: pam/winbind user not found problem
> 
> Hello,
> 
> Sorry for the generic subject. I am not sure how to classify the
> problem more accurately.
> 
> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
> that uses pam.  Out of the box, it has this configuration file in
> /etc/pam.d:
> #%PAM-1.0
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> 
> My system auth contains this:
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_winbind.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_winbind.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
> 
> SSH authentication with active directory accounts works just fine.
> The usernames are formatted as DOMAIN+username.  However, they do not
> work with this application for some reason.  The developer claims that
> the formatting shouldn't be a problem with their app so I am double
> checking here.   When I try to auth with the application, I get this
> in /var/log/secure:
> 
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
> check pass; user unknown
> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
> Jul 15 10:40:59 omadvdss01c DS-System[6827]:
> pam_succeed_if(dssystem:auth): error retrieving information about user
> DOMAIN+username
> 
> Just to prove I can see that user, here is a 'getent passwd':
> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
> 
> Any ideas?
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list <at> redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
> 
> _______________________________________________
> Pam-list mailing list
> Pam-list <at> redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list

You haven't got nscd running have you? If you do, turn it off. It causes
weird auth issues with Winbind.

-- 
Gary L. Greene, Jr.
==========================================================================
Developer and Project Lead for the AltimatOS open source project
Volunteer Developer for the KDE open source project
See http://www.altimatos.com/ and http://www.kde.org/ for more information
==========================================================================

Please avoid sending me Word or PowerPoint attachments.
Terry | 15 Jul 2009 19:04

Re: pam/winbind user not found problem

On Wed, Jul 15, 2009 at 12:01 PM, Gary Greene<greeneg <at> tolharadys.net> wrote:
> On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey <at> hotmail.com>
> wrote:
>> What is the best starter documentation on pam?
>> Save me a web search!
>>
>> -----Original Message-----
>> From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On
>> Behalf Of Terry
>> Sent: Wednesday, July 15, 2009 10:49 AM
>> To: pam-list <at> redhat.com
>> Subject: pam/winbind user not found problem
>>
>> Hello,
>>
>> Sorry for the generic subject. I am not sure how to classify the
>> problem more accurately.
>>
>> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
>> that uses pam.  Out of the box, it has this configuration file in
>> /etc/pam.d:
>> #%PAM-1.0
>> auth       include      system-auth
>> account    include      system-auth
>> password   include      system-auth
>>
>> My system auth contains this:
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>> auth        sufficient    pam_winbind.so use_first_pass
>> auth        required      pam_deny.so
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>> account     required      pam_permit.so
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>> use_authtok
>> password    sufficient    pam_winbind.so use_authtok
>> password    required      pam_deny.so
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session     required      pam_unix.so
>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>
>> SSH authentication with active directory accounts works just fine.
>> The usernames are formatted as DOMAIN+username.  However, they do not
>> work with this application for some reason.  The developer claims that
>> the formatting shouldn't be a problem with their app so I am double
>> checking here.   When I try to auth with the application, I get this
>> in /var/log/secure:
>>
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>> check pass; user unknown
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>> Jul 15 10:40:59 omadvdss01c DS-System[6827]:
>> pam_succeed_if(dssystem:auth): error retrieving information about user
>> DOMAIN+username
>>
>> Just to prove I can see that user, here is a 'getent passwd':
>> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>>
>> Any ideas?
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list <at> redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list <at> redhat.com
>> https://www.redhat.com/mailman/listinfo/pam-list
>
> You haven't got nscd running have you? If you do, turn it off. It causes
> weird auth issues with Winbind.

Thanks for the response. No, I disabled it.
Terry | 15 Jul 2009 20:10

Re: pam/winbind user not found problem

On Wed, Jul 15, 2009 at 12:04 PM, Terry<td3201 <at> gmail.com> wrote:
> On Wed, Jul 15, 2009 at 12:01 PM, Gary Greene<greeneg <at> tolharadys.net> wrote:
>> On 7/15/09 9:29 AM, "Landon M. Kelsey, III" <landonmkelsey <at> hotmail.com>
>> wrote:
>>> What is the best starter documentation on pam?
>>> Save me a web search!
>>>
>>> -----Original Message-----
>>> From: pam-list-bounces <at> redhat.com [mailto:pam-list-bounces <at> redhat.com] On
>>> Behalf Of Terry
>>> Sent: Wednesday, July 15, 2009 10:49 AM
>>> To: pam-list <at> redhat.com
>>> Subject: pam/winbind user not found problem
>>>
>>> Hello,
>>>
>>> Sorry for the generic subject. I am not sure how to classify the
>>> problem more accurately.
>>>
>>> I am running pam-0.99.6.2-4.el5 on RHEL 5.3.  I have an application
>>> that uses pam.  Out of the box, it has this configuration file in
>>> /etc/pam.d:
>>> #%PAM-1.0
>>> auth       include      system-auth
>>> account    include      system-auth
>>> password   include      system-auth
>>>
>>> My system auth contains this:
>>> auth        required      pam_env.so
>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>> auth        sufficient    pam_winbind.so use_first_pass
>>> auth        required      pam_deny.so
>>> account     required      pam_unix.so broken_shadow
>>> account     sufficient    pam_localuser.so
>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>> account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
>>> account     required      pam_permit.so
>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
>>> use_authtok
>>> password    sufficient    pam_winbind.so use_authtok
>>> password    required      pam_deny.so
>>> session     optional      pam_keyinit.so revoke
>>> session     required      pam_limits.so
>>> session     [success=1 default=ignore] pam_succeed_if.so service in
>>> crond quiet use_uid
>>> session     required      pam_unix.so
>>> session     required      pam_mkhomedir.so skel=/etc/skel umask=077
>>>
>>> SSH authentication with active directory accounts works just fine.
>>> The usernames are formatted as DOMAIN+username.  However, they do not
>>> work with this application for some reason.  The developer claims that
>>> the formatting shouldn't be a problem with their app so I am double
>>> checking here.   When I try to auth with the application, I get this
>>> in /var/log/secure:
>>>
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>>> check pass; user unknown
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]: pam_unix(dssystem:auth):
>>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> Jul 15 10:40:59 omadvdss01c DS-System[6827]:
>>> pam_succeed_if(dssystem:auth): error retrieving information about user
>>> DOMAIN+username
>>>
>>> Just to prove I can see that user, here is a 'getent passwd':
>>> DOMAIN+username:*:15000:15019:User Name:/home/DOMAIN/username:/bin/bash
>>>
>>> Any ideas?
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list <at> redhat.com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>>
>>> _______________________________________________
>>> Pam-list mailing list
>>> Pam-list <at> redhat.com
>>> https://www.redhat.com/mailman/listinfo/pam-list
>>
>> You haven't got nscd running have you? If you do, turn it off. It causes
>> weird auth issues with Winbind.
>
> Thanks for the response. No, I disable it.
>

I think I found the issue.  It was giving the users because of this:
auth        requisite     pam_succeed_if.so uid >= 500 quiet

I am not sure why either.  This should allow the conversation to
continue if the uid is greater than or equal to 500?  Well, this user
in question has a uid of 15000.  I'm reviewing the docs just to see
what I am missing.
Les Mikesell | 15 Jul 2009 21:37

Re: pam/winbind user not found problem

Terry wrote:
> 
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>
> 
> I think I found the issue.  It was giving the users because of this:
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> 
> I am not sure why either.  This should allow the conversation to
> continue if the uid is greater than or equal to 500?  Well, this user
> in question has a uid of 15000.  I'm reviewing the docs just to see
> what I am missing.

How is it supposed to know the uid of an account during the 'auth' phase 
if it is looking anywhere but a passwd file?  I think I've run into a 
similar problem using smb authentication for a web app with no account 
requirement and ended up removing that.

-- 
   Les Mikesell
    lesmikesell <at> gmail.com
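To see why the `requisite pam_succeed_if.so uid >= 500` line stops the stack before pam_winbind is ever consulted, here is a small simulator of Linux-PAM control-flag evaluation run over the system-auth `auth` stack quoted in this thread. It is an added example, not code from any of the posts; the control semantics follow pam.conf(5), while the per-module return values for the two scenarios are constructed (the "service_err" value stands in for whatever non-success code pam_succeed_if returns when the user lookup fails, as in the logged "error retrieving information about user" line).

```python
"""Simulate how Linux-PAM walks the 'auth' stack from the thread (added example)."""

# pam.conf(5) documents the keyword controls as these [value=action] forms.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_line(line):
    """Return (control_dict, module, args) for one pam.d line, keyword or [..] form."""
    _mtype, rest = line.split(None, 1)
    if rest.startswith("["):                     # e.g. [default=bad success=ok user_unknown=ignore]
        end = rest.index("]")
        control = dict(kv.split("=", 1) for kv in rest[1:end].split())
        rest = rest[end + 1:]
    else:
        keyword, rest = rest.split(None, 1)
        control = KEYWORDS[keyword]
    module, *args = rest.split()
    return control, module, args


def evaluate(stack, results):
    """Walk the stack; `results` maps module name -> the value it would return.

    Returns (final status, modules actually consulted).  Modules missing from
    `results` are assumed to return "success".
    """
    impression, status, consulted = "undef", None, []
    for control, module, _args in stack:
        rv = results.get(module, "success")
        consulted.append(module)
        action = control.get(rv, control.get("default", "bad"))
        if action == "ignore":
            continue
        if action not in ("ok", "bad", "done", "die"):
            raise ValueError("jump actions (%s) are not modelled here" % action)
        if impression != "fail":                 # a recorded failure is never overridden
            status = rv
            impression = "pass" if rv == "success" else "fail"
        if action in ("done", "die"):            # sufficient success / requisite failure
            break
    if impression == "undef":                    # nothing in the stack set a result
        status = "perm_denied"
    return status, consulted


AUTH_STACK = [parse_line(l) for l in """
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
""".strip().splitlines()]

# Constructed return values.  pam_deny always fails, so it is listed in both.
# LOGGED mirrors the /var/log/secure excerpt: pam_unix cannot find the user and
# pam_succeed_if cannot look the user up either.
LOGGED = {"pam_unix.so": "auth_err", "pam_succeed_if.so": "service_err", "pam_deny.so": "auth_err"}
# RESOLVED: the lookup works (uid 15000 >= 500) and winbind accepts the password.
RESOLVED = {"pam_unix.so": "auth_err", "pam_deny.so": "auth_err"}

if __name__ == "__main__":
    for name, results in (("logged", LOGGED), ("resolved", RESOLVED)):
        status, consulted = evaluate(AUTH_STACK, results)
        print("%-8s -> %-12s consulted: %s" % (name, status, ", ".join(consulted)))
```

In the logged scenario the requisite line returns the failure immediately, so pam_winbind never sees the request; once the lookup succeeds the walk reaches pam_winbind and its sufficient success ends the stack.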
