/pam_myproxy

pam module to obtain a proxy delegation from a myproxy store. Actual authentication needs to be done by another pam module

Primary LanguageCApache License 2.0Apache-2.0

This software is designed for GNU/Linux with glibc 2.1 or later.

Summary:      PAM module to obtain a proxy delegation from a myproxy store.
Author:       Mischa Sall\'e, msalle (at) nikhef (dot) nl
License:      Apache 2
Dependencies: OpenSSL

Description:  Provides a PAM module that can obtain a proxy delegation from a
              MyProxy service. The user should store his credentials using
              his/her DN as username and a password. The PAM module will ask for
              the MyProxy password and either store a proxy delegation plus
              private key in memory for a next PAM module, or write it to disk
              as PEM file.
              This PEM file can be used to do actual authentication via e.g.
              LCMAPS with the planned pam_lcmapsd module.
              Currently implemented interfaces are:
                pam_sm_authenticate     - retrieves proxy from MyProxy using DN
                                          (username) and password
                pam_sm_acct_mgmt        - idem
                pam_sm_setcred          - sets filename as X509_USER_PROXY in
                                          user environment or removes file and
                                          corresponding data and env variable
                pam_sm_open_session     - sets filename in user environment
                pam_sm_close_session    - removes file and corresponding data
                                          and env variable X509_USER_PROXY
              Options can be given either on the pam commandline or in a config
              file which can be specified on the pam commandline.
              Valid options:
                config      - only on commandline: specifies path of config file
                capath      - as understood by openssl
                cafile      - idem
                hostcert    - idem (corresponding to clientcert)
                hostkey     - idem
                myproxyhost - MyProxy service hostaddress
                myproxyport - MyProxy service port (default 7512)
                proxyfmt    - formatstring for proxy filename, a %d is
                              replaced by the active username, it should end
                              with XXXXXX following mkstemp()
                              (default /tmp/x509up_XXXXXX)
                writeproxy  - 0 don't write proxy, non-zero write proxy
                              (default 1)
                lifetime    - proxy lifetime in seconds (should be less than 1
                              billion, default 43200L)
                keysize     - bitsize of keys (default 2048)
                intern_env  - whether to use the pam environment to pass data
                              from pam_sm_authenticate or pam_sm_account to
                              pam_sm_setcred or pam_sm_open_session. This is
                              needed for use with OpenSSH (default 1, i.e. yes).

Example:      E.g.:
                auth     optional     pam_myproxy.so config=/etc/security/pam_myproxy.conf myproxyhost=px.grid.sara.nl

Notes:        Actual authentication needs to be done by another pam module.