Configuring Pam_P11

PAM configuration files are stored in the /etc/pam.d/ directory.

Let us have a look at the common-session configuration file:

$ cat /etc/pamd.d/common-auth

This displays:

$ # here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# end of pam-auth-update config

As of pam 1.0.1-6, this file is managed by pam-auth-update by default.

To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules.

pam-config mechanism stores templates in /usr/share/pam-configs.

Let us explore this directory:

$ ls /usr/share/pam-configs

consolekit gnome-keyring unix

Now we simply create a template for pam_p11 login.
Create an empty file /usr/share/pam-configs/p11 and add:

Name: Pam_p11
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so

To regenerate PAM configuration files, we need to execute:

$ pam-auth-update

A Debian configuration dialog is displayed:

Make sure 'Unix authentication' is enabled, otherwise there is a risk to lose the ability to connect using passwords.

Enable 'libpam-p11' and disable 'libpam-pkcs11' to avoid a separate access system using smart cards.

Let us have a look at the common-session configuration file:

$ cat /etc/pam.d/common-auth

This displays:

$ here are the per-package modules (the "Primary" block)
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Notice the line:

auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so

auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass

Bookmark/Search this post with

Learn how to buy without VAT. Read our shipping policies. Validate your account using SMS to allow shipping small items at low price.

Feitian PKI: 12.90€

Buy the FEITIAN PKI card for only 12.90€. We ship to any European-Union country starting from 0.90 €. Learn more ...

Feitian ePass PKI token: 34.90€

Discover the best token for GNU/Linux, Mac OS X and Windows. Full support from OpenSC free software solutions, no proprietary driver needed.

PIN code security.
RSA keys up to 2048bit.
Standard X.509 v3 certificates.
On-board RSA DES 3DES SHA1.
Both PKCS#11 and MS-CAPI.
64K user space.
Compatible with: Iceweasel, Firefox, Evolution, Seahorse, OpenSSL, OpenSSH, PAM P11 and PAM PKCS11 authentication modules, Strongswan, Putty CAC, WinSCP, LoopAES, Truecrypt, etc...
Tested with online CAs like CaCert.org and StartSSL.

Buy the FEITIAN ePass PKI token for only 34.90€ ... 30 day satisfied or cash back.

Fast delivery
Order placed on GOOZE before 15:00 are shipped the same day. Orders placed after 15:00 are shipped next business day.

Apply for a free FEITIAN PKI card

GOOZE and FEITIAN are happy to donate 20 Feitian PKI cards to Free Software projects. If your project meets certain criteria, please apply for a free card.

Translating GOOZE

GOOZE is being translated into French. Thank you for your patience!

Configuring Pam_P11

Catalog

My account

Upcoming events

Feitian PKI: 12.90€

Feitian ePass PKI token: 34.90€

Apply for a free FEITIAN PKI card

Translating GOOZE