GitHub - msalle/pam_myproxy: pam module to obtain a proxy delegation from a myproxy store. Actual authentication needs to be done by another pam module

1 Branch 0 Tags

Name	Name	Last commit message	Last commit date
Latest commit msalle Fix NULL pointer strdups. Jul 12, 2012 0cc2554 · Jul 12, 2012 History 9 Commits
LICENSE	LICENSE	Major update: now fully functional, adding LICENSE and README	Jun 22, 2012
Makefile.am	Makefile.am	Major update: now fully functional, also adding LICENSE and README	Jun 22, 2012
README	README	Reworked internal structure, to allow other PAM stacks.	Jul 12, 2012
bootstrap	bootstrap	Initial checkin for PAM MyProxy module	Jun 18, 2012
configure.ac	configure.ac	Major update: now fully functional, also adding LICENSE and README	Jun 22, 2012
myproxy_client.c	myproxy_client.c	Numerous improvements and bugfixes:	Jun 29, 2012
myproxy_client.h	myproxy_client.h	Major update: now fully functional, also adding LICENSE and README	Jun 22, 2012
pam_myproxy.c	pam_myproxy.c	Fix NULL pointer strdups.	Jul 12, 2012
pam_myproxy.h	pam_myproxy.h	Reworked internal structure, to allow other PAM stacks.	Jul 12, 2012
pam_myproxy_opts.c	pam_myproxy_opts.c	Numerous improvements and bugfixes:	Jun 29, 2012
testclient.c	testclient.c	Numerous improvements and bugfixes:	Jun 29, 2012

Repository files navigation

This software is designed for GNU/Linux with glibc 2.1 or later.

Summary:      PAM module to obtain a proxy delegation from a myproxy store.
Author:       Mischa Sall\'e, msalle (at) nikhef (dot) nl
License:      Apache 2
Dependencies: OpenSSL

Description:  Provides a PAM module that can obtain a proxy delegation from a
              MyProxy service. The user should store his credentials using
              his/her DN as username and a password. The PAM module will ask for
              the MyProxy password and either store a proxy delegation plus
              private key in memory for a next PAM module, or write it to disk
              as PEM file.
              This PEM file can be used to do actual authentication via e.g.
              LCMAPS with the planned pam_lcmapsd module.
              Currently implemented interfaces are:
                pam_sm_authenticate     - retrieves proxy from MyProxy using DN
                                          (username) and password
                pam_sm_acct_mgmt        - idem
                pam_sm_setcred          - sets filename as X509_USER_PROXY in
                                          user environment or removes file and
                                          corresponding data and env variable
                pam_sm_open_session     - sets filename in user environment
                pam_sm_close_session    - removes file and corresponding data
                                          and env variable X509_USER_PROXY
              Options can be given either on the pam commandline or in a config
              file which can be specified on the pam commandline.
              Valid options:
                config      - only on commandline: specifies path of config file
                capath      - as understood by openssl
                cafile      - idem
                hostcert    - idem (corresponding to clientcert)
                hostkey     - idem
                myproxyhost - MyProxy service hostaddress
                myproxyport - MyProxy service port (default 7512)
                proxyfmt    - formatstring for proxy filename, a %d is
                              replaced by the active username, it should end
                              with XXXXXX following mkstemp()
                              (default /tmp/x509up_XXXXXX)
                writeproxy  - 0 don't write proxy, non-zero write proxy
                              (default 1)
                lifetime    - proxy lifetime in seconds (should be less than 1
                              billion, default 43200L)
                keysize     - bitsize of keys (default 2048)
                intern_env  - whether to use the pam environment to pass data
                              from pam_sm_authenticate or pam_sm_account to
                              pam_sm_setcred or pam_sm_open_session. This is
                              needed for use with OpenSSH (default 1, i.e. yes).

Example:      E.g.:
                auth     optional     pam_myproxy.so config=/etc/security/pam_myproxy.conf myproxyhost=px.grid.sara.nl

Notes:        Actual authentication needs to be done by another pam module.