CA Web Helper Project
Intro
-----

This module provides password-less login authentication on local consoles based on X509 certificates and private keys stored on personal data holders such as USB sticks, Bluetooth mobile phones, etc.

Currently two methods of authentication are supported:

1. Provide the user certificate and private key in an auto-mountable location using supermount or automount. This can be a USB stick, floppy disk, CD, SD card or a more exotic device.
2. Provide the user certificate and private key through an rfcomm Bluetooth connection.

Why
---

I'm too lazy to remember passwords. OK, if you are logged in there are no problems: you can use ssh keys, you can use X509 authentication with telnet, ftp, http. You can even use different programs which will cache the password for you. This module eliminates the last place where you require your password.

Requirements
------------

1. PAM
2. OpenSSL

For Bluetooth support:

3. Bluez
4. OpenObex
5. ObexFTP

All this software can be found on SourceForge!

Arguments
---------

ca_dir=   - Directory with trusted Certificate Authority certificates
ca_file=  - File with the trusted Certificate Authority certificate chain (/opt/ssl/ca/chain.crt by default)
crl_dir=  - Directory with revocation lists (/opt/ssl/crl/ by default)
crl_file= - File with revocation lists
key_dir=  - Automountable directory containing user private keys and certificates
bluetooth - Enable Bluetooth authentication (slow)

Configuration Files
-------------------

/etc/x509.securetty - List of consoles on which password-less authentication is permitted. Similar to the standard /etc/securetty.

/etc/x509.config - X509 authentication configuration. The authentication code was taken from bsdftpd-ssl and the file has the same format as the bsdftpd-ssl /etc/x509.users file. For the format documentation please look in the bsdftpd folder with the original documentation.

/var/spool/x509/ - Temporary folder required for Bluetooth authentication. Group and others must not have any permissions on it.

Notes
-----

1. Encrypted private keys are also supported. In this case the standard password dialog will be used.
2. It's possible to autodetect the user name: just press Enter when prompted for the user name. But this is not supported by mingetty. Use agetty with the "-n" option, or (better) use my patch for mingetty (available in the patches directory).

Compilation
-----------

Set "bt=yes" in the Makefile to permit Bluetooth authentication; it is disabled by default. You can edit some default paths in the "sslauth.h" header file.

Installation
------------

Create the /etc/x509.securetty and /etc/x509.config files and the /var/spool/x509 directory. Then copy pam_x509.so to /lib/security. Finally insert the appropriate line in /etc/pam.d/login (do not put it in system-auth!!! That stack is shared by every PAM service on the machine, while this module is meant only for the local consoles listed in /etc/x509.securetty).

Related Projects
----------------

You can also look at the "Certificate Authority Web Helper" (http://sourceforge.net/projects/cawh/) project. It is intended to help maintain your certificate authority.

Configuration Examples
----------------------

1. /etc/x509.config

---- File Start -----
/CN:-r
---- File End -------

In this case a user who provides a valid, not expired and not revoked certificate will be able to log in under the user name corresponding to the commonName specified in his certificate.

2. /etc/x509.securetty

Can be linked to /etc/securetty to permit logins on the same consoles as for the root user.

3. /etc/pam.d/x509-auth

---- File Start -----
auth required /lib/security/pam_env.so
auth sufficient /root/3/pam_x509/pam_x509.so
auth required /lib/security/pam_deny.so
---- File End -------

(The pam_x509.so path above points at the author's build tree; after the Installation step above it is /lib/security/pam_x509.so.)

Afterwards you must add the following line to /etc/pam.d/login:

auth sufficient /lib/security/pam_stack.so service=x509-auth

In my Mandrake Linux 9.1 the whole file looks like this:

---- File Start -----
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_stack.so service=x509-auth
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
---- File End -------

In this case the system first tries to authenticate the user with an X509 certificate and private key pair. If that fails, the user is prompted for a password and the standard authentication is used. (pam_stack.so is specific to Red Hat-derived distributions of that era; current Linux-PAM provides the "include" and "substack" controls for the same purpose.)

Note
----

This module can also be used not to simplify the user's life but for stronger defence. For example you can require users to present their certificate/key pair and then ask for a password: change the "pam_stack.so service=x509-auth" line in /etc/pam.d/login from "sufficient" to "required". The certificate check must then succeed, and the system-auth password check still runs after it.

4. /etc/fstab

---- File Start -----
none /mnt/auth supermount dev=/dev/sda,fs=vfat,ro,--,iocharset=utf8,umask=0777 0 0
---- File End -------

This line provides automounting support for USB sticks. Some comments:

/mnt/auth - Default location where the module checks for certificates and private keys.
dev=/dev/sda - I haven't any SCSI devices on this PC, so my USB stick is recognized as /dev/sda.
umask=0777 - It's very important!!! This location must not be seen by other users!!! (With umask=0777 every permission bit is masked off, so the mounted files are mode 000 and readable only by root, which is what the module needs, since it runs inside the root-owned login process.)

SECURITY NOTE
-------------

You may want to keep certificates and keys not in the root directory but in some subdirectory, for example /mnt/auth/mycerts. Don't do it!!! It's very insecure. For example, if you hold your keys on the server in the directory /home/me/secinfo and a very evil hacker knows about it, he can make mycerts a link to /home/me/secinfo and successfully log in under your credentials. The mount point itself cannot be replaced by whoever holds the stick, but a subdirectory on the stick can be a symlink, and the module, running as root, would follow it into the host filesystem.

5. OK, now you must put your certificate and key on your USB stick in the root directory with names "
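The checks behind the /etc/x509.config example (valid, not expired, not revoked, login name taken from the commonName) and the SECURITY NOTE about symlinked subdirectories, reproduced with the openssl command line as an added example. This is not pam_x509's own code: the CA, the user certificate, the CRL, the "openssl ca" configuration and the directory layout are constructed test data in a scratch directory that stands in for /opt/ssl/ca, /opt/ssl/crl and /mnt/auth, and the function names are mine.

```shell
#!/bin/bash
# Added example, not pam_x509's own code: the checks the module has to make
# before a certificate found on the stick is accepted for login, done with the
# openssl CLI. Everything under $WORK is constructed test data: $CA_DIR stands
# in for /opt/ssl/ca (chain.crt) and /opt/ssl/crl, $STICK for /mnt/auth.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR=$WORK/ca
STICK=$WORK/stick
mkdir -p "$CA_DIR" "$STICK"

# Minimal "openssl ca" configuration: just enough to revoke a certificate and
# issue a CRL (database + CRL number file; everything else is defaulted).
write_ca_config() {
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca
[ test_ca ]
database         = $CA_DIR/index.txt
crlnumber        = $CA_DIR/crlnumber
default_md       = sha256
default_crl_days = 1
EOF
}

issue_crl() {
  openssl ca -config "$CA_DIR/ca.cnf" -cert "$CA_DIR/chain.crt" \
      -keyfile "$CA_DIR/ca.key" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Throwaway CA, one user certificate (CN=alice) signed by it, and an empty CRL.
make_test_pki() {
  write_ca_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
      -keyout "$CA_DIR/ca.key" -out "$CA_DIR/chain.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
      -keyout "$STICK/key.pem" -out "$WORK/alice.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/alice.csr" -CA "$CA_DIR/chain.crt" \
      -CAkey "$CA_DIR/ca.key" -CAcreateserial -days 1 \
      -out "$STICK/cert.pem" 2>/dev/null &&
  issue_crl
}

# Put the user certificate on the CRL and publish a fresh CRL.
revoke_user_cert() {
  openssl ca -config "$CA_DIR/ca.cnf" -cert "$CA_DIR/chain.crt" \
      -keyfile "$CA_DIR/ca.key" -revoke "$STICK/cert.pem" 2>/dev/null &&
  issue_crl
}

# Check 1 (ca_file / crl_file): the certificate chains to a trusted CA, is
# inside its validity period and is not on the CRL. Exit status 0 = accepted.
cert_is_valid() {
  openssl verify -CAfile "$CA_DIR/chain.crt" -crl_check \
      -CRLfile "$CA_DIR/crl.pem" "$1" >/dev/null 2>&1
}

# Check 2: the private key next to the certificate is the one the certificate
# was issued for (same public key); otherwise a copied certificate plus any
# key of the attacker's choosing would do.
key_matches_cert() {
  local from_cert from_key
  from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Check 3: the "/CN:-r" rule in x509.config, i.e. log in as the commonName.
# The real module must still confirm that such a local account exists.
login_name_from_cert() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
      sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# Check 4 (SECURITY NOTE): refuse a key directory that contains any symlink,
# so a stick cannot point the root-privileged module at keys on the host.
key_dir_is_safe() {
  local entry
  for entry in "$1"/* "$1"/.*; do
    [ -L "$entry" ] && return 1
  done
  return 0
}

make_test_pki
echo "login name from certificate: $(login_name_from_cert "$STICK/cert.pem")"
cert_is_valid "$STICK/cert.pem" && echo "certificate accepted before revocation"
revoke_user_cert
cert_is_valid "$STICK/cert.pem" || echo "certificate rejected after revocation"
```

The order of the checks matters less than their completeness: a certificate that verifies but whose key does not match proves nothing, and a CRL that is never consulted makes revocation meaningless. The real module does the chain and CRL work with the OpenSSL library rather than the CLI, and since it runs inside the root-owned login process, the umask=0777 mount from example 4 does not get in its way.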