From f88c608e75b9c886efd15317feae806fa620346b Mon Sep 17 00:00:00 2001
From: Kalev Lember
Date: Feb 19 2020 07:39:27 +0000
Subject: Blocked in koji since Fedora 25

---
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index e34e60f..0000000
--- a/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-pam_pkcs11-0.6.2.tar.gz
-/pam_pkcs11-0.6.8-63451e9.tar.gz
-/pam_pkcs11-0.6.8-1cbb55e.tar.gz
diff --git a/dead.package b/dead.package
new file mode 100644
index 0000000..595431f
--- /dev/null
+++ b/dead.package
@@ -0,0 +1 @@
+Blocked in koji since Fedora 25
diff --git a/pam_pkcs11-0.6.2-login_required.patch b/pam_pkcs11-0.6.2-login_required.patch
deleted file mode 100644
index c8c8963..0000000
--- a/pam_pkcs11-0.6.2-login_required.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -up ./src/common/pkcs11_lib.c.login_required ./src/common/pkcs11_lib.c
---- ./src/common/pkcs11_lib.c.login_required 2010-03-18 17:45:38.091458000 -0700
-+++ ./src/common/pkcs11_lib.c 2010-03-18 17:48:24.498131000 -0700
-@@ -662,6 +662,16 @@ int pkcs11_login(pkcs11_handle_t *h, cha
- return (rv == SECSuccess) ? 0 : -1;
- }
- 
-+int get_slot_login_required(pkcs11_handle_t *h)
-+{
-+ if (h->slot == NULL) {
-+ DBG("Login failed: No Slot selected");
-+ return -1;
-+ }
-+
-+ return PK11_NeedLogin(h->slot);
-+}
-+
- int close_pkcs11_session(pkcs11_handle_t *h)
- {
- if (h->slot) {
diff --git a/pam_pkcs11-0.6.2-pcsc-lite.patch b/pam_pkcs11-0.6.2-pcsc-lite.patch
deleted file mode 100644
index 990c6c2..0000000
--- a/pam_pkcs11-0.6.2-pcsc-lite.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ./src/tools/card_eventmgr.c.pcsc-lite ./src/tools/card_eventmgr.c
---- ./src/tools/card_eventmgr.c.pcsc-lite 2009-09-02 05:32:55.000000000 -0700
-+++ ./src/tools/card_eventmgr.c 2010-09-09 09:43:29.178974000 -0700
-@@ -311,7 +311,7 @@ static void signal_trap(int sig)
- int main(int argc, char *argv[]) {
- int current_reader;
- LONG rv;
-- SCARD_READERSTATE_A *rgReaderStates_t = NULL;
-+ SCARD_READERSTATE *rgReaderStates_t = NULL;
- DWORD dwReaders, dwReadersOld;
- LPSTR mszReaders = NULL;
- char *ptr, **readers = NULL;
diff --git a/pam_pkcs11-fix-crypto-cflags.patch b/pam_pkcs11-fix-crypto-cflags.patch
deleted file mode 100644
index 3230fe6..0000000
--- a/pam_pkcs11-fix-crypto-cflags.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up pam_pkcs11-1cbb55e3d4154715de191a44df76ae92810c8598/configure.ac.fix_crypto_cflags pam_pkcs11-1cbb55e3d4154715de191a44df76ae92810c8598/configure.ac
---- pam_pkcs11-1cbb55e3d4154715de191a44df76ae92810c8598/configure.ac.fix_crypto_cflags 2016-02-05 13:01:17.996106535 -0500
-+++ pam_pkcs11-1cbb55e3d4154715de191a44df76ae92810c8598/configure.ac 2016-02-05 13:01:27.371901228 -0500
-@@ -157,7 +157,7 @@ fi
- AM_CONDITIONAL(HAVE_NSS, test x$with_nss = xyes)
- if test "$with_nss" = "yes"
- then
-- CRYPTO_CFLAGS="${NSS_CFLAGS}-DHAVE_NSS"
-+ CRYPTO_CFLAGS="${NSS_CFLAGS} -DHAVE_NSS"
- CRYPTO_LIBS=${NSS_LIBS}
- else
- CRYPTO_CFLAGS=${OPENSSL_CFLAGS}
diff --git a/pam_pkcs11.spec b/pam_pkcs11.spec
deleted file mode 100644
index 8869d7b..0000000
--- a/pam_pkcs11.spec
+++ /dev/null
@@ -1,374 +0,0 @@
-%global nss_version 3.10
-%global nspr_version 4.6
-%global with_curl 1
-%global with_ldap 1
-
-# commit for 0.6.8
-%global commit 1cbb55e3d4154715de191a44df76ae92810c8598
-%global shortcommit %(c=%{commit}; echo ${c:0:7})
-
-Name: pam_pkcs11
-Version: 0.6.8
-Release: 8%{?dist}
-Summary: PKCS #11/NSS PAM login module
-License: LGPLv2+
-URL: https://github.com/OpenSC/pam_pkcs11/
-Source0: https://github.com/OpenSC/pam_pkcs11/archive/%{commit}/%{name}-%{version}-%{shortcommit}.tar.gz
-Source1: rh_pam_pkcs11.conf
-Source2: rh_pkcs11_eventmgr.conf
-Patch0: pam_pkcs11-fix-crypto-cflags.patch
-
-BuildRequires: pam-devel
-%{?with_ldap:BuildRequires: openldap-devel}
-%{?with_curl:BuildRequires: curl-devel}
-BuildRequires: openssl-devel
-BuildRequires: libxslt
-BuildRequires: docbook-style-xsl
-BuildRequires: nss-devel >= %{nss_version}
-BuildRequires: nspr-devel
-BuildRequires: pcsc-lite-devel
-BuildRequires: pkgconfig
-BuildRequires: intltool
-BuildRequires: gettext
-BuildRequires: autoconf, automake, libtool
-
-%description
-This Linux-PAM login module allows a X.509 certificate based user
-authentication. The certificate and its dedicated private key are thereby
-accessed by means of an appropriate PKCS #11 module. For the
-verification of the users' certificates, locally stored CA
-certificates as well as either online or locally accessible CRLs and
-OCSP are used. This version uses NSS to validate the Certificates and manage
-the PKCS #11 smartCards.
-Additional included pam_pkcs11 related tools -- pkcs11_eventmgr: Generate actions on card insert/removal/timeout events -- pklogin_finder: Get the loginname that maps to a certificate -- pkcs11_inspect: Inspect the contents of a certificate - -%prep -%setup -q -n %{name}-%{commit} -%patch0 -p1 -b .fix-crypto-cflags -autoreconf -ifv - -%build - -%if %{with_curl} -%global curl_flags --with-curl=yes -%else -%global curl_flags --with-curl=no -%endif - -%if %{with_ldap} -%global ldap_flags --with-ldap=yes -%else -%global ldap_flags --with-ldap=no -%endif -%configure \ - --with-nss \ - --with-debug \ - --disable-dependency-tracking \ - %{curl_flags} %{ldap_flags} -make CFLAGS="$RPM_OPT_FLAGS -ggdb3" V=1 - -%install -make install DESTDIR=$RPM_BUILD_ROOT -rm -f $RPM_BUILD_ROOT/%{_libdir}/%{name}/*.*a -# -# pam security directory is in /%{_lib} not %{_libdir} -# -mkdir -p $RPM_BUILD_ROOT/%{_lib}/security -install -m 755 $RPM_BUILD_ROOT/%{_libdir}/security/%{name}.so $RPM_BUILD_ROOT/%{_lib}/security -rm -rf $RPM_BUILD_ROOT/%{_libdir}/security -# -# set up config files -# -install -dm 755 $RPM_BUILD_ROOT/%{_sysconfdir}/%{name} -install -m 644 %{SOURCE1} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/%{name}.conf -install -m 644 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/%{name}/pkcs11_eventmgr.conf -# -# clean up those files that aren't part of this package -# (makefile should install them if --without-pcsclite is supplied -# -#rm -f $RPM_BUILD_ROOT/%{_bindir}/card_eventmgr -#rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/card_eventmgr.1 -#rm -f $RPM_BUILD_ROOT/%{_datadir}/doc/%{name}/card_eventmgr.conf.example - -# nss version does not need this script -rm -f $RPM_BUILD_ROOT/%{_bindir}/make_hash_link.sh -rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/pkcs11_make_hash_link.1 - -# package the examples in the doc directory directly. 
-rm -rf $RPM_BUILD_ROOT/%{_docdir}/%{name} - -%find_lang %{name} - -%files -f %{name}.lang -%license COPYING -%doc AUTHORS README TODO ChangeLog NEWS -%doc doc/pam_pkcs11.html -%doc doc/mappers_api.html -%doc doc/README.autologin -%doc doc/README.mappers -%doc etc/*.example -%dir %{_sysconfdir}/%{name}/ -%config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf -%config(noreplace) %{_sysconfdir}/%{name}/pkcs11_eventmgr.conf -%{_bindir}/pkcs11_make_hash_link -%{_bindir}/pkcs11_eventmgr -%{_bindir}/pklogin_finder -%{_bindir}/pkcs11_inspect -%{_bindir}/pkcs11_setup -%{_bindir}/card_eventmgr -%{_bindir}/pkcs11_listcerts -%dir %{_libdir}/%{name} -%{_libdir}/%{name}/*.so -/%{_lib}/security/%{name}.so -%{_mandir}/man8/%{name}.8.gz -%{_mandir}/man1/pkcs11_eventmgr.1.gz -%{_mandir}/man1/pkcs11_inspect.1.gz -%{_mandir}/man1/pkcs11_listcerts.1.gz -%{_mandir}/man1/pkcs11_setup.1.gz -%{_mandir}/man1/pklogin_finder.1.gz -%{_mandir}/man1/card_eventmgr.1.gz - -%changelog -* Fri Feb 5 2016 Tom Callaway - 0.6.8-8 -- fix CRYPTO_CFLAGS - -* Thu Feb 04 2016 Fedora Release Engineering - 0.6.8-7 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild - -* Wed Jul 8 2015 Tom Callaway - 0.6.8-6 -- fix conditionals to actually work -- update to latest 0.6.8 git code - -* Thu Jun 18 2015 Fedora Release Engineering - 0.6.8-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - -* Sat Feb 21 2015 Till Maas - 0.6.8-4 -- Rebuilt for Fedora 23 Change - https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code - -* Sun Aug 17 2014 Fedora Release Engineering - 0.6.8-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild - -* Fri Jun 06 2014 Fedora Release Engineering - 0.6.8-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild - -* Fri Feb 21 2014 Tom Callaway - 0.6.8-1 -- update to 0.6.8 -- cleanup spec file - -* Sat Aug 03 2013 Fedora Release Engineering - 0.6.2-11 -- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild - -* Thu Feb 14 2013 Fedora Release Engineering - 0.6.2-10 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Fri Jul 20 2012 Fedora Release Engineering - 0.6.2-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Fri Jan 13 2012 Fedora Release Engineering - 0.6.2-8 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild - -* Thu Feb 10 2011 Bob Relyea - 0.6.2-7 -- Update code to accept new pcsc-lite defines - -* Tue Feb 08 2011 Fedora Release Engineering - 0.6.2-6 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Sun May 2 2010 Bob Relyea - 0.6.2-5 -- Sigh, ocsp should be off by default - -* Sun May 2 2010 Bob Relyea - 0.6.2-4 -- update config file - -* Fri Mar 19 2010 Bob Relyea - 0.6.2-3 -- fix missing function - -* Tue Jan 5 2010 Bob Relyea - 0.6.2-2 -- Pick up the latest pam_pkcs11 from upstream - -* Tue Jan 5 2010 Bob Relyea - 0.6.2-1 -- Pick up the latest pam_pkcs11 from upstream - -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Sat Jul 25 2009 Fedora Release Engineering - 0.5.3-29 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Thu Feb 26 2009 Fedora Release Engineering - 0.5.3-28 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Sat Nov 8 2008 Michael Schwendt - 0.5.3-27 -- Include missing directory entries (#233895). - -* Tue Feb 19 2008 Fedora Release Engineering - 0.5.3-26 -- Autorebuild for GCC 4.3 - -* Mon Aug 20 2007 Bob Relyea - 0.5.3-25 -- Update License description to the new Fedora standard - -* Thu Mar 08 2007 Florian La Roche - 0.5.3-24 -- remove empty rpm scripts - -* Fri Oct 13 2006 Jesse Keating - 0.5.3-23 -- turn OCSP off by default - -* Sun Oct 01 2006 Jesse Keating - 0.5.3-22 -- rebuilt for unwind info generation, broken in gcc-4.1.1-21 - -* Mon Sep 18 2006 Robert Relyea 0.5.3-21 -- update password supported patch. 
-- fix bug where the user and smart card prompt was coming up in login after - the username had been entered. -- use pam_ignore for the case where we always want to drop to the other - pam_modules. -- add environment variables for the certificate used to authenticate. - -* Mon Sep 18 2006 Robert Relyea 0.5.3-20 -- Use pam_syslog rather than syslog (patch by Tmraz). -- Signal to the user that change password is not supported by pam_pkcs11. - -* Thu Sep 14 2006 Robert Relyea 0.5.3-19 -- Fix problem where pin was not being passed in the pam password variable - correctly. Needed for Kerberos PKInit - -* Wed Sep 13 2006 Robert Relyea 0.5.3-18 -- define those apps that we shouldn't login initially with (screen-savers) - -* Tue Sep 12 2006 Robert Relyea 0.5.3-17 -- restrict reauthentication to the token used in the inital login. -- don't require reauthentication apps to log into a token if the user - didn't initally log into the token. -- handle the case where we have more than one token. - -* Thu Sep 7 2006 Robert Relyea 0.5.3-16 -- make sure we have l10n tools for the build itself - -* Fri Sep 1 2006 Robert Relyea 0.5.3-15 -- add l10n support -- correct mapper order. -- login should allow SSL Client Auth certs rather than restricting to Email - Signing certs. - -* Mon Aug 28 2006 Robert Relyea 0.5.3-14 -- use implicit paths to load the PKCS #11 module - -* Mon Aug 28 2006 Tomas Mraz -- pkcs11_setup should respect $LIB in module paths (#204252) - -* Mon Aug 28 2006 Robert Relyea 0.5.3-13 -- Fix the default mapping order. -- Make ocsp support controlled by a config entry. 
-- Fix login crash -- revert to explicit paths until we can fix 'login' and 'authconfig' - -* Mon Aug 28 2006 Robert Relyea 0.5.3-12 -- use $LIB so the config file works for multi archs on the -- same machine - -* Mon Aug 21 2006 Robert Relyea 0.5.3-11 -- Handle library paths in config file - -* Wed Aug 16 2006 Robert Relyea 0.5.3-10 -- remove sceventd - -* Mon Jul 24 2006 Ray Strode 0.5.3-9 -- compile with better debugging flags - -* Sun Jul 23 2006 Ray Strode 0.5.3-8 -- fix bug where it was ignoring first argument of module - command line - -* Sun Jul 23 2006 Ray Strode 0.5.3-7 -- add new wait_for_card option that stalls auth process - until a card is inserted -- if the user is reauthenticating (already logged in, but - say unlocking the screen) then only treat the token the - user logged in with as a valid authentication token -- clean up "smart card" word. Before we had a mix of - "smartcard", "Smart Card", "SmartCard", and "smart card" - i think. -- only say "Please insert your smart card." instead of - "Please insert your Smart Card or enter username" if - username based login isn't allowed. - -* Thu Jul 20 2006 Robert Relyea 0.5.3-6 -- Include the login token in the environment -- Conditionally turn on OCSP -- Treat uninitialized tokens as not present. - -* Tue Jul 18 2006 Tomas Mraz 0.5.3-5 -- added a simple pkcs11_setup tool - -* Tue Jul 18 2006 Robert Relyea -- Fix memory error in card_only. -- Use the TEXT_INFO field for smart card prompting - -* Mon Jul 17 2006 Jesse Keating 0.5.3-4 -- rebuild - -* Sat Jun 10 2006 Robert Relyea 0.5.3-3 -- Updated to 0.5.3 with card_only and NSS support - -* Thu Apr 20 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-2.exp -- Added screenlocking helper support - -* Thu Mar 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-1.exp -- Added NSS support. - -* Mon Jan 30 2006 Robert Relyea < rrelyea at redhat.com > 0:0.5.1.-0.demo -- include coolkey support -- added card_only option. 
- -* Wed Sep 7 2005 Juan Antonio Martinez 0:0.4.4-2 -- New pkcs11_eventmgr app in "tools" package - -* Thu Feb 24 2005 Juan Antonio Martinez 0:0.4.4-1 -- Fix pcsc-lite dependencies - -* Tue Feb 15 2005 Juan Antonio Martinez 0:0.4.4-0 -- Update to 0.4.4b2 - -* Sun Sep 12 2004 Ville Skyttä - 0:0.3b-0.fdr.1 -- Update to 0.3b. -- Disable dependency tracking to speed up the build. - -* Tue May 4 2004 Ville Skyttä - 0:0.3-0.fdr.1 -- Update to 0.3. -- Do not use libcurl by default; rebuild using "--with curl" to use it. - -* Mon Mar 29 2004 Ville Skyttä - 0:0.2-0.fdr.1 -- Update to 0.2. -- Use libcurl by default; rebuild using "--without curl" to disable. - -* Wed Jan 21 2004 Ville Skyttä - 0:0.1-0.fdr.0.2.beta5 -- Add the user_mapping config file. - -* Mon Jan 19 2004 Ville Skyttä - 0:0.1-0.fdr.0.1.beta5 -- First build. diff --git a/rh_pam_pkcs11.conf b/rh_pam_pkcs11.conf deleted file mode 100644 index de9808e..0000000 --- a/rh_pam_pkcs11.conf +++ /dev/null 
@@ -1,280 +0,0 @@
-#
-# Configuration file for pam_pkcs11 module
-#
-# Version 0.4
-# Author: Juan Antonio Martinez
-#
-pam_pkcs11 {
- # Allow empty passwords
- nullok = true;
-
- # Enable debugging support.
- debug = false;
-
- # If the smart card is inserted, only use it
- card_only = true;
-
- # Do not prompt the user for the passwords but take them from the
- # PAM_ items instead.
- use_first_pass = false;
-
- # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
- # is unset.
- try_first_pass = false;
-
- # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
- # previously set (intended for stacking password modules only).
- use_authtok = false;
-
- # Filename of the PKCS #11 module. The default value is "default"
- use_pkcs11_module = coolkey;
-
- screen_savers = gnome-screensaver,xscreensaver,kscreensaver
-
- pkcs11_module coolkey {
- module = libcoolkeypk11.so;
- description = "Cool Key"
- # Slot-number to use. One for the first, two for the second and so
- # on. The default value is zero which means to use the first slot
- # with an available token.
- slot_num = 0;
-
- # Path to the directory where the CA certificates are stored. The
- # directory must contain an openssl hash-link to each certificate.
- # The default value is /etc/pam_pkcs11/cacerts.
- ca_dir = /etc/pam_pkcs11/cacerts;
- nss_dir = /etc/pki/nssdb;
-
- # Path to the directory where the CRLs are stored. The directory
- # must contain an openssl hash-link to each CRL. The default value
- # is /etc/pam_pkcs11/crls.
- crl_dir = /etc/pam_pkcs11/crls;
-
- # Sets the Certificate verification policy.
- # "none" Performs no verification
- # "ca" Does CA check
- # "crl_online" Downloads the CRL form the location given by the
- # CRL distribution point extension of the certificate
- # "crl_offline" Uses the locally stored CRLs
- # "crl_auto" Is a combination of online and offline; it first
- # tries to download the CRL from a possibly given CRL
- # distribution point and if this fails, uses the local
- # CRLs
- # "ocsp_on" Turn on OCSP.
- # "signature" Does also a signature check to ensure that private
- # and public key matches
- # You can use a combination of ca,crl, and signature flags, or just
- # use "none".
- cert_policy=ca, signature;
- }
-
- pkcs11_module opensc {
- module = opensc-pkcs11.so;
- description = "OpenSC PKCS#11 module";
- # Slot-number to use. One for the first, two for the second and so
- # on. The default value is zero which means to use the first slot
- # with an available token.
- slot_num = 0;
-
- # Path to the directory where the CA certificates are stored. The
- # directory must contain an openssl hash-link to each certificate.
- # The default value is /etc/pam_pkcs11/cacerts.
- ca_dir = /etc/pam_pkcs11/cacerts;
-
- # Path to the directory where the CRLs are stored. The directory
- # must contain an openssl hash-link to each CRL. The default value
- # is /etc/pam_pkcs11/crls.
- crl_dir = /etc/pam_pkcs11/crls;
-
- # set the certificate policy
- cert_policy=ca, signature;
-
- }
-
- # Default pkcs11 module
- pkcs11_module default {
- module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
- description = "Default pkcs#11 module";
- slot_num = 0;
- ca_dir = /etc/pam_pkcs11/cacerts;
- crl_dir = /etc/pam_pkcs11/crls;
- cert_policy=ca, signature;
- }
-
- # Which mappers ( Cert to login ) to use?
- # you can use several mappers: - # - # subject - Cert Subject to login file based mapper - # pwent - CN to getpwent() login or gecos fields mapper - # ldap - LDAP mapper - # opensc - Search certificate in ${HOME}/.eid/authorized_certificates - # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys - # mail - Compare email fields from certificate - # ms - Use Microsoft Universal Principal Name extension - # krb - Compare againts Kerberos Principal Name - # cn - Compare Common Name (CN) - # uid - Compare Unique Identifier - # digest - Certificate digest to login (mapfile based) mapper - # generic - User defined certificate contents mapped - # null - blind access/deny mapper - # - # You can select a comma-separated mapper list. - # If used null mapper should be the last in the list :-) - # Also you should select at least one mapper, otherwise - # certificate will not match :-) - use_mappers = cn, uid, pwent, null; - - # When no absolute path or module info is provided, use this - # value as module search path - # TODO: - # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH - mapper_search_path = /usr/$LIB/pam_pkcs11; - - # - # Generic certificate contents mapper - mapper generic { - debug = true; - module = /usr/$LIB/pam_pkcs11/generic_mapper.so; - # ignore letter case on match/compare - ignorecase = false; - # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" - cert_item = cn; - # Define mapfile if needed, else select "none" - mapfile = file:///etc/pam_pkcs11/generic_mapping - # Decide if use getpwent() to map login - use_getpwent = false; - } - - # Certificate Subject to login based mapper - # provided file stores one or more "Subject -> login" lines - mapper subject { - debug = false; - # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; - module = internal; - ignorecase = false; - mapfile = file:///etc/pam_pkcs11/subject_mapping; - } - - # Search public keys from $HOME/.ssh/authorized_keys to match users - 
mapper openssh { - debug = false; - module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; - } - - # Search certificates from $HOME/.eid/authorized_certificates to match users - mapper opensc { - debug = false; - module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; - } - - # Certificate Common Name ( CN ) to getpwent() mapper - mapper pwent { - debug = false; - ignorecase = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; - } - - # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" - mapper null { - debug = false; - # module = /usr/$LIB/pam_pkcs11/null_mapper.so; - module = internal ; - # select behavior: always match, or always fail - default_match = false; - # on match, select returned user - default_user = nobody ; - } - - # Directory ( ldap style ) mapper - mapper ldap { - debug = false; - module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; - # where base directory resides - basedir = /etc/pam_pkcs11/mapdir; - # hostname of ldap server - ldaphost = "localhost"; - # Port on ldap server to connect - ldapport = 389; - # Scope of search: 0 = x, 1 = y, 2 = z - scope = 2; - # DN to bind with. Must have read-access for user entries under "base" - binddn = "cn=pam,o=example,c=com"; - # Password for above DN - passwd = "test"; - # Searchbase for user entries - base = "ou=People,o=example,c=com"; - # Attribute of user entry which contains the certificate - attribute = "userCertificate"; - # Searchfilter for user entry. Must only let pass user entry for the login user. 
- filter = "(&(objectClass=posixAccount)(uid=%s))" - } - - # Assume common name (CN) to be the login - mapper cn { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; - ignorecase = true; - mapfile = file:///etc/pam_pkcs11/cn_map; - } - - # mail - Compare email field from certificate - mapper mail { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; - # Declare mapfile or - # leave empty "" or "none" to use no map - mapfile = file:///etc/pam_pkcs11/mail_mapping; - # Some certs store email in uppercase. take care on this - ignorecase = true; - # Also check that host matches mx domain - # when using mapfile this feature is ignored - ignoredomain = false; - } - - # ms - Use Microsoft Universal Principal Name extension - # UPN is in format login@ADS_Domain. No map is needed, just - # check domain name. - mapper ms { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; - ignorecase = false; - ignoredomain = false; - domain = "domain.com"; - } - - # krb - Compare againts Kerberos Principal Name - mapper krb { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # uid - Maps Subject Unique Identifier field (if exist) to login - mapper uid { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; - ignorecase = false; - mapfile = "none"; - } - - # digest - elaborate certificate digest and map it into a file - mapper digest { - debug = false; - module = internal; - # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; - # algorithm used to evaluate certificate digest - # Select one of: - # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" - algorithm = "sha1"; - mapfile = file:///etc/pam_pkcs11/digest_mapping; - # mapfile = "none"; - } - -} diff --git a/rh_pkcs11_eventmgr.conf b/rh_pkcs11_eventmgr.conf deleted file mode 100644 index 27d6cdc..0000000 
--- a/rh_pkcs11_eventmgr.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-# Sample pkcs11_eventmgr configuration file
-#
-pkcs11_eventmgr {
-
- # Run in background? Implies debug=false if true
- daemon = true;
-
- # show debug messages?
- debug = false;
-
- # polling time in seconds
- polling_time = 1;
-
- # expire time in seconds
- # default = 0 ( no expire )
- expire_time = 0;
-
- # pkcs11 module to use
- pkcs11_module = /usr/$LIB/libcoolkeypk11.so;
-
- #
- # list of events and actions
-
- # Card inserted
- event card_insert {
- # what to do if an action fail?
- # ignore : continue to next action
- # return : end action sequence
- # quit : end program
- on_error = ignore ;
-
- # You can enter several, comma-separated action entries
- # they will be executed in turn
- #action = "/usr/sbin/gdm-safe-restart",
- # "/usr/X11R6/bin/xscreensaveer-command -deactivate";
- action = "/usr/sbin/gdm-safe-restart";
- }
-
- # Card has been removed
- event card_remove {
- on_error = ignore;
- #action = "/usr/sbin/gdm-safe-restart",
- # "/usr/X11R6/bin/xscreensaveer-command -lock";
- action = "/usr/sbin/gdm-safe-restart";
- }
-
- # Too much time card removed
- event expire_time {
- on_error = ignore;
- action = "/bin/false";
- }
-}
diff --git a/sources b/sources
deleted file mode 100644
index 18a6646..0000000
--- a/sources
+++ /dev/null
@@ -1 +0,0 @@
-053e13939b84a58be457a879cb77744e pam_pkcs11-0.6.8-1cbb55e.tar.gz