-
Notifications
You must be signed in to change notification settings - Fork 0
/
pam_pcsc_cr.8
95 lines (94 loc) · 2.94 KB
/
pam_pcsc_cr.8
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
.\"Copyright (c) 2013 Eugene Crosser
.\"
.\"This software is provided 'as-is', without any express or implied
.\"warranty. In no event will the authors be held liable for any damages
.\"arising from the use of this software.
.\"
.\"Permission is granted to anyone to use this software for any purpose,
.\"including commercial applications, and to alter it and redistribute it
.\"freely, subject to the following restrictions:
.\"
.\" 1. The origin of this software must not be misrepresented; you must
.\" not claim that you wrote the original software. If you use this
.\" software in a product, an acknowledgment in the product documentation
.\" would be appreciated but is not required.
.\"
.\" 2. Altered source versions must be plainly marked as such, and must
.\" not be misrepresented as being the original software.
.\"
.\" 3. This notice may not be removed or altered from any source
.\" distribution.
.\"
.TH PAM_PCSC_CR 8 "18 Dec 2013" PAM_PCSC_CR PAM_PCSC_CR
.SH NAME
pam_pcsc_cr \- Module for challenge-response authentication
.SH SYNOPSYS
.B pam_pcsc_cr.so [options]
.SH DESCRIPTION
This is a PAM module for crypto-token based authentication.
It only provides authentication component, the rest are stubs.
The module uses the contents of the auth file created with the
.B pam_cr_setup
command and optionally a password provided by the user to construct
challenge that is sent to the crypto-token over
.B pcsclite
framework. The token's response is used to decipher the encrypted part
of the file. If decryption is successful, then the extracted shared
secret is used to produce ithe expected response to the future
(different) challenge, encrypted again with the expected response,
and stowed into the file. Additional payload that was decrypted on
the way is optionally injected into the PAM framework as AUTH_TOKEN
to be later used by keyring-unlocking module.
.SH OPTIONS
.B verbose
\- write more error messages to syslog.
.PP
.B noaskpass
\- do not try to ask the user for the challenge password, use empty
string for the password.
.PP
.B injectauth
\- inject payload as PAM_AUTHTOK for the benefit of subsequent PAM modules.
.PP
.B path=<string>
\- template used to find the file.
.PP
.B backend:key=value
\- option specific to the crypto-token. At present, only Yubikey Neo
crypto-token is supported, and the only option is
.B ykneo:slot=[1|2].
.PP
.SH "MODULE TYPES PROVIDED"
.PP
All module types (\fBaccount\fR,
\fBauth\fR,
\fBpassword\fR
and
\fBsession\fR) are provided, but only \fBauth\fR is not a stub\&.
.SH "RETURN VALUES"
.PP
PAM_SUCCESS on successful authentication, error indication otherwise.
.RE
.SH "EXAMPLES"
.PP
An example usage for
/etc/pam\&.d/login
would be:
.sp
.if n \{\
.RS 4
.\}
.nf
# Authenticate the user
auth required pam_pcsc_cr\&.so injectauth
.fi
.if n \{\
.RE
.\}
.sp
.SH COPYRIGHT
2013 Eugene G. Crosser
.br
Released under zlib Open Source license.
.SH SEE ALSO
.BR pam "(3), "ykpersonalize "(1), "pam_cr_setup "(8)