National Center for Supercomputing Applications MyProxy Credential Management Service University of Illinois at Urbana-Champaign


PAM stands for Pluggable Authentication Modules. Via PAM, MyProxy can be configured to use an external authentication mechanism -- such as local accounts, a remote LDAP server, or one-time passwords -- instead of using credential encryption passphrases to verify identity.

PAM is available (and integral to security) in most Unix-like operating systems, including Solaris, Linux, and the BSDs. In addition to the mechanisms mentioned here, PAM modules exist for a huge variety of authentication mechanisms (lists of available modules are published for Linux and FreeBSD) as well as security-related auxiliary functions such as logging and blacklisting.

Many PAM modules will only run as root, so it is recommended to run the myproxy-server as root when using PAM.

For step-by-step instructions on installing MyProxy and Globus Toolkit, see Grid Security from Scratch with MyProxy.

Verifying PAM Support is Available

PAM support was added in MyProxy v2.0 (8 Jun 2005). You can verify if PAM support was compiled in to the myproxy-server by looking for "PAM" in the version string:

  $ myproxy-server -V
  myproxy-server version MYPROXYv2 (v3.4 19 Dec 2005 PAM)

If "PAM" is missing from the version string, this indicates that your system did not provide the needed PAM files for building MyProxy's PAM support. MyProxy requires either /usr/include/security/pam_appl.h or /usr/include/pam/pam_appl.h to be installed for compiling PAM support. If they are not found, MyProxy will build without PAM support. On RedHat Linux, you may need to install the pam-devel package to provide the needed file. You can then re-install MyProxy with PAM support by following the upgrade instructions.

Using PAM with the MyProxy CA

MyProxy can be configured to act as a Certificate Authority to issue credentials to users authenticated via PAM. For more information, please see the MyProxy CA documentation.

Unencrypted Credentials

When using PAM for authentication to retrieve credentials stored in the MyProxy repository, it is simplest to store unencrypted credentials, via the --no_passphrase argument (equivalent to -n) to myproxy-init or myproxy-admin-adduser. That way, the PAM password can change independently of MyProxy and users' stored credentials.

If credentials are encrypted, and MyProxy's PAM policy is set to required, as explained below, then the encryption passphrase must match the PAM password, or else MyProxy will not be able to retrieve the credentials.

Limitations of MyProxy's PAM Support

PAM is a very broad and flexible system, and MyProxy only uses a narrow piece of it: single password authentication. Specifically, MyProxy does not support:

Multiple challenges and responses (Bug 292)

PAM modules can issue multiple "challenges", the most typical of which is a password challenge. MyProxy responds to only two prompts: username and password. It guesses which is which based on simple heuristics: for the username prompt, it sets PAM's PAM_USER_PROMPT setting and then looks for a prompt that matches; for the password prompt, it simply looks for a prompt for which ECHO is turned off (PAM_PROMPT_ECHO_OFF).
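The two-prompt behaviour described above, as an added simulation that is not MyProxy's own code: the client answers a username prompt that matches the PAM_USER_PROMPT it set and the first echo-off prompt with the password, and any further challenge fails the conversation. The Message type, the exact-match rule for the username prompt and the sample prompt sequences are assumptions of this example; the numeric constants are Linux-PAM values.

```python
"""Added example (not MyProxy's own code): a simulation of the two-prompt PAM
conversation heuristic described in the text.

MyProxy answers only a username prompt (matched against the PAM_USER_PROMPT it
sets) and the first PAM_PROMPT_ECHO_OFF prompt (the password); anything else
that demands an answer cannot be satisfied. The Message type, the exact-match
rule for the username prompt and the sample prompts are assumptions made for
this example; the numeric constants are Linux-PAM values.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Message styles from <security/pam_appl.h> (Linux-PAM values)
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4

# Return codes (Linux-PAM values)
PAM_SUCCESS = 0
PAM_CONV_ERR = 19

# The value this simulated client sets as PAM_USER_PROMPT (assumption)
USER_PROMPT = "MyProxy login: "


@dataclass
class Message:
    style: int   # one of the PAM_* styles above
    text: str    # prompt or informational text shown by the module


def myproxy_conv(messages: List[Message], username: str, password: str,
                 user_prompt: str = USER_PROMPT) -> Tuple[int, List[Optional[str]]]:
    """Answer one batch of PAM messages the way the text says MyProxy does.

    Returns (status, responses); responses[i] answers messages[i], with None
    for informational or error messages that need no answer. A second hidden
    prompt or any unrecognised echo-on prompt yields PAM_CONV_ERR, which is
    how an extra challenge (e.g. a one-time-code step after the password)
    fails under this client.
    """
    responses: List[Optional[str]] = []
    password_answered = False
    for msg in messages:
        if msg.style == PAM_PROMPT_ECHO_ON and msg.text == user_prompt:
            responses.append(username)              # the username prompt
        elif msg.style == PAM_PROMPT_ECHO_OFF and not password_answered:
            responses.append(password)              # the one password prompt
            password_answered = True
        elif msg.style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            responses.append(None)                  # nothing to answer
        else:
            return PAM_CONV_ERR, []                 # cannot satisfy this prompt
    return PAM_SUCCESS, responses


if __name__ == "__main__":
    # Constructed prompt sequences, each a batch a module stack might send
    plain = [Message(PAM_PROMPT_ECHO_OFF, "Password: ")]
    two_step = [Message(PAM_PROMPT_ECHO_OFF, "Password: "),
                Message(PAM_PROMPT_ECHO_OFF, "One-time code: ")]
    print(myproxy_conv(plain, "alice", "s3cret"))     # (0, ['s3cret'])
    print(myproxy_conv(two_step, "alice", "s3cret"))  # (19, [])
```

The practical consequence: a PAM stack that works for an interactive login (where the user can answer a second prompt) may still fail under MyProxy, so a module that issues more than one hidden prompt should be tested with pamtester before it is relied on.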

PAM Sessions

PAM has facilities for starting and stopping a login "session", which MyProxy does not use. Instead, MyProxy simply authenticates and then terminates the PAM connection. The MyProxy equivalent to a PAM session is the duration of the proxy certificates that it issues, as specified by --proxy_lifetime or -t in myproxy-logon and max_proxy_lifetime in myproxy-server.config.

Configuring MyProxy

By default, PAM support is disabled in MyProxy. To enable it, modify myproxy-server.config, which is usually in /etc or $GLOBUS_LOCATION/etc. It has two fields that are relevant to PAM configuration:

pam
    PAM policy. Possible values are:
    disabled (default)
        PAM is ignored, and MyProxy uses its normal passphrase authentication.
    sufficient
        Allows PAM and normal MyProxy authentication to coexist. The passphrase may match either the PAM password or the user's credential passphrase -- either is sufficient for authentication. The user's credentials may be either unencrypted or encrypted. If they are encrypted, then PAM is irrelevant for that user -- only the encryption passphrase matters.
    required
        The username and passphrase must pass PAM authentication. The user's credentials may be either unencrypted or encrypted. If they are encrypted, it must be with the PAM password.
pam_id
    The application ID that MyProxy presents to PAM, which determines the configuration file or block that PAM will use. By default, the value is myproxy, but you can piggyback MyProxy on another application's PAM configuration by changing it. For example, using login will typically cause MyProxy to require the same authentication as logging onto the MyProxy server itself.

Configuring PAM

The simplest way to test PAM with MyProxy is to set pam_id to an existing PAM client, such as login or sshd. MyProxy will then have the same authentication requirements as that application.

The pamtester utility program can also be very helpful in testing a PAM configuration before using it with MyProxy.

To configure PAM specifically for MyProxy, one minimal option is to include only two lines: one each for authentication and account verification. The examples below use local accounts for authentication and should work under most Unix-like OSes.

  • Most systems use multiple PAM config files, usually in /etc/pam.d, one for each PAM client. You can create a file at /etc/pam.d/myproxy:

    auth       required	pam_unix.so
    account    required	pam_unix.so
    

    If you have changed MyProxy's pam_id in myproxy-server.config, change the name of the above file to be /etc/pam.d/<pam_id>.

  • If your system uses a single PAM config file, usually at /etc/pam.conf, add these lines to it (the only difference from the standalone config file is the addition of myproxy at the start of each line):

    myproxy	auth       required	pam_unix.so
    myproxy	account    required	pam_unix.so
    

    If you have changed MyProxy's pam_id in myproxy-server.config, replace myproxy with <pam_id>.

The above example uses local accounts. Many other PAM modules are generally available in Unixes and Linux distributions, including OpenLDAP (PAM library pam_ldap.so) and FreeRADIUS (pam_radius.so).
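Before pointing myproxy-server at a PAM stack, it helps to see exactly which lines apply to the pam_id and what they enforce. The following is an added example, not MyProxy or Linux-PAM code: it parses both layouts described above (a per-service /etc/pam.d/<pam_id> file and the single /etc/pam.conf) and flags stacks that check less than they appear to, such as an account stage handled by pam_permit.so. The sample configurations embedded in it are constructed for this example.

```python
"""Added example (not MyProxy or Linux-PAM code): parse the PAM stack that
applies to MyProxy's pam_id from either layout the text describes, the
per-service /etc/pam.d/<pam_id> file or the single /etc/pam.conf, and report
what the stack actually enforces. Sample configurations are constructed.
"""
from typing import List, Tuple

Entry = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def parse_pam_stack(text: str, service: str = "myproxy",
                    single_file: bool = False) -> List[Entry]:
    """Return the entries for one service.

    single_file=False parses a per-service file (type control module args).
    single_file=True parses /etc/pam.conf layout, where the service name is
    the first column, and keeps only the lines for `service`.
    """
    stack: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if single_file:
            if fields[0].lower() != service.lower():
                continue
            fields = fields[1:]
        # A bracketed control such as [success=ok default=bad] contains
        # spaces, so rejoin it into one field before splitting the rest.
        if len(fields) > 1 and fields[1].startswith("[") and not fields[1].endswith("]"):
            end = next((i for i, f in enumerate(fields) if f.endswith("]")), None)
            if end is None:
                raise ValueError(f"unterminated control bracket: {raw!r}")
            fields = [fields[0], " ".join(fields[1:end + 1])] + fields[end + 1:]
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        stack.append((mtype.lower(), control.lower(), module, args))
    return stack


def lint_stack(stack: List[Entry]) -> List[str]:
    """Flag stacks that verify less than their shape suggests."""
    findings: List[str] = []
    types = {entry[0] for entry in stack}
    if "auth" not in types:
        findings.append("no auth entries: password checks will always fail")
    if "account" not in types:
        findings.append("no account entries: locked or expired accounts are never checked")
    for mtype, control, module, args in stack:
        if module == "pam_permit.so":
            findings.append(f"{mtype} stage is pam_permit.so: it always succeeds, "
                            f"so no {mtype} verification is done")
        if mtype == "auth" and module == "pam_unix.so" and "nullok" in args:
            findings.append("pam_unix.so nullok: accounts with empty passwords can authenticate")
    return findings


# Constructed /etc/pam.d/myproxy using the LDAP module
PAMD_LDAP = """\
# constructed /etc/pam.d/myproxy
auth       required  pam_ldap.so
account    required  pam_ldap.so
"""

# Constructed /etc/pam.conf holding several services
PAMCONF = """\
# constructed /etc/pam.conf
sshd     auth     required   pam_unix.so
myproxy  auth     sufficient pam_krb5.so no_user_check validate
myproxy  account  sufficient pam_permit.so
login    account  [success=ok default=bad] pam_unix.so
"""

if __name__ == "__main__":
    for name, text, single in (("pam.d", PAMD_LDAP, False), ("pam.conf", PAMCONF, True)):
        stack = parse_pam_stack(text, single_file=single)
        print(name, stack)
        for finding in lint_stack(stack) or ["no findings"]:
            print("  -", finding)
```

Run against the Kerberos-style stack in PAMCONF, the lint reports that the account stage is pam_permit.so, i.e. a valid Kerberos password is accepted without any account-status check; the LDAP stack, which uses pam_ldap.so for both stages, produces no findings.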

Appendix: Sample Configurations

LDAP Sample Configuration

Debugging LDAP: to test your LDAP configuration, try ldapsearch.

  1. LDAP is usually configured in /etc/ldap.conf or /etc/openldap/ldap.conf. For more complete documentation, see OpenLDAP.org or man ldap.conf. Here is a sample minimal ldap.conf:

    host example.com
    base o=hr,dc=example,dc=com
    pam_password md5
    ssl on
    
    host example.com
    The hostname of the LDAP server.
    base o=hr,dc=example,dc=com
    Search base: the space the LDAP server should search in for user accounts. This example implies the HR organization within example.com.
    pam_password md5
    Send an MD5 hash of the password over the network to the LDAP server rather than the password itself. May vary from server to server.
    ssl on
    Use SSL to encrypt communication with the server. Some servers will not use SSL, in which case you should comment out this line, and others may use TLS instead. Elsewhere in the config file, you can also specify a server certificate trust base, which allows the PAM module to securely verify the server's identity.

  2. If your system uses multiple PAM config files in /etc/pam.d, here is a minimal file that you can place at /etc/pam.d/myproxy:

    auth       required	pam_ldap.so
    account    required	pam_ldap.so
    

    If, on the other hand, your system uses a single /etc/pam.conf, add these lines to it:

    myproxy	auth       required	pam_ldap.so
    myproxy	account    required	pam_ldap.so
    
  3. Edit myproxy-server.config, usually at /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config, to enable PAM. Uncomment the pam line and set it to either required or sufficient:

    pam "sufficient"
    

RADIUS Sample Configuration

  1. RADIUS can be configured in /etc/raddb/server. For more complete documentation, see an external source such as FreeRADIUS.org.

  2. If your system uses multiple PAM config files in /etc/pam.d, here is a minimal file that you can place at /etc/pam.d/myproxy:

    auth sufficient pam_radius_auth.so passtoupper
    account sufficient pam_permit.so
    

    If, on the other hand, your system uses a single /etc/pam.conf, add these lines to it:

    myproxy auth sufficient pam_radius_auth.so passtoupper
    myproxy account sufficient pam_permit.so
    
  3. Edit myproxy-server.config, usually at /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config, to enable PAM. Uncomment the pam line and set it to either required or sufficient:

    pam "sufficient"
    

Kerberos Sample Configuration

  1. Configure /etc/krb5.conf as appropriate for your Kerberos setup and install a Kerberos host key in /etc/krb5.keytab. For more information about Kerberos, visit the MIT Kerberos and/or Heimdal Kerberos sites.

  2. If your system uses multiple PAM config files in /etc/pam.d, here is a minimal file that you can place at /etc/pam.d/myproxy:

    auth sufficient pam_krb5.so no_user_check validate
    account sufficient pam_permit.so
    

    If, on the other hand, your system uses a single /etc/pam.conf, add these lines to it:

    myproxy auth sufficient pam_krb5.so no_user_check validate
    myproxy account sufficient pam_permit.so
    
  3. Edit myproxy-server.config, usually at /etc/myproxy-server.config or $GLOBUS_LOCATION/etc/myproxy-server.config, to enable PAM. Uncomment the pam line and set it to either required or sufficient:

    pam "sufficient"
    

Last modified 10/16/14.
©2000-2014 Board of Trustees of the University of Illinois.