NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | FILES | SEE ALSO | NOTES
/usr/lib/security/pam_smartcard.so
The Smart Card service module for PAM, /usr/lib/security/pam_smartcard.so, provides functionality for PAM smart card authentication. The pam_smartcard.so module is a shared object that can be dynamically loaded to provide the necessary functionality upon demand. Its path is specified in the PAM configuration file pam.conf.
The Smart Card authentication component provides functions to verify the identity of a smart card user, pam_sm_authenticate(3PAM).
The pam_sm_authenticate() function collects the user input, such as user name, PIN, password, and related authentication tokens. It passes this data, except the password, to its underlying layer, OCF, to perform card-based authentication. The password is passed from the smart card module to a user-specified PAM module (see the password option below). That PAM module compares the password, whether entered by the user or downloaded from the card, with the password it associates with the user. If all the authentication steps succeed, the user is authenticated and this module returns PAM_SUCCESS.
The following options may be passed to the Smart Card service module:

debug
    syslog(3C) debugging information at LOG_DEBUG level.

nowarn
    Turn off warning messages.

verbose
    Turn on verbose authentication failure reporting to the user.

password=pam_client_name
    Specify the name of the PAM client to use when password authentication is required. This is the name that will be used in the call to pam_start(3PAM) made from inside the pam_smartcard module. The appropriate entries for that client name must exist in /etc/pam.conf to use this facility. The default value of this option is smartcard_unix.
The following pam.conf entries illustrate the use of the password option:
service         type   ctrl-flag   Module_path                            Options
dtlogin         auth   required    /usr/lib/security/pam_smartcard.so.1   password=smartcard_unix
smartcard_unix  auth   required    /usr/lib/security/pam_unix.so.1        use_first_pass

This example shows that when pam_smartcard needs to perform a password authentication, it registers with PAM as the client name smartcard_unix; PAM in turn uses the pam_unix(5) module to perform the password authentication and returns the result to pam_smartcard. The use_first_pass option on the smartcard_unix entry makes pam_unix reuse the password that pam_smartcard already collected instead of prompting the user again.
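The delegation above only works if the client name given by the password option has its own auth stack in pam.conf; otherwise the password step has nothing to call. The following script, an added example and not part of pam_smartcard or Solaris, parses pam.conf entries in the five-column layout shown above and reports every pam_smartcard auth entry whose password client has no auth entries, or whose client stack omits use_first_pass. The sample pam.conf, the module file names and the extra `login` service are constructed for this example.

```python
"""Check that every pam_smartcard auth entry in pam.conf delegates password
authentication to a PAM client name that actually has an auth stack.

Assumptions (constructed for this example): the five-column Solaris
pam.conf layout (service type control-flag module-path options), the
module file names from the man page's example, and that the delegated
stack carries use_first_pass so the password collected by pam_smartcard
is reused rather than prompted for again."""

from collections import defaultdict

DEFAULT_CLIENT = "smartcard_unix"   # default of the password= option per the man page

# Constructed sample: the dtlogin/smartcard_unix pair from the man page plus
# a 'login' entry whose password= target has no auth entries of its own.
SAMPLE_PAM_CONF = """\
# service      type  ctrl-flag  module_path                           options
dtlogin        auth  required   /usr/lib/security/pam_smartcard.so.1  password=smartcard_unix
smartcard_unix auth  required   /usr/lib/security/pam_unix.so.1       use_first_pass
login          auth  required   /usr/lib/security/pam_smartcard.so.1  password=sc_login
"""


def parse_pam_conf(text):
    """Split pam.conf text into entries; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append({"service": fields[0], "type": fields[1], "flag": fields[2],
                        "module": fields[3], "options": fields[4:]})
    return entries


def password_client(entry):
    """Client name pam_smartcard will hand to pam_start() for password auth."""
    for opt in entry["options"]:
        if opt.startswith("password="):
            return opt.split("=", 1)[1]
    return DEFAULT_CLIENT


def audit_smartcard_delegation(text):
    """Return a list of findings; an empty list means every delegation resolves."""
    entries = parse_pam_conf(text)
    auth_stacks = defaultdict(list)
    for e in entries:
        if e["type"] == "auth":
            auth_stacks[e["service"]].append(e)

    findings = []
    for e in entries:
        if e["type"] != "auth" or "pam_smartcard" not in e["module"]:
            continue
        client = password_client(e)
        stack = auth_stacks.get(client)
        if not stack:
            findings.append(f"{e['service']}: password client '{client}' has no auth "
                            f"entries in pam.conf; password authentication cannot run")
            continue
        if not any("use_first_pass" in s["options"] for s in stack):
            findings.append(f"{e['service']}: client '{client}' does not use "
                            f"use_first_pass, so the password pam_smartcard collected "
                            f"will not be reused")
    return findings


if __name__ == "__main__":
    for finding in audit_smartcard_delegation(SAMPLE_PAM_CONF):
        print("WARN", finding)
```

Run against the real file with `audit_smartcard_delegation(open("/etc/pam.conf").read())`; on the sample it reports only the constructed `login` service, whose client `sc_login` has no auth stack.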
This module lets you specify the number of retries a user is allowed when entering an invalid password or an invalid PIN. To set the retry values, edit the /etc/default/login file and add or modify the appropriate parameter. See FILES.
Values can be set for the following retry parameters in the file /etc/default/login. If a parameter is not specified, the default value is used.
Sets the number of invalid password retries allowed. The default is 0.
Sets the number of invalid PIN retries allowed. The default is 0.
The interfaces in libpam are MT-Safe only if each thread within the multithreaded application uses its own PAM handle.