PAM Module

Yale PAM client distribution

The Yale CAS client distribution includes a PAM module (pam_cas) suitable for CAS-authenticating a PAM-aware service such as an IMAP server: the client presents a CAS ticket in place of a password, and the module validates that ticket against the CAS server before letting the login succeed.

esup-portail PAM client distribution

Esup-portail also distributes an enhanced version of the PAM module.

Documentation is available here.

The following are what I believe to be some of the enhancements present in the esup-portail module beyond what is available in Yale PAM_CAS, as of the time of this writing. If this characterization can be made more accurate, please comment upon or edit this Wiki page. However, it is to be expected that esup-portail's documentation of their PAM module is always going to be more up-to-date and authoritative than this Wiki page.

  • improved debugging
  • certificate management: only the top-level (root) certificate of the Certificate Authority that issued the CAS server certificate needs to be configured
  • Parameters are written in a configuration file (rather than being compiled in):
example pam file:
auth sufficient /lib/security/pam_cas.so -simap://imap.univ.fr -f/etc/pam_cas.conf

Here -s gives the service URL the ticket must have been issued for (the value the CAS server compares against when validating) and -f the path of the configuration file. With the sufficient control flag, a successful CAS validation on its own satisfies the auth stack for that service, so the module should be placed deliberately relative to the other auth lines.
example /etc/pam_cas.conf:
# sample pam_cas config

# hostname of the CAS server. Mandatory.
host auth.univ.fr

# port of the CAS server. Defaults to 80 or 443, depending on the ssl setting.
port 443

# URI used to validate the ticket. Defaults to /proxyValidate.
uriValidate /proxyValidate

# use https or not. Values: on or off. Defaults to on.
ssl on

# debug logging: on or off. Debug output goes to syslog at level LOG_DEBUG. Defaults to off.
debug off

# proxy (or proxies) allowed to deliver proxy tickets for this service.
# If no proxy line is given, pam_cas does not check the proxy chain at all,
# i.e. a ticket obtained through any proxy is accepted; list the trusted ones.
# There may be several proxy lines.
proxy https://etumel.univ-nancy2.fr/cas/casProxy.php
proxy https://ent1.univ-nancy2.fr/CasProxyServlet
proxy https://ent2.univ-nancy2.fr/CasProxyServlet
proxy https://ent3.univ-nancy2.fr/CasProxyServlet
proxy https://esupdev1.univ-nancy2.fr/julien/CasProxyServlet

# trusted_ca: mandatory if ssl is on.
# A file in PEM format; it may contain several certificates.
# If the CAS server certificate is self-signed, the file must contain that certificate.
# If the certificate is issued by a Certificate Authority, the file must contain
#    the top-level CA certificate.
trusted_ca /Cert/ac-racine.pem
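To make concrete what the configuration above drives, here is an added Python example (written for this wiki page, not code from the Yale or esup-portail pam_cas sources) of the three steps a pam_cas-style client performs: parse a pam_cas.conf, build the /proxyValidate request over TLS pinned to trusted_ca, and apply the checks to the CAS 2.0 XML response. The config text, ticket, user name jdupont and the XML responses are constructed; the rule that every hop of the proxy chain must appear in the proxy list, and the rule that cas:user must equal the PAM login name, are assumptions stated in the comments.

```python
"""Added example of pam_cas-style ticket validation (not the module's own code)."""
import ssl
import urllib.parse
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"   # namespace of CAS 2.0 responses

# Constructed config in the format shown on this page.
SAMPLE_CONF = """\
# sample pam_cas config
host auth.univ.fr
port 443
uriValidate /proxyValidate
ssl on
debug off
proxy https://ent1.univ-nancy2.fr/CasProxyServlet
proxy https://ent2.univ-nancy2.fr/CasProxyServlet
trusted_ca /Cert/ac-racine.pem
"""


def parse_conf(text):
    """Parse the key/value format: '#' comments, one 'key value' per line;
    'proxy' may repeat and accumulates into a list."""
    cfg = {"port": None, "uriValidate": "/proxyValidate", "ssl": "on",
           "debug": "off", "proxy": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed line: %r" % raw)
        key, value = parts
        if key == "proxy":
            cfg["proxy"].append(value)
        else:
            cfg[key] = value
    if "host" not in cfg:
        raise ValueError("host is mandatory")
    if cfg["ssl"] == "on" and "trusted_ca" not in cfg:
        raise ValueError("trusted_ca is mandatory when ssl is on")
    if cfg["port"] is None:
        cfg["port"] = "443" if cfg["ssl"] == "on" else "80"
    return cfg


def validate_url(cfg, service, ticket):
    """URL the module fetches. 'service' must be the same -s value the
    ticket was issued for, or the CAS server rejects the ticket."""
    scheme = "https" if cfg["ssl"] == "on" else "http"
    query = urllib.parse.urlencode({"service": service, "ticket": ticket})
    return "%s://%s:%s%s?%s" % (scheme, cfg["host"], cfg["port"],
                                cfg["uriValidate"], query)


def ssl_context(cfg):
    """TLS context trusting only the trusted_ca bundle (the system store is
    not loaded when cafile is given), so the answer really comes from CAS."""
    return ssl.create_default_context(cafile=cfg["trusted_ca"])


def check_response(xml_text, expected_user, allowed_proxies):
    """Apply the checks to a /proxyValidate response. Returns (ok, detail).
    The stdlib expat parser does not fetch external entities."""
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        failure = root.find(CAS_NS + "authenticationFailure")
        code = failure.get("code") if failure is not None else "UNKNOWN"
        return False, "CAS failure: " + code
    user_el = success.find(CAS_NS + "user")
    user = (user_el.text or "").strip() if user_el is not None else ""
    # Assumption: the ticket must belong to the account being logged in,
    # otherwise any valid ticket would open any mailbox.
    if user != expected_user:
        return False, "user mismatch: CAS says %r" % user
    proxies = [p.text.strip() for p in success.iter(CAS_NS + "proxy")]
    # Assumption (strict reading of the config comment): when a proxy list
    # is configured, every hop of the chain must be on it.
    if allowed_proxies:
        bad = [p for p in proxies if p not in allowed_proxies]
        if bad:
            return False, "untrusted proxy in chain: " + bad[0]
    return True, user


# Constructed CAS 2.0 responses in the format the protocol defines.
OK_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdupont</cas:user>
    <cas:proxies>
      <cas:proxy>https://ent1.univ-nancy2.fr/CasProxyServlet</cas:proxy>
    </cas:proxies>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
ROGUE_PROXY_RESPONSE = OK_RESPONSE.replace("ent1.univ-nancy2.fr", "evil.example.org")
FAIL_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-1234-abc not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    cfg = parse_conf(SAMPLE_CONF)
    print(validate_url(cfg, "imap://imap.univ.fr", "PT-1234-abc"))
    for label, resp in (("good", OK_RESPONSE), ("rogue", ROGUE_PROXY_RESPONSE),
                        ("fail", FAIL_RESPONSE)):
        print(label, check_response(resp, "jdupont", cfg["proxy"]))
```

The two rejections worth noticing are the user mismatch and the untrusted proxy: a module that only checks for cas:authenticationSuccess would accept any user's ticket for any mailbox, and one that leaves the proxy list empty accepts a chain through any proxy, exactly the situation the "If no proxy" comment in the config describes.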

Thanks to Vincent Mathieu for writing on the CAS discussion list on this point. His email seeded this Wiki page.