pam_gate is a PAM authentication module for the gate-sso project. It is heavily inspired by pam-http from Kragen Sitaker, and we forked it from Jameson Little's repo, https://github.com/beatgammit/pam-http. Since it has diverged so much in functionality and has started moving towards a different, curl-based password authentication, we moved it into a new repo; there is no way this will be going back there. Most of the original repo's functions are probably still there, but they are heavily modified.
--
pam_gate is a PAM authentication module; we can simply put it inside one of the files in /etc/pam.d/. Most of the time /etc/pam.d/common-auth is the right place to put it, with the following configuration:
auth sufficient pam_gate.so url=https://<your gate host address> token=<your gate token>
account sufficient pam_gate.so url=https://<your gate host address> token=<your gate token>
You also need to put the pam_gate.so file in the appropriate place. I am looking for someone to create packages, but in the absence of that, on Ubuntu this should go to /lib/*/security, or /usr/lib/security in some distros. If you can't figure it out, please create an issue and we will be able to help you set this up.
Soon you should be able to get a package and automated deploy scripts.
The old and original intro
"This module is heavily inspired by the pam-http module by Kragen Sitaker. I rewrote it largely because I wanted to MIT license it (instead of GPL) and because there was some profanity in the source. Also, the version I modeled this off of didn't even compile because it used an old version of libcurl."
I forked it from https://github.com/beatgammit/pam-http, Jameson Little's repo, but this has gone through multiple changes.
So now what it does is something simple.
Expects a URL
auth sufficient gate_pam.so url=https://<URL>?user=<username>=password=<password>
account sufficient gate_pam.so
Since I use Google Authenticator as the password, I did not care about obfuscating the password, but if you want to authenticate against your own DB, then you might want to make that change.
The .so file should be put in /lib/*/security and the PAM config files will need to be edited accordingly. The config files are located in /etc/pam.d/ and the one I changed was /etc/pam.d/common-auth.
This is NOT the best place to put it, as sudo uses this file and you could get unexpected results. But if you have any other suggestions please let me know.
auth sufficient mypam.so url=https://localhost:2000
account sufficient mypam.so
Sufficient basically means that if this authentication method succeeds, the user is given access.
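The configuration lines above put a URL and a token into a PAM file, and the note about sudo applies to /etc/pam.d/common-auth. The following audit sketch is an added example, not code from this project: it parses PAM rules and reports gate module lines whose url is not https, whose token sits in a file readable by other users, or which live in common-auth. The finding names, the sample host and the sample token are constructed for illustration.

```python
import os
import stat
from urllib.parse import urlsplit

# Module file names that appear in this README's configuration lines.
GATE_MODULES = {"pam_gate.so", "gate_pam.so", "mypam.so"}

def parse_rule(line):
    """Split one PAM rule into (type, control, module, args); None if not a rule."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 3 or fields[0].startswith("@"):
        return None
    end = 1
    if fields[1].startswith("["):  # bracketed control, e.g. [success=1 default=ignore]
        while end < len(fields) - 1 and not fields[end].endswith("]"):
            end += 1
    control, rest = " ".join(fields[1:end + 1]), fields[end + 1:]
    if not rest:
        return None
    args = dict(a.partition("=")[::2] for a in rest[1:])  # key=value module options
    return fields[0].lstrip("-"), control, os.path.basename(rest[0]), args

def audit(path, text, mode):
    """Return sorted (line_number, finding) pairs for gate module rules in one file."""
    findings = set()
    for n, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule[2] not in GATE_MODULES:
            continue
        args = rule[3]
        if "url" in args and urlsplit(args["url"]).scheme != "https":
            findings.add((n, "url-not-https"))         # credentials sent in cleartext
        if "token" in args and mode & stat.S_IROTH:
            findings.add((n, "token-world-readable"))  # any local user can read the token
        if os.path.basename(path) == "common-auth":
            findings.add((n, "shared-with-sudo"))      # the README's own caution
    return sorted(findings)

# Constructed sample file content; host and token are placeholders.
SAMPLE = """\
# /etc/pam.d/common-auth (constructed sample)
auth    sufficient pam_gate.so url=http://gate.example.com token=EXAMPLE-TOKEN
account sufficient pam_gate.so url=https://gate.example.com token=EXAMPLE-TOKEN
auth    [success=1 default=ignore] pam_unix.so nullok
"""

if __name__ == "__main__":
    for lineno, finding in audit("/etc/pam.d/common-auth", SAMPLE, 0o644):
        print(f"line {lineno}: {finding}")
```

On a real host, pass each file's contents together with os.stat(path).st_mode as the mode argument.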
Contributor: Ajey Gore