PAM_COCKPIT_CERT(8) pam_cockpit_cert PAM_COCKPIT_CERT(8)

pam_cockpit_cert - PAM module for authenticating to Cockpit with a
client certificate

pam_cockpit_cert provides a PAM authentication module for identifying
and authenticating users through a TLS client certificate. Commonly
this is provided by a smart card, but it's equally possible to import
certificates directly into the web browser.

This requires the host to be in an Identity Management domain like
FreeIPA[1] or Active Directory[2], which can associate certificates to
users. See the FreeIPA User Certificates documentation[3] for details.
The sssd-dbus package must be installed for this to work.

In authentication mode, pam_cockpit_cert is invoked with the user name
unset. It checks whether the web browser presented and validated a TLS
client certificate to Cockpit. If so, the certificate is passed to sssd.
If sssd can successfully map the certificate to a user, this PAM module
sets the user name and succeeds, which should be treated as a sufficient
authentication.

Cockpit does not use certificate-based authentication by default; it
has to be explicitly enabled in cockpit.conf. If not enabled, this PAM
module is inert and always returns ignore.

debug
    This option will turn on debug logging to syslog.

success
    Certificate is present, mapped to a user, and the user name is set
    in the PAM stack.

user_unknown
    Certificate is present, but sssd cannot map it to a user.
    Effectively a definitive failed authentication.

ignore
    The PAM user is already set, so this authentication process does
    not use a certificate.

unavail
    sssd is not available for mapping certificates to users.

service_err
    sssd is available in general, but responded with an invalid answer.
    This might indicate a compatibility problem with a future version.

The module should be added to service PAM configurations like this:

    -auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so
    # fallback authentication methods such as pam_unix

This must be the first module in the "auth" stack, as it sets the
PAM_USER variable on successful mapping of a certificate to a user name.
Also, if a certificate is being presented, then failure to map that to a
user should usually be treated as fatal, without falling back to other
methods such as password. Other errors should usually be considered
non-fatal, and just try the next authentication method in the stack.

cockpit.conf(5), cockpit-tls(8), pam.d(5), sssd(8), sssd-ifp(5)

Cockpit has been written by many contributors[4].

Please send bug reports to either the distribution bug tracker or the
upstream bug tracker[5].

1. FreeIPA
   https://www.freeipa.org

2. Active Directory
   https://en.wikipedia.org/wiki/Active_Directory

3. FreeIPA User Certificates documentation
   https://www.freeipa.org/page/V4/User_Certificates

4. contributors
   https://github.com/cockpit-project/cockpit/

5. upstream bug tracker
   https://github.com/cockpit-project/cockpit/issues/new

pam_cockpit_cert 03/31/2021 PAM_COCKPIT_CERT(8)