Free pam software for linux

pam_siegho is a pam module that helps to defend your computer by closing the login prompts for visitors that repeatedly try to log in unsuccesfully.

Installation:

Just run configure and do the ordinary "make install". Differences between platforms will automatically be handled by the configure script. Let me know if its not.

Usage:

pamtester requires at least three arguments to operate. The first argument is "service", which provides the name of the service. The second one is "user", which provides the name of the user to handle with PAM. The last one is "operation", which specifies the operation for PAM to perform.

Operation may be specified more than once. In that case the operations are done
in the order of occurrence.

Any operation may also be followed by the option flags that are provided between the pair of parenthesis. Flags are all named and combinable or inversible with bitwise operators; "|" (OR), "&" (AND), "^" (XOR) and "~" (NOT) are accepted.

The list of allowed options is shown below:

- PAM_SILENT

- PAM_DISALLOW_NULL_AUTHTOK

- PAM_ESTABLISH_CRED

- PAM_REINITIALIZE_CRED

- PAM_REFRESH_CRED

- PAM_CHANGE_EXPIRED_AUTHTOK

Additional authentication information such as the name of the remote user, the remote host and the tty can be supplied via -I (--item) option.

The following types of information are supported:

- service

- user

- prompt

- tty

- ruser

- rhost

PAM for MyPW project is a PAM module for using the one-time passwords provided by the MyPW service.

PAM for MyPW currently works with most Linux Servers and can be used with software programs such as SSH that support PAM Authentication.

After you compile and install the PAM Module youll need to sign-up for our Free API access account and a Token or MyPW for your Mobile Phone.

You can install the PAM module and implement the MyPW API on an unlmited number of systems.

pam_smxs is a PAM module that authenticates a user using challenge-response. All tokens that support ANSI X9.9 are currently supported and it provides full support for CryptoCard RB1 tokens.

Installation from source:

Unpack the tarball: tar -zxvf pam_smxs-1.6-1.tar.gz
Change into that dir: cd pam_smxs-1.6, and do a ./configure --enable-rb1 issue a make.
After that, you should end op with a pam_smxs.so file in the dir you are in now. A make install should install the module.

Configuration:

After installing the module (it should be in /lib/security), the following is neccesary to make it work:

Edit the /etc/pam.d/xxx file, where xxx is a service, for example login. In that case, edit /etc/pam.d/login

Normally it looks something like this:

#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_pwdb.so shadow nullok
auth required /lib/security/pam_nologin.so
accountrequired /lib/security/pam_pwdb.so
password required /lib/security/pam_cracklib.so
password required /lib/security/pam_pwdb.so shadow nullok use_authtok
password required /lib/security/pam_smxs.so
session required /lib/security/pam_pwdb.so
session optional /lib/security/pam_console.so
session required /lib/security/pam_limits.so

Im using this on instead :
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_smxs.so
auth required /lib/security/pam_nologin.so
accountrequired /lib/security/pam_smxs.so
password required /lib/security/pam_smxs.so
session required /lib/security/pam_smxs.so
session optional /lib/security/pam_console.so
session required /lib/security/pam_limits.so

This will let the users authenticate using pam_smxs. Also see the PAM documentation for futher configuration directives.

Then use the cryptoadm program to add / remove / modify users.

pam_eps is a PAM module that allows you to authenticate users against a remote server with a ssh daemon enabled. If the user exists in local machine, he is allowed entry.

But if the user doesnt exist (yet exists in the remote machine and the password supplied is correct), a new user with that pass and logname will be created.

Pam_p11 is a plugable authentication module (pam) package for using crpytographic tokes such as smart cards and usb crypto tokens for authentication.
Pam_p11 uses libp11 to access any PKCS#11 module. The project should be compatible with any implementation, but it is primarely developed using OpenSC.
Pam_p11 implements two authentication modules:
- pam_p11_openssh authenticates the user using his openssh ~/.ssh/authorized_keys file.
- pam_p11_opensc authenticates the user using certificates found in ~/.eid/authorized_certificates. It is compatible with the older opensc "pam_opensc" authentication module (eid mode).
Pam_p11 is very simple, it has no config file, no options other than the PKCS#11 module file, does not know about certificate chains, certificate authorities, revocation lists or OCSP. Perfect for the small installation with no frills.
Pam_p11 was written by an international team and is licensed as Open Source software under the LGPL license.
Enhancements:
- The wiki export script was updated.
- Some functions were made static.
- Variables were renamed to avoid conflicts with glibc functions.
- The password is no longer saved.

Linux-PAM project offers a flexible mechanism for authenticating users.
For the uninitiated, we begin by considering an example. We take an application that grants some service to users; login is one such program.
Login does two things, it first establishes that the requesting user is whom they claim to be and second provides them with the requested service: in the case of login the service is a command shell (bash, tcsh, zsh, etc.) running with the identity of the user.
Traditionally, the former step is achieved by the login application prompting the user for a password and then verifying that it agrees with that located on the system; hence verifying that as far as the system is concerned the user is who they claim to be.
This is the task that is delegated to Linux-PAM.
From the perspective of the application programmer (in this case the person that wrote the login application), Linux-PAM takes care of this authentication task verifying the identity of the user.
The flexibility of Linux-PAM is that you, the system administrator, have the freedom to stipulate which authentication scheme is to be used. You have the freedom to set the scheme for any/all PAM-aware applications on your Linux system.
That is, you can authenticate from anything as naive as simple trust (pam_permit) to something as paranoid as a combination of a retinal scan, a voice print and a one-time password!
To illustrate the flexibility you face, consider the following situation: a system administrator (parent) wishes to improve the mathematical ability of her users (children).
She can configure their favorite ``Shoot em up game (PAM-aware of course) to authenticate them with a request for the product of a couple of random numbers less than 12. It is clear that if the game is any good they will soon learn their multiplication tables.
As they mature, the authentication can be upgraded to include (long) division!
Linux-PAM deals with four separate types of (management) task. These are: authentication management; account management; session management; and password management.
The association of the preferred management scheme with the behavior of an application is made with entries in the relevant Linux-PAM configuration file.
The management functions are performed by modules specified in the configuration file. The syntax for this file is discussed in the section below.
By way of explanation, the left of the figure represents the application; application X. Such an application interfaces with the Linux-PAM library and knows none of the specifics of its configured authentication method.
The Linux-PAM library (in the center) consults the contents of the PAM configuration file and loads the modules that are appropriate for application-X.
These modules fall into one of four management groups (lower-center) and are stacked in the order they appear in the configuration file. These modules, when called by Linux-PAM, perform the various authentication tasks for the application.
Textual information, required from/or offered to the user, can be exchanged through the use of the application-supplied conversation function.
Enhancements:
- This release contains new translations and improvements to pam_limits.so, pam_access.so, pam_cracklib.so, pam_namespace.so, and pam_selinux.so.

PAM_Extern is a PAM module that hands the username and password to an external application or shellscript for further handling.
The theory is that while a lot of people might be able to create authentication schemes, few are are able to do so using C and the PAM library.
Installation:
make
make install
Enhancements:
- The password is now passed on stdin instead of an environment variable to prevent it from showing up in "ps auxe".
- Every "malloc" call is now checked for success.
- Debug output is now realized with PAMs D macro instead of fprintf(stderr) and _pam_overwrite and _pam_drop are used instead of free().

pam_imap is a PAM module that authenticates against a remote IMAP or IMAPS server.
pam_imap program supports multiple servers, SSL, password caching, user blacklists (for admin users), and many configuration abilities.
Examples of recommended use:
1) A lab of UNIX/Linux machines that would require an easily accessible password database from an IMAP server
2) Authenticating users against a centralized password server that you have no control over, and it conveniently has an IMAP server. (The arms-tied-behind-your-back scenario)
3) Authenticating with applications that do not run as root. (Apache is a good example -- read user-testimonials below)
4) An IMAP cluster authentication relay -- pam-imap can be used for a cheap IMAP cluster solution. Have one or two master IMAP servers that have a username/password database (be it LDAP, shadow, etc) and an IMAP server. Have several cluster node servers to handle the bandwidth of client requests , and use pam-imap on each node to authenticate against the master server(s). (The node machines will use pam-imap in their imap service file)
Tie everything together with round-robin DNS and NFS mail folders, and you have yourself an IMAP cluster!
Main features:
- User BlockList: Allows pam-imap to ignore authenticating users such as root, apache, and others.
- Password caching: Possibly usefull in situations where network connections are slow, or server loads are high. Has a few security risks however. Checkout the README file for more info.
- Support for username@domain.com style logins. With Micro$oft style IMAP servers, the "@domain.com" can be appended to the UNIX username for easy compatability.
- Customizable "Password: " string... You could change it to anything! Maybe, "IMAP Password: " The possibilities are endless.