PAM-Grid for Linux
PAM-Grid is a PAM module which tests passwords as a user's passphrase with Globus's grid-proxy-init. This means that if you log in to a system that has PAM-Grid installed, and give your Globus key's passphrase instead of your Unix password, then you will be given access to the system and a normal proxy created just as if you had logged in and then done grid-proxy-init.
(The idea is that you use the PAM module on your desktop Linux machine and can then get access to other Grid-aware machines without having to run grid-proxy-init explicitly: this is similar to modified versions of xlogin that automatically perform a klogin for AFS based systems.)
An RPM suitable for use with the Globus RPM is available in the production area of the download directory. (There is a tar file in the sources directory too.) Please send comments, corrections or suggestions to Andrew McNab <mcnab@hep.man.ac.uk>.
Notes
- This is currently an alpha quality release: please try it out and let me know about any problems with it on your configuration.
- The RPMs have been built to be installed after the Globus 1.1.3 RPM.
- The module was originally produced by Alex Martin (a.j.martin@qmw.ac.uk), based on the AFS PAM module by Tobias Schaefer (T.Schaefer@science-computing.de). Some removal of references to AFS was done by Andrew McNab, along with the RPM packaging.
- The RPM only affects login via ssh, xdm, gdm and kde; it modifies the corresponding files in /etc/pam.d using the script /usr/sbin/add-grid-pam.
- Additional methods of login can be included by running add-grid-pam with the (short) filename of a file in /etc/pam.d as its single argument. For example: /usr/sbin/add-grid-pam login
- Existing files in /etc/pam.d are saved with suffix .gridsave and are reinstated when the RPM is uninstalled.
- By using the PAM module, you are restricting access to the machine on the basis of the passphrase in the user's key file. This means that if another user can gain access to that user's .globus directory and insert another key with a different passphrase, they can gain entry again in the future. (This is a similar vulnerability to that introduced by ssh's authorized_keys file.)
- NB key passphrases can be changed using Globus's grid-change-pass-phrase command.
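A permission check for the .globus weakness described in the notes above, as an added example that is not part of the PAM-Grid distribution. The function name audit_globus_dir and its two arguments (directory, expected owner) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a user's .globus directory before trusting the key
# passphrase for login. Function name and arguments are assumptions.

# audit_globus_dir DIR OWNER
#   DIR    path to the user's .globus directory
#   OWNER  user name or numeric uid that should own everything in it
# Prints one line per finding.
# Returns 0 if clean, 1 if there are findings, 2 if DIR does not exist.
audit_globus_dir() {
    dir=$1
    owner=$2
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }

    # Entries owned by someone else may have been planted by another user.
    foreign=$(find "$dir" ! -user "$owner" -print)

    # Group- or world-writable entries let another local user add or
    # replace a key. Symlinks are skipped because their mode bits are
    # always 0777 on Linux and say nothing about write access.
    writable=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)

    status=0
    if [ -n "$foreign" ]; then
        printf '%s\n' "$foreign" | sed 's/^/not-owned-by-user: /'
        status=1
    fi
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/group-or-world-writable: /'
        status=1
    fi
    return $status
}

# When run as a script: audit-globus.sh /home/alice/.globus alice
if [ "$#" -eq 2 ]; then
    audit_globus_dir "$1" "$2"
fi
```

Run it for each account that can log in through a PAM-Grid-enabled service, and treat any finding as a reason to re-check which keys are present in that directory.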
Last modified Wed 26 November 2003