- bullseye 239-1
pam_cockpit_cert - PAM module for authenticating to Cockpit with a client certificate
pam_cockpit_cert provides an PAM authentication module for identifying and authenticating users through a TLS client certificate. Commonly this is provided by a smart card, but it's equally possible to import certificates directly into the web browser.
This requires the host to be in an Identity Management domain like FreeIPA or Active Directory, which can associate certificates to users. See the FreeIPA User Certificates documentation for details. The sssd-dbus package must be installed for this to work.
In authentication mode, pam_cockpit_cert is invoked with the user name unset. It checks whether the web browser presented and validated a TLS client certificate to Cockpit. If so, that gets passed to sssd. If that can successfully map the certificate to a user, this PAM module sets the user name and succeeds, which should be treated as a sufficient authentication.
Cockpit does not use certificate based authentication by default; it has to be explicitly enabled in cockpit.conf. If not enabled, this PAM module is inert and always returns ignore.
USAGE IN PAM CONFIGURATION¶
The module should be added to service PAM configurations like this:
-auth [success=done new_authtok_reqd=done user_unknown=die default=ignore] pam_cockpit_cert.so # fallback authentication methods such as pam_unix
This must be first module in the "auth" stack as it sets the PAM_USER variable on successful mapping of a certificate to a user name. Also, if a certificate is being presented, then failure to map that to a user should usually be treated as fatal, without falling back to other methods such as password. Other errors should usually be considered non-fatal, and just try the next authentication method in the stack.
Cockpit has been written by many contributors.
Please send bug reports to either the distribution bug tracker or the upstream bug tracker.
- Active Directory
- FreeIPA User Certificates documentation
- upstream bug tracker