ACD Computing
System Administration
Fedora Linux: Sudo/su and Cryptocard
To use Cryptocard for sudo/su:
- Download and install the authserver software
(specific instructions). If you download the source, edit the Makefile to include the
secret key assigned by SCD, then run "sudo make install"; the necessary PAM modules
will be installed on Fedora Linux. Check /usr/local/etc/netperm-table
to make sure you have the right configuration.
- Configure su: PAM is very flexible. We have configured "su" to
authenticate with Cryptocard using the /etc/pam.d/su file shown below
(Fedora Linux 1.0).
- Configure sudo: As with su above, we have configured sudo
to use Cryptocard through PAM modules.
- Lock down other forms of root access: Be sure that root access is allowed only
from the console (for emergencies). If a system cannot contact the Cryptocard server, for
instance, you may need to log in at the console. (Logging in at the
console rather than over the network makes it less likely that a password
will be sniffed. Console logins still carry security risks, however.)
Using Cryptocard for su
/etc/pam.d/su
#%PAM-1.0
# This module has been modified to perform 'su' authentication by
# cryptocard against the UCAR Cryptocard server.
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_ncarsnk.so.1
auth required /lib/security/pam_deny.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
/etc/pam.d/sudo
#%PAM-1.0
# This module has been modified to perform 'sudo' authentication by
# cryptocard against the UCAR Cryptocard server.
auth sufficient /lib/security/pam_ncarsnk.so.1
auth required /lib/security/pam_deny.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
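
The following is an added example, not part of the original page or of the authserver software: a simplified model of how PAM walks the "auth" lines of the two files above, showing which modules can grant access and what happens when the Cryptocard check fails. The function names (auth_stack, authenticate, reachable_by) are hypothetical, the control-flag handling is a simplification of real PAM behaviour, and the file contents are copied from this page with the non-auth lines trimmed.

```python
# Added example: simplified evaluation of the auth stacks shown on this page.
SU_PAM = """\
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth sufficient /lib/security/pam_ncarsnk.so.1
auth required /lib/security/pam_deny.so
account required /lib/security/pam_stack.so service=system-auth
"""
SUDO_PAM = """\
#%PAM-1.0
auth sufficient /lib/security/pam_ncarsnk.so.1
auth required /lib/security/pam_deny.so
account required pam_stack.so service=system-auth
"""

def auth_stack(text):
    """Return [(control, module file name)] for the auth lines of a PAM file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def authenticate(stack, outcomes):
    """Evaluate required/requisite/sufficient flags (simplified PAM semantics).

    outcomes maps a module file name to True (success) or False (failure);
    modules not listed fail, and pam_deny.so always fails.
    """
    required_ok, required_failed = False, False
    for control, module in stack:
        ok = module != "pam_deny.so" and outcomes.get(module, False)
        if control == "sufficient":
            if ok and not required_failed:
                return True          # success ends the stack immediately
        elif control in ("required", "requisite"):
            if ok:
                required_ok = True
            else:
                required_failed = True
                if control == "requisite":
                    return False     # requisite failure ends the stack
    return required_ok and not required_failed

def reachable_by(stack):
    """Names of modules whose success alone is enough to grant access."""
    names = {module for _, module in stack}
    return sorted(m for m in names if authenticate(stack, {m: True}))
```

In this model, a failed Cryptocard check (for example, when the server cannot be contacted) falls through to pam_deny.so for every non-root caller, which is why the console login described above is the emergency path.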