If you have not already done so, you first need to follow the instructions on how to configure a
Installation Instructions
Install pam_gss
Install the pam_gss packages using one of the following commands, according to your OS distribution.
CentOS / RH / SL
Debian / Ubuntu / Raspbian
Alpine Linux
Configure the .gss_eap_authorized_anchors file
Since the PAM module does not make use of the , a static list of the IDPs' certificate fingerprints must be configured; otherwise pam_gss could accept a malicious entity impersonating the end user's IDP.
That is achieved by creating the file .gss_eap_authorized_anchors in the /root directory. Because this file is the list of trust anchors, it must be owned by root and must not be writable by any other user; anyone who can write to it can add an anchor for a rogue IDP. Its format is as follows:
The realm and fingerprint portions are case-insensitive. The fingerprint is the , and the realm is the same as the realm in the .
Configuration Instructions
pam_gss is configured by adding the following line to the desired /etc/pam.d/ configuration file, directly after the line that runs the pam_unix module.
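As an added illustration, not a stanza from the original page or from the Moonshot project, this is the general shape of an auth stack built according to the rule above. The control flags, the pam_unix options and the service_name value are assumptions made for this example; the file to edit and the exact surrounding lines are distribution-specific, as the per-OS sections below show.

```text
# Excerpt from an /etc/pam.d/ auth stack (added example; control flags and options are assumed)
auth    sufficient  pam_unix.so nullok try_first_pass
auth    sufficient  pam_gss.so service_name=login
auth    required    pam_deny.so
```

Because pam_unix comes first, a local account still authenticates with its local password and never reaches pam_gss, while a full NAI such as johnsmith@example.com is unknown to pam_unix and falls through to pam_gss. A successful pam_gss result ends the stack under the sufficient flag, and the trailing pam_deny.so line makes the stack fail closed when neither module succeeds. The service_name option is only needed when you want to distinguish pam_gss logins from SSH, which also uses host.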
The configuration file depends on the application and OS you are trying to configure. In particular:
Linux console
Edit the indicated file for your system to make it match the following stanzas:
RH / CentOS / SL
/etc/pam.d/system-auth
Debian / Ubuntu / Raspbian
/etc/pam.d/common-auth
Alpine Linux
/etc/pam.d/base-auth
GDM
Edit the indicated file for your system to make it match the following stanzas:
RH / CentOS / SL
/etc/pam.d/password-auth
SELinux
If SELinux is in Enforcing mode, GDM will not be able to read /root/.gss_eap_authorized_anchors.
You can work around this limitation by running GDM in permissive mode. Bear in mind that in permissive mode SELinux only logs the denials for GDM instead of blocking them, so this relaxes the confinement of the display manager as a whole rather than just permitting access to this one file; treat it as a workaround, not a fix. Use the following command:
Debian / Ubuntu / Raspbian
/etc/pam.d/common-auth
/etc/pam.d/gdm-password
Screensaver
If the screensaver locks the screen, you will not be able to unlock it with your federated password, because the unlock dialog expects the password of the local account instead. As a workaround, use "Login as a different user" and log in again; this actually unlocks the existing session rather than creating a new one.
Account mapping
When you authenticate using your federated identity, it must be mapped to a local account on the system. Before going any further, read our General account mapping advice page for an overview of the options available for mapping federation-provided identities to local accounts.
Then refer to our page.
Customising the value of GSS-Acceptor-Service-Name
By default, pam_gss uses host as the value of the GSS-Acceptor-Service-Name attribute. This is the same value used by SSH and other applications, so if you want to distinguish pam_gss logins from them in your RP proxy or IDP, add service_name=value to the pam_gss.so line. For example:
/etc/pam.d/common-auth
Logging in using pam_gss
When the application requires a username, use your full NAI (e.g. johnsmith@example.com).
When the application requires a password, use your password as usual.
If you are using the Moonshot 2FA module, you must use your password concatenated with your OTP code (e.g. mypasswdendshere054448)
If successful, you should be logged in as the local user that your account is mapped to (see previous section).
Ensure that the account that the user is being mapped to (via whatever method) actually exists beforehand!
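The following pre-flight check is an added example, not code from the original page or the Moonshot project. It verifies, before users try to log in, that each NAI is well formed and that the local account it maps to exists, which is the failure mode the warning above describes. The "nai localuser" pair format it reads is an assumption made for the example; produce those pairs from whatever mapping method you configured.

```shell
#!/bin/sh
# Added example (not from the Moonshot wiki): check that every local account a
# federated identity maps to really exists, since a successful pam_gss
# authentication still cannot log in when the mapped account is missing.

# Print the realm of an NAI (the part after the last '@'); print an empty line
# when the string is not a full NAI such as johnsmith@example.com.
nai_realm() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# Succeed if the account exists in the NSS passwd database (local files, LDAP,
# ...), i.e. the same lookup the login path performs after mapping.
local_account_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Read "nai localuser" pairs from stdin (an assumed format for this example),
# print one line per problem found, and return 0 only when every mapping is usable.
check_mappings() {
    rc=0
    while read -r nai user; do
        [ -z "$nai" ] && continue
        if [ -z "$(nai_realm "$nai")" ]; then
            printf 'BAD NAI (no realm): %s\n' "$nai"
            rc=1
            continue
        fi
        if [ -z "$user" ]; then
            printf 'NO LOCAL ACCOUNT GIVEN for %s\n' "$nai"
            rc=1
            continue
        fi
        if ! local_account_exists "$user"; then
            printf 'MISSING local account %s for %s\n' "$user" "$nai"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input (not real users): one good mapping, one pointing at
# a missing account, and one malformed NAI.
SAMPLE_MAPPINGS='johnsmith@example.com root
janedoe@example.com nosuchuser-pamgss-example
badnai root'

# Usage:  printf '%s\n' "$SAMPLE_MAPPINGS" | check_mappings
```

Run it as root on the machine where pam_gss is configured, so that getent sees the same account sources (files, SSSD, LDAP) that the login path will use.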