rpms/pam_pkcs11/devel rh_pam_pkcs11.conf,1.8,1.9

Robert Relyea rrelyea at fedoraproject.org
Mon May 3 21:21:44 UTC 2010


Author: rrelyea

Update of /cvs/extras/rpms/pam_pkcs11/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13706

Modified Files:
	rh_pam_pkcs11.conf 
Log Message:


Update sample config to new way of doing ocsp



Index: rh_pam_pkcs11.conf
===================================================================
RCS file: /cvs/extras/rpms/pam_pkcs11/devel/rh_pam_pkcs11.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- rh_pam_pkcs11.conf	6 Oct 2006 23:44:20 -0000	1.8
+++ rh_pam_pkcs11.conf	3 May 2010 21:21:44 -0000	1.9
@@ -14,9 +14,6 @@ pam_pkcs11 {
   # If the smart card is inserted, only use it
   card_only = true;
 
-  # Turn on OCSP checking of the certificates
-  enable_ocsp = false;
-
   # Do not prompt the user for the passwords but take them from the
   # PAM_ items instead.
   use_first_pass = false;
@@ -52,17 +49,23 @@ pam_pkcs11 {
     # must contain an openssl hash-link to each CRL. The default value
     # is /etc/pam_pkcs11/crls.
     crl_dir = /etc/pam_pkcs11/crls;
-  
-    # Sets the CRL verification policy. None performs no verification
-    # at all, online downloads the CRL form the location given by the
-    # CRL distribution point extension of the certificate and offline
-    # uses the locally stored CRLs. Auto is a combination of online and
-    # offline; it first tries to download the CRL from a possibly
-    # given CRL distribution point and if this fails, uses the local
-    # CRLs. The default setting is none.
-    # crl_policy={none, online, offline, auto}
-    crl_policy = none;
 
+    # Sets the Certificate verification policy.
+    # "none"        Performs no verification
+    # "ca"          Does CA check
+    # "crl_online"  Downloads the CRL form the location given by the
+    #               CRL distribution point extension of the certificate
+    # "crl_offline" Uses the locally stored CRLs
+    # "crl_auto"    Is a combination of online and offline; it first
+    #               tries to download the CRL from a possibly given CRL
+    #               distribution point and if this fails, uses the local
+    #               CRLs
+    # "ocsp_on"     Turn on OCSP.
+    # "signature"   Does also a signature check to ensure that private
+    #               and public key matches
+    # You can use a combination of ca,crl, and signature flags, or just
+    # use "none".
+    cert_policy=ca, ocsp_on, signature;
   }
 
   pkcs11_module opensc {
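Review bot: The closing sentence of the new comment block, `You can use a combination of ca,crl, and signature flags, or just use "none".`, matches neither the flag list above it (crl_online/crl_offline/crl_auto, ocsp_on) nor the value set on the next line, which combines ca, ocsp_on and signature with no crl flag; suggest `# Any combination of ca, crl_online/crl_offline/crl_auto, ocsp_on and signature may be given, or just "none".` The line `"crl_online"  Downloads the CRL form the location` carries over the old typo, form → from. Because the sample value selects ocsp_on and no crl_* flag, the crl_dir set just above this hunk is, as far as this comment describes, not consulted, so a one-line remark that revocation checking in the sample now relies on OCSP alone, and what the module does when the responder cannot be reached, would help an administrator reviewing it (the same value is repeated in the two later hunks). The new line also drops the `key = value;` spacing used elsewhere in this file (`crl_dir = /etc/pam_pkcs11/crls;`, `card_only = true;`); `cert_policy = ca, ocsp_on, signature;` would keep it consistent here and in the later hunks.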
@@ -91,7 +94,7 @@ pam_pkcs11 {
     # given CRL distribution point and if this fails, uses the local
     # CRLs. The default setting is none.
     # crl_policy={none, online, offline, auto}
-    crl_policy = none;
+    cert_policy=ca, ocsp_on, signature;
 
   }
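Review bot: The three context lines above the new `cert_policy=ca, ocsp_on, signature;` line still document `crl_policy={none, online, offline, auto}` and its none/online/offline/auto semantics, so the opensc module block now carries a comment for a key that no longer appears in it, and the values it lists are not the ones cert_policy accepts. That comment should be replaced with the cert_policy description used in the first module block, or shortened to `# Sets the certificate verification policy; see the description in the first pkcs11_module block.` The comment begins above this hunk, so the replacement spans lines outside it.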
 
@@ -102,7 +105,7 @@ pam_pkcs11 {
     slot_num = 0;
     ca_dir = /etc/pam_pkcs11/cacerts;
     crl_dir = /etc/pam_pkcs11/crls;
-    crl_policy = none;
+    cert_policy=ca, ocsp_on, signature;
   }
 
   # Which mappers ( Cert to login ) to use?


