rpms/pam_pkcs11/devel rh_pam_pkcs11.conf,1.8,1.9
Robert Relyea
rrelyea at fedoraproject.org
Mon May 3 21:21:44 UTC 2010
Author: rrelyea
Update of /cvs/extras/rpms/pam_pkcs11/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv13706
Modified Files:
rh_pam_pkcs11.conf
Log Message:
Update sample config to new way of doing ocsp
Index: rh_pam_pkcs11.conf
===================================================================
RCS file: /cvs/extras/rpms/pam_pkcs11/devel/rh_pam_pkcs11.conf,v
retrieving revision 1.8
retrieving revision 1.9
diff -u -p -r1.8 -r1.9
--- rh_pam_pkcs11.conf 6 Oct 2006 23:44:20 -0000 1.8
+++ rh_pam_pkcs11.conf 3 May 2010 21:21:44 -0000 1.9
@@ -14,9 +14,6 @@ pam_pkcs11 {
# If the smart card is inserted, only use it
card_only = true;
- # Turn on OCSP checking of the certificates
- enable_ocsp = false;
-
# Do not prompt the user for the passwords but take them from the
# PAM_ items instead.
use_first_pass = false;
@@ -52,17 +49,23 @@ pam_pkcs11 {
# must contain an openssl hash-link to each CRL. The default value
# is /etc/pam_pkcs11/crls.
crl_dir = /etc/pam_pkcs11/crls;
-
- # Sets the CRL verification policy. None performs no verification
- # at all, online downloads the CRL form the location given by the
- # CRL distribution point extension of the certificate and offline
- # uses the locally stored CRLs. Auto is a combination of online and
- # offline; it first tries to download the CRL from a possibly
- # given CRL distribution point and if this fails, uses the local
- # CRLs. The default setting is none.
- # crl_policy={none, online, offline, auto}
- crl_policy = none;
+ # Sets the Certificate verification policy.
+ # "none" Performs no verification
+ # "ca" Does CA check
+ # "crl_online" Downloads the CRL form the location given by the
+ # CRL distribution point extension of the certificate
+ # "crl_offline" Uses the locally stored CRLs
+ # "crl_auto" Is a combination of online and offline; it first
+ # tries to download the CRL from a possibly given CRL
+ # distribution point and if this fails, uses the local
+ # CRLs
+ # "ocsp_on" Turn on OCSP.
+ # "signature" Does also a signature check to ensure that private
+ # and public key matches
+ # You can use a combination of ca,crl, and signature flags, or just
+ # use "none".
+ cert_policy=ca, ocsp_on, signature;
}
pkcs11_module opensc {
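Review bot: The summary sentence that closes the new comment block, `# You can use a combination of ca,crl, and signature flags, or just use "none".`, does not agree with the flag list above it or with the sample line below it: a bare `crl` is not among the listed values (the list gives crl_online, crl_offline and crl_auto), and `ocsp_on`, which the sample `cert_policy=ca, ocsp_on, signature;` actually enables, is left out of the summary. Suggested wording: `# Combine ca, one of crl_online/crl_offline/crl_auto, ocsp_on and signature as needed, or use "none" alone.` Since the first hunk of this commit deletes the `enable_ocsp` setting, the `"ocsp_on"` line would also be the place to say that it replaces `enable_ocsp`, so anyone carrying an old config knows where OCSP is now switched on; the `crl_online` description also reads `form` where `from` is meant.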
@@ -91,7 +94,7 @@ pam_pkcs11 {
# given CRL distribution point and if this fails, uses the local
# CRLs. The default setting is none.
# crl_policy={none, online, offline, auto}
- crl_policy = none;
+ cert_policy=ca, ocsp_on, signature;
}
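Review bot: The comment lines kept as context directly above the changed line (`# CRLs. The default setting is none.` and `# crl_policy={none, online, offline, auto}`, plus the lines before them) still document the removed `crl_policy` option, so the new `cert_policy=ca, ocsp_on, signature;` now sits under a description of a setting that no longer exists in this file. Either update that block to the cert_policy wording introduced in the earlier hunk, or replace it with a one-line pointer such as `# See the cert_policy description in the pam_pkcs11 section above.` The enclosing pkcs11_module block begins outside this hunk.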
@@ -102,7 +105,7 @@ pam_pkcs11 {
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
- crl_policy = none;
+ cert_policy=ca, ocsp_on, signature;
}
# Which mappers ( Cert to login ) to use?