pam_rsa keypair generator
VM Kari
Mar 30 2006
Version 0.8-5
pamrsakp - generate keypairs for pam_rsa PAM-authentication module
pamrsakp user hostname pubdir privdir hashtype usepassphrase
pamrsakp is a utility script for creating RSA keypairs that can be used with the pam_rsa PAM-authentication module.
All six arguments are required.
- user
User for whom the RSA keypair is created.
- hostname
Target hostname for which the RSA keypair is created. The generated public key (which is actually contained within an X509 PEM-format certificate) is meant to be stored on the target host.
- pubdir
Directory into which pamrsakp should output the generated RSA public key.
- privdir
Directory into which pamrsakp should create a subdirectory based on a SHA1 hashed hostname. Depending on the value of hashtype, pamrsakp creates the RSA private key in the subdirectory either with a SHA1 hashed name, or with a name that is not hashed. NOTE: NEVER EVER LOSE YOUR PRIVATE KEY.
- hashtype
Specify sha1 to generate the RSA private key with its filename SHA1 hashed, or specify none for no hashing.
- usepassphrase
Specify yes to protect your RSA private key with passphrase-based encryption. THIS IS RECOMMENDED UNLESS YOU ARE SURE OF WHAT YOU ARE DOING. You will be prompted for a passphrase and the passphrase will be read from standard input. Specify no for an unencrypted RSA private key. Use with caution.
Issuing a command:
    pamrsakp spock startrek.example.com /safedir/pub /safedir/priv sha1 yes
creates an RSA keypair for user spock. The public key is to be stored on host startrek.example.com. User spock would presumably use a USB memory stick (or other portable media) to store the corresponding RSA private key. The private key's filename is based on a SHA1 hash, and the private key itself is encrypted with a passphrase.
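An added example, not part of pamrsakp or the original page: a shell check that walks a privdir tree and reports private keys that lack passphrase encryption or are readable by group or others. It assumes the keys are PEM files as OpenSSL writes them; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Audit a pam_rsa privdir for weakly protected private keys (added example).
# Assumption: keys are PEM files; the page does not state the on-disk format.

# key_state FILE -> prints encrypted | plaintext | not-a-key
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" 2>/dev/null; then
        echo encrypted                      # PKCS#8 encrypted container
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null; then
        # Traditional PEM records encryption in a Proc-Type header
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo plaintext
        fi
    else
        echo not-a-key
    fi
}

# audit_privdir DIR -> one line per finding; returns 1 if anything was found
audit_privdir() {
    findings=$(find "$1" -type f | while IFS= read -r f; do
        state=$(key_state "$f")
        if [ "$state" = not-a-key ]; then continue; fi
        # Names may be SHA1 hex strings, so classify by content, not by name
        if [ "$state" = plaintext ]; then echo "UNENCRYPTED $f"; fi
        # Characters 5-10 of the ls mode string are the group/other bits
        if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "LOOSE-PERMS $f"
        fi
    done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# make_sample DIR: constructed key files (placeholder bodies, not real keys)
make_sample() {
    mkdir -p "$1/hostdir"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' > "$1/hostdir/good"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END RSA PRIVATE KEY-----' > "$1/hostdir/plain"
    cp "$1/hostdir/good" "$1/hostdir/loose"
    chmod 600 "$1/hostdir/good" "$1/hostdir/plain"
    chmod 644 "$1/hostdir/loose"
}

# Audit the directory given on the command line, if any
if [ "$#" -gt 0 ]; then audit_privdir "$1"; fi
```

Run it against the mounted portable media that holds privdir; a non-zero exit status means at least one key needs attention.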
- /etc/security/pamrsakp.cnf
pamrsakp's OpenSSL defaults
This script requires bash and will probably explode if any other shell is used.
pam_rsa(8)
Vesa-Matti Kari
email: pamrsa-bugs@laamanaama.helsinki.fi