Professional Documents
Culture Documents
Issue 1.4
April 2009
Contents
1. Introduction 1
2. Reference Material 1
3. The Linux PAM 2
3.1 Overview 2
3.2 PAM Configuration File Structure 4
3.3 PAM Modules 6
3.4 Related Modules 9
3.5 PAM Configuration File Content 10
3.6 Constraints and Recommendations 14
4. Communication Manager Default PAM Files 15
5. Configuration file for "su" 16
6. Making Changes 17
7. RAMDISK 19
8. Recovery 19
9. User Login Characteristics 19
10. Home Directories 20
11. Configuring Multiple Servers 20
12. Tested AAA Server Configurations 22
12.1 LDAP / NSS / NSCD 22
12.1.1 Open LDAP 22
12.1.2 OpenLDAP Server 27
12.1.3 Other LDAP servers 30
12.2 RSA SecurID 32
12.3 SafeWord 34
12.4 RADIUS 38
12.5 Other Configurations 40
13. Other PAM Features 40
13.1 pam_access 40
13.2 pam_cracklib 41
13.3 Login Messages (pam_issue and pam_motd) 42
13.3.1 pam_issue 43
13.3.2 pam_motd (Message of the Day) 43
13.3.3 SSH 43
13.3.4 Telnet 44
13.3.5 HTTP 44
13.3.6 FTP/SFTP 45
13.4 pam_lastlog 45
13.5 pam_limits 45
13.6 pam_tally 45
13.7 pam_time 46
1. Introduction
This document provides an overview of the processing of administrator logins in Communication Manager (CM).
Beginning with release 4.0, customer access to the Linux Pluggable Authentication Module (PAM) subsystem’s
configuration files is supported. The PAM subsystem controls user1 login processing. Both local host accounts as well
as Authentication, Authorization, and Accounting (AAA) via an external server (e.g. LDAP) are supported.
In releases prior to Communication Manager 4.0, all logins were required to be local host accounts and login
administration was accomplished through the Communication Manager System Administration Terminal (SAT)
interface. Beginning in CM4.0, the requirement that all logins be local host accounts is removed for most accounts,
and management of user accounts is removed from the SAT. Standard Linux commands (e.g. useradd) plus enhanced
"wrapper" commands (e.g. cmuseradd) as well as web pages are provided to configure logins appropriate to the CM
platform.
Note that this document is not a programming or administration manual. Rather, it is a collection of information
related to the supported features and configuration of the PAM subsystem as it pertains to a Communication Manager
server. Administrators will need to study the PAM Administrator’s Guide, documentation for individual PAM modules,
documents for the applications running on external servers, and the Administrator Guide for Avaya Communication
Manager before attempting to administer this aspect of a CM server. Root access to the CM server is required to
perform this administration.
This document is targeted at experienced Linux administrators.
The information in this document and the features described apply specifically to Communication Manager servers.
This information specifically does not apply to the Server Availability Management Processor (SAMP) card present in
selected Communication Manager servers.
2. Reference Material
Key documentation on PAM can be obtained from the kernel web site here:
http://www.kernel.org/pub/linux/libs/pam/
There are 3 PAM documents of interest on the kernel site:
• The System Administrators’ Guide:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html
• The Module Writers’ Manual:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_MWG.html
• The Application Developers’ Manual:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_ADG.html
The original RFC for PAM can be obtained form the Open Group web site here:
• http://www.opengroup.org/tech/rfc/mirror-rfc/rfc86.0.txt
LDAP documents:
• http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html
• http://www.faqs.org/docs/Linux-HOWTO/LDAP-Implementation-HOWTO.html
• http://www.ldapman.org/articles/
• http://www-128.ibm.com/developerworks/linux/library/l-openldap/
An LDAP Server and associated tools
• http://www.openldap.org
1. Throughout this document "user" refers to administrative logins and specifically excludes telephone users.
2. RSA SecurID® is a registered trademark of RSA Security®. SafeWord® is a registered trademark of Secure Computing.
PAM Modules
Module Config
Files
config
Figure 1. PAM
Not every point of access into the server "talks" to the PAM engine directly as Figure 2. on page 4 illustrates. The direct
CM SAT interface (def-sat), secure FTP (sftp), tftp, and telnet (in.telnet) are accessed through xinet.d and in turn all
use a module named login to handle logins. Getty, which listens on serial ports in a general Linux system, also uses
login. Other modules such as PPP and SSH are "PAM-ified" and talk to the PAM engine directly. These modules are
PAM Applications. You will notice that http.d is crossed out. Although http.d can use the PAM subsystem, the web
pages in Communication Manager are themselves PAM applications and do user authentication directly as opposed
PAM Applications
def-sat ppp.d
PAM Modules
vsftpd ssh.d
xinet.d
PAM securetty
in.tftpd
login Module Config
Files
in.telnetd
su config
getty http.d
3. This is not strictly true. The PAM modules to support RSA SecurID and SafeWord are not provided. To use one of these services directly
from the Communication Manager server (as opposed to being behind a RADIUS or LDAP server), a license must be purchased from RSA
Security® or Secure Computing respectively, and the client software installed on the Communication Manager server in the field.
Accounting
Password
Session
Each configuration file is a flat text file with lines containing 4 fields separated by white space as follows:
module-type control-flag module-path arguments
Table 2 indicates the content of each of the fields in each line in a configuration file.
• The first field, Module Type, identifies one of the 4 sections of the configuration file and must contain one of the
values shown in column 1 of Table 2 . Lines pertaining to auth appear at the beginning of the file, followed by lines
for account, password and session.
• The third field contains the PATH to the PAM module to be invoked. If the supplied PATH does not begin with
a slash, the module must be stored in /lib/security.
• The fourth field contains arguments to be passed to the PAM module identified in the module path and
documentation for the specific module must be consulted for details. The second field is the most complicated and
must contain one of the keywords shown4.
The PAM engine processes entries in each section of a configuration file in the order in which they appear in the file.
The value of the control flag (field 2) affects how the lines are processed as follows:
required If the control flag has the value required, then the PAM module identified on this line must
return success for this section of the PAM processing to succeed. If this PAM module returns
4. Actually, the keywords are short hand for a more precise set of specific keyword value pairs. Most of the time these short-hand keywords are
all that is needed. Consult the PAM Administrator’s Guide for complete details.
Important! Communication Manager is built upon the Linux operating system from Red Hat. Red Hat delivers
operating system components in files known as Red Hat Package Manager (RPM) files. RPM files are somewhat like a
sophisticated version of ZIP files and contain the software as well as scripts to install it in appropriate places and
perform other tasks. Although Communication Manager does not load all the RPMs available from Red Hat, when
Communication Manager needs some portion of the software in an RPM, the entire RPM is usually loaded. If the
RPM contains components that are not used by Communication Manager, these components are usually still loaded
but just never configured to be used. This is done to manage deliveries from Red Hat in an economical manner.
Components within an RPM may have cross linkages such that even though a given component is not used directly,
it may use another component "under the covers". Additionally, contents of RPMs may change from operating system
release to release. It is therefore much safer (bug-wise) and less work to just load the entire RPM. It also allows security
updates to be provided more quickly than would be possible if Avaya repackaged the RPM. An exception is made to
this policy if such action would introduce a security vulnerability.
The RPM for PAM modules delivers a number of components that Communication Manager does not use or that
may not be appropriate for use on Communication Manager. For example, the module pam_xauth is related to
X-windows which Communication Manager does not support. Table 3. on page 7 illustrates the PAM modules that
might be resident in /lib/security. However, just because the module is here doesn’t imply that its use is recommended
or supported. Comments in the table identify PAM modules not suited for use with Communication Manager.
In addition to the above PAM modules, modules for RSA SecurID and SafeWord may be loaded in the field. These
modules are licensed and must be obtained from their respective vendors.
is not complete and specific arguments are omitted for clarity. Lines marked as optional are added or removed to
support specific behavior or external AAA servers. In particular pam_external_AAA_goes_here is a place holder for
something like PAM_LDAP. The notation (optional) is not a parameter but indicates that the entry is optional in the
PAM configuration. The following points are worth noting:
• The appearance of pam_asg twice is NOT a typographical error or mistake! The two lines must be entered in
the order shown and can then be considered to act in unison as a single module. Logins that are ASG logins
must not be processed by subsequent modules; the double entry implements this constraint while allowing
non-ASG logins to be processed normally.
• As explained in the previous section, order of lines in this file is very important; lines are processed in each
section in the order in which they appear in the file.
Login: joesmo
Screen 1
Password: ******
In this case the user, joesmo, is completely unaware that pam_asg was called. A "normal" password set of
prompts appears. If the ID is found by pam_asg, then pam_asg will prompt the user with a challenge and the
user will see Screen 2 instead of Screen 1:
Login: joesmo
Challenge: 651-9306 Product ID: 1000000001
Screen 2
Response:
In either case (ASG login or password login), the user sees a "normal" prompt sequence which matches the
user’s expectations.
Case 2 pam_unix will prompt the user for an ID and a password; the user will see a screen like
Screen 1 above. Pam_unix will then attempt to find the user in the /etc/passwd,
/etc/shadow files. If the ID is found, the user will experience a "normal" login sequence.
However, if the ID is not found, pam_asg will be called and be passed both the ID and
password. If pam_asg finds this user in the ASG data base, pam_asg will ignore the
entered password and prompt with an ASG one-time-password challenge. If this user is
expecting to be authenticated via ASG, then the user is expecting a screen like Screen 2.
However, the user will first see a screen like Screen1 above; pam_unix will wait for the
user to enter a password. Since the user does not have a "password", the user will not
Login: joesmo
Screen 3 Password: *****
Challenge: 651-9306 Product ID: 1000000001
Response:
Although confusing to a user, the user might make a guess, enter a return to the password
prompt, see the expected challenge, and log in successfully. Automated services tools,
however, would not make such a guess and would fail to log in. These tools would have
to be re-programmed to get past this situation.
• Pam modules that are capable of prompting the user for an ID or password generally accept two parameters,
try_first_pass and use_first_pass. These parameters control how the module prompts the user when multiple
pam_modules that might prompt the user are active in the PAM configuration file. Generally the first mod-
ule that prompts the user (must be pam_asg for Communication Manager) is not configured with either
parameter and subsequent modules are configured with "use_first_pass". The first module (pam_asg) passes
the credentials entered by the user to the subsequent modules and these modules use this information to try
to authenticate the user. This causes the user to be prompted once. If the subsequent modules are coded with
"try_first_pass" then they may re-prompt the user again if the passed credentials are not valid.
Pam_asg normally prompts the user for an ID. Pam_asg then looks for this ID in the ASG files on the server.
If the user is found there, then pam_asg handles the user’s validation. However, if the user is not found in
the ASG files, then pam_asg passes the ID to the subsequent modules. Pam_asg supports a special command
line parameter, collect_password, that causes pam_asg to prompt the user for a password if the user is not
found in the ASG files. This password is not used by pam_asg but is passed to the subsequent modules.
If the PAM configuration file is as follows:
auth required pam_asg
auth sufficient pam_asg audit
auth sufficient pam_ldap try_first_pass
and the user is not found in the ASG files, then the user may see a prompt like this:
Login: joesmo
LDAP Password: *****
Login: joesmo
Password: *****
A slightly different situation occurs with pam_securid. Pam_securid does not support the use_first_pass
parameter. So if the PAM configuration file looks like this:
auth required pam_asg
auth sufficient pam_asg audit
auth sufficient pam_securid
Login: joesmo
Enter Passcode:
Login: joesmo
Password:*******
Enter Passcode:
Even if the user enters the correct SecurID credential to the password prompt, they will still see the passcode
prompt and must respond to it with the correct pass code.
A local host account that is neither ASG protected nor SecurID protected will also receive the "Enter Pass-
code" prompt because the pam_securid entry occurs in the mv-auth file before the pam_unix entry. If the
pam_asg line does not contain the "collect_password" parameter, then the user will see the passcode prompt
followed by the password prompt. If the pam_asg line is coded with the "collect_password" parameter, then
the user will see the password prompt first, followed by the passcode prompt. The user will need to enter the
correct password to the password prompt and just enter a return to the passcode prompt in either case. This
is an unfortunate consequence of the way the SecurID module is designed.
• Pam_deny always denies access, when present is the last entry in a section, and its control flag = required.
This means that if all the preceding modules were not able to validate the user, the default behavior is to deny
access. For example, one could have an auth section like this:
auth required pam_env
auth sufficient pam_ldap
auth required pam_deny
In the event that the LDAP server is unreachable, the user is denied access. This example illustrates a particu-
larly bad configuration to make a point. If the LDAP server is not reachable, no one logs into this machine.
A local host account should always be provided so that the machine can be accessed locally regardless of net-
work connectivity. For example:
auth required pam_env
auth sufficient pam_ldap
auth sufficient pam_unix
auth required pam_deny
• The control flag is very important. Generally all entries in a section of the PAM configuration file are not set
to "required". Consider what would happen in the example above if both pam_ldap and pam_unix were set
to "required". The user would have to have a valid password in the local host as well as in the ldap server and
if the ldap server were not reachable for any reason, no one logs in; not even local host accounts.
• Pam_securetty is used to control which ports root may log in from. Ideally, one should never be able to log in
as root directly. Rather, a user should be required to log in first as a non-root user and then "su" to root.
Pam_access provides a more sophisticated and flexible way to accomplish the same goal. Pam_access is used
instead of pam_securetty on all Communication Manager servers because it provides greater flexibility in
configuration.
• Pam_issue is supplied but its use is not recommended. See section 13.3 on page 42 for a more complete dis-
cussion.
The content of the configuration file for the login process looks like this:
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=mv-auth
auth required pam_nologin.so
account required pam_stack.so service=mv-auth
password required pam_stack.so service=mv-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=mv-auth
session required pam_loginuid.so
session optional pam_console.so
#pam_selinux.so open should be the last session rule
session required pam_selinux.so multiple open
In all configuration files, lines beginning with a pound symbol (#) are comment lines. The lines for pam_selinux are
inherited from the Red Hat distribution and not used. Selinux is not supported by Communication Manager due to
serious performance problems with this version of Linux. Notice the lines containing pam_stack.so. These lines invoke
the content of the file mv-auth as described earlier. Normally, only the mv-auth file needs to be changed to use an
external authentication server.
Notice that lines for external AAA servers are included in the configuration but commented out. Note also that in
order to use either RSA SecurID® or SafeWord®, a license must be purchased and the PAM application software
loaded.
Remember that the configuration files for the PAM modules need to be edited for use with the external AAA server.
Recall from section 3.2 on page 4 that there are two ways of specifying the second field in the PAM configuration files.
The simple way uses a single key word such as required or sufficient. The more detailed way uses a series of keyword/value
pairs to more precisely define behavior. The LDAP entry in the account section in Figure 6 is an example. The purpose
of this entry is to reduce the delay time for logins if the LDAP server is not available or the user not known in LDAP.
Configuration here has important implications for policy enforcement. See the following for further discussion.
http://meltin.net/people/martin/publications/polythenepam.pdf
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=55193
# su should not call pam_stack, because mv-auth uses pam_access which will fail when trying to su to root.
6. Making Changes
Important! The PAM subsystem is a very critical component of the system. It controls all user access. The PAM
subsystem is also completely unforgiving. It will do exactly as it is programmed. The problem here is that what the
programmer believes to be the direction and how PAM interprets the instruction may be two completely different
things. The result can be that all administrative users are locked out of the system. A conservative approach to making
changes should be employed. The following conservative guidelines should be considered carefully.
1. Think through and document all changes in advance of making changes on the Communication Manager
server.
2. Perform a full system backup of all configuration files, especially Communication Manager translation files.
3. If at all possible, use a sacrificial PC running the same version of Linux as is used on Communication Man-
ager and test the PAM configuration on that PC first. Only when it is proven on this PC, make changes to
the Communication Manager server.
4. If possible, do initial testing using a non-production AAA server. This will support greater freedom in
enabling debugging or trying solutions that may be more difficult to do on the production server.
5. Make changes via a laptop/PC connected to the Communication Manager server’s dedicated laptop inter-
face. If this is not possible make changes via a laptop/PC co-located with the Communication Manager
server. The tools and procedure will work remotely, but if a network disruption causes the session to be dis-
connected at the wrong time, the Communication Manager server could be rendered inaccessible.
6. Make sure the firewall is open when needed. Specifically, open the firewall ports first before enabling use of
an external AAA service. Close the firewall last when removing use of an external AAA service.
5. The file name mv-auth.local is descriptive, but the file name z is easier to type correctly when under stress.
8. Recovery
In a Linux desktop PC, recovery from serious problems can be accomplished by booting the system into single user
mode. This provides console root access without a password and bypasses the PAM system entirely. However, the
Communication Manager server does not have a console (monitor, keyboard, mouse) and some server versions do not
have a video card present; some do not support a video card (e.g. S8400). For those server models that support adding
a monitor, keyboard and mouse (possibly by adding a video card), a single user boot is a possible recovery mechanism.
Another possibility for recovery is to physically remove the hard drive from the Communication Manager server,
mount this hard drive in Linux PC as a second drive, edit the files on that PC, and finally return the hard drive to the
Communication Manager server. If such a PC is not available, a third recovery option is to boot the server from the
Compact Disk (CD) software distribution and re-install the software from the beginning. A final recovery action is to
return the system to Avaya for repair.
If the Communication Manager server becomes inaccessible due to an incorrect PAM configuration, the process of
recovery can be very painful and result in a serious system outage. A conservative and careful approach to making
changes is recommended.
Logins that are to have access to either the Communication Manager telephony application or the server web pages
must also be a member of exactly one "profile" group. These groups have a default number in the range 10,000 to
10,069 inclusive and are named prof0 through prof69 respectively. This range can be moved via administration on
the server’s web page. For example it could be moved to 20,000 to 20,069. See the Communication Manager
documentation for further information.
The output of the Linux "id" command would look similar to this for the dadmin login, for example.
$ id
uid=2000(dadmin) gid=555(susers) groups=555(susers),10002(prof2)
See also Figure 15. on page 28 for an example LDAP entry for this login. Note that PosixAccounts, PosixGroups and
shadowAccount are required or a suitable mapping provided. Ensure that group names are spelled correctly and the numbers
are as shown above or results may be unpredictable. Also ensure that data entered in the LDAP store is entered consistently with
respect to letter case. A user name entered in upper or mixed case in the PosixAccounts entry but in lower case in the PosixGroups
entry will not work properly. Logins assigned to the remote group should not be members of any other group.
Logins that are members of the susers group have root level access to many commands, including the ability to
create and modify logins. Be aware of this when assigning logins to this group.
All of the files in the special pam_config backup set are included in the security set. When the security set is
restored, special code is used to attempt to prevent loss of data such as might happen when restoring from a prior
release. These special checks are not performed when restoring the pam_config backup set. The files in the backup are
simply copied in place without modification. The pam_config backup set is expressly for manual movement of files to
another server running the same release of software and it is expected that the administrator will ensure correctness
following the restore.
When restoring this backup set on a system running RAMDISK, the following steps must be followed:
CM Server PAM
pam_ldap
LDAP
Network
NSCD NSS Server
undesirable behavior.
Some references on configuring LDAP for user authentication include the following:
• http://www.tldp.org/HOWTO/LDAP-HOWTO/index.html
• http://www.faqs.org/docs/Linux-HOWTO/LDAP-Implementation-HOWTO.html
• http://www.ldapman.org/articles/
• http://www-128.ibm.com/developerworks/linux/library/l-openldap/
12.1.1 Open LDAP
At a very high level, the process for configuring a Communication Manager server to use LDAP authentication
involves the following activities:
6. Sun ONE (Sun Open Net Environment) is a marketing strategy and set of products from Sun Microsystems.
Content of mv-auth, NSS Switch and NSS Cache configuration files for this configuration is illustrated in Figure 9. on
page 24 through Figure 11. on page 24.
There are two configuration files for the LDAP interface. The PAM modules use the configuration file in
/etc/ldap.conf. The LDAP tools (e.g. ldapsearch) use the file in /etc/openldap/ldap.conf. Both ldap.conf files should
contain the same content.
Figure 12. /etc/ldap.conf for openLDAP Figure 13. /etc/ldap.conf for openLDAP
(unencrypted link) (one way authentication)
When configuring the ldap.conf files, the following points are worth noting:
• The host entry generally expects an FQDN rather than an absolute IP address. This creates a depen-
dency on DNS which may not be desirable. An entry for this FQDN can be made in the local
/etc/host file to avoid this dependency. e.g.
111.222.333.444 myldapserver.someplace.com
• Although documentation indicates that an FQDN must be used in the Common Name (CN) of the
certificates, experimentation suggests this is not strictly true. At least for the openLDAP server, the
following is observed:
- The value assigned to "host" in the ldap.conf files must be the same string as assigned to the
CN of the LDAP server’s certificate. That is, the "host" value can be a numeric IP address if
the CN is an IP address or the host can be an FQDN if the CN is an FQDN.
- The openLDAP server does not seem to check the CN of the client’s certificate. i.e. the CN
of the client’s certificate does not have to have an FQDN.
- Your LDAP server may enforce different rules.
• When using two-way authentication with TLS, the Communication Manager server needs a digital
certificate. There are multiple options for this certificate including the following:
1. The certificate already assigned to the Communication Manager server may be used if the
LDAP server will accept a certificate that does NOT have the server’s FQDN in the common
name in the certificate. That is, the Communication Manager certificate contains
Subject: C=US, O=Avaya Inc., OU=Communications Manager, OU=ID-s1-0-1-1, CN=Communication Man-
ager-0-1-1
where the 0-1-1 will vary by server. This type of certificate is acceptable to the openLDAP
server.
7. Perhaps a more modern structure than the one illustrated is to base the DN on the enterprise internet presence. e.g. dn: cn=dadmin ou=Peo-
ple dc=mycompany dc=com for the login, dadmin, at company mycompany.com.
When accounts are created on the local host, the file /etc/login.defs contains default values for these parameters that
are used in the initial account creation only. Parameters are stored in /etc/shadow for each user and /etc/login.defs
has no effect after the login is created.
Host Restriction:
The configurations shown in Figures 9 on page 24 and 12 on page 25 through Figure 15. on page 28 will allow all
users access to all Communication Manager servers that are configured for LDAP authentication. It is possible to
restrict users to specific Communication Manager servers. The ldap.conf file supports the following two configuration
variables:
pam_filter
pam_check_host_attr
The pam_filter variable expects an attribute name and value. Virtually any attribute may be chosen. For example, the
sample user configuration above contains a class, ipHost, which contains the attribute, ipHostNumber. (This is not
shown in the figures but is present in the schema.) If the LDAP entry for a userX has
ipHostNumber = CM_main_serverA
and the ldap.conf file for server someserver.com contains the entry,
pam_filter ipHostNumber=CM_main_serverA,
then userX can log into the server someserver.com. A user configured without this value cannot. This approach has the
advantage that the LDAP schema does not have to be modified if there is a spare attribute in the user’s record and the
disadvantage that the chosen variable is probably not intended for this purpose.
The pam_check_host_attr variable is set to either yes or no. For example,
pam_check_host_attr yes
When set to yes, a user attempting to log in must have a HOST attribute configured and the value of this attribute
must be the FQDN of the server to which the user needs access. This can have one little problem. In the sample LDAP
schema shown above, the user does not have a HOST attribute. Further, the default schema that arrives with
openLDAP does have an account class that has a host attribute, but it is structurally incompatible with class, person.
But to use pam_check_host_attr, the user MUST have a host attribute. The schema must be augmented or modified
to make this possible. There is an existing schema named ldapns.schema available from
http://www.math.ias.edu/doc/nss_ldap-226/ldapns.schema
that includes a host attribute. Copy this schema to the LDAP server, edit the slapd.conf file to include the schema and
restart the LDAP server. Then add the host variable to each user record and assign an FQDN. Multiple host variables
In order to enforce the local host check, the mv-auth file entry for ldap must be configured equivalent to required in
the account section. If the entry is only sufficient, for example, the user will see something similar to the following on
login but will still log in successfully anyway.
Access denied for this host
-bash-3.00$
In this case the user received the denied message but was logged in just fine.
12.1.3 Other LDAP servers
LDAP servers from SUN ONE and Microsoft (Active Directory) are supported using the same PAM_LDAP client as
is used for openLDAP on the Communication Manager server. Configuration files for these servers (/etc/ldap.conf
and /etc/openldap/ldap.conf) have the same structure (but different content) as for the openLDAP server. Active
Directory requires use of a TLS link if the user is allowed to change their password via Communication Manager.
Although the other two LDAP servers do not enforce this condition, TLS should be used. Otherwise, the user’s
password is passed in the clear.
The LDAP.conf file for SUN ONE is shown in Figure 17. on page 31.
8. This link is not valid but is shown here because it is included in the file.
#binddn
uid=root,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot
binddn cn=Directory Manager
bindpw root1234
timelimit 10
bind_timelimit 10
pam_login_attribute uid
#pam_password exop
#pam_password crypt
pam_password clear
nss_base_passwd ou=People,dc=avaya,dc=com
nss_base_shadow ou=People,dc=avaya,dc=com
nss_base_group ou=Groups,dc=avaya,dc=com
#nss_map_attribute rfc2307attributemapped_attribute
nss_map_objectclass rfc2307objectclassmapped_objectclass
#ssl start_tls
#ssl on
tls_cacertfile /etc/aaa/myCA.pem
#tls_reqcert allow
#tls_reqcert demand
tls_reqcert never
tls_cert /etc/aaa/server.pem
tls_key /etc/aaa/server.key
Earlier versions of Active Directory required a special plug-in (AD4Unix) on Active Directory which is described here:
http://www.securityfocus.com/infocus/1563. The ldap.conf file content for that case is illustrated in Figure 18. on
page 32. A separate white paper (available from the same web site as this paper) titled, Avaya CM Login with Windows
Active Directory Services, is available for configuration and setup of the later releases of Active Directory.
nss_base_passwd cn=Users,dc=AAAtest,dc=vita,dc=local
nss_base_shadow cn=Users,dc=AAAtest,dc=vita,dc=local
pam_login_attribute sAMAccountName
pam_filter objectclass=User
ssl on
TLS_CACERT /etc/aaa/adcert.pem
TLS_REQCERT demand
Figure 18. ldap.conf for Microsoft Active Directory
CM Server
PAM PAM
SecurID
/etc/passwd SecurID
pam_securid Server /etc/shadow pam_securid Ntwk Server
/etc/group
Ntwk lacfile
asgfile
pam_ldap
LDAP
Server Each login must have an
NSCD NSS entry in RSA SecurID and in
the local host
CM Server
Each login must have an
Figure 19. RSA SecurID + LDAP entry in LDAP and in RSA Figure 20. RSA SecurID + Local Host
SecurID
Note: LDAP can be used for accounting. If so then, LDAP must be configured as illustrated in
Figures 10 through 14.
Note: The sd_pam.conf file will be installed when the software is installed. In addition to this file, a binary file,
#VAR_ACE :: the location where the sdconf.rec, sdstatus.12 and RSA SecurID files will go
VAR_ACE=/var/ace
#INCL_EXCL_GROUPS :: 1 to always prompt the listed groups for RSA SecurID authentication (include)
# :: 0 to never prompt the listed groups for RSA SecurID authentication (exclude)
INCL_EXCL_GROUPS=0
/var/ace/sdconf.rec, must be generated on the RSA SecurID server and copied to the Communication Manager
server. Consult the RSA SecurID documentation for details.
partition. Prior to the upgrade, edit mv-auth and comment out the use of SecurID. Following the upgrade, after the
system is booted into the new partition, copy the SecurID files from the now off-line partition to the running partition.
If RAMDISK is in use, then
cp /root2/lib/security/pam_securid.so /diskroot/lib/security/pam_securid.so
ln -s /diskroot/lib/security/pam_securid.so /lib/security/pam_securid.so
cp /root2/etc/sd_pam.conf diskroot/etc/sd_pam.conf
ln -s /diskroot/etc/sd_pam.conf /etc/sd_pam.conf
Note that sdconf.rec does not have to be copied because it is in the /var partition which is common to both code
partitions.
If RAMDISK is not in use then:
cp /root2/lib/security/pam_securid.so /lib/security/pam_securid.so
cp /root2/etc/sd_pam.conf /etc/sd_pam.conf
Then edit mv-auth to re-enable use of SecurID. Strictly speaking, mv-auth does not have to be edited as described, but
doing so removes possible problems due to the modules not being present.
If using batch tools such as the upgrade tool to upgrade a number of servers, disable SecurID in mv-auth prior
to invoking the tool, and re-enable after the upgrade.
If using SecurID on a system running IA770 with digital networking, be aware that IA770 uses port 5500 tcp
for message waiting signaling to the IA770 message manager client. The IA770 port cannot be changed. SecurID may
use port 5500 udp by default. This should not be a conflict since IA770 is using TCP and SecurID UDP. However,
if it is desired to avoid the same port all together, it must be changed for SecurID. This is done on the SecurID server.
The sd_pam.conf file must be regenerated and re-installed on the Communication Manager server.
12.3 SafeWord
SafeWord is a token-based authentication method from Secure Computing that provides only for user authentication.
User authorization must be provided either via parallel local host accounts or from LDAP/NSS. If LDAP/NSS is used,
the configuration files for NSS are as shown in Figure 10. on page 24 through Figure 14. on page 26. The PAM
application for SafeWord is not provided on the Communication Manager server. A license for this client must be
purchased from Secure Computing and the software loaded onto the server in the field in /etc/pam_safeword.cfg and
/lib/security/pam_safeword.so.1. These configurations are illustrated in 23 and 24; module configuration files follow.
The sample configuration file contains comments to say that the default port is 7482, but vendor documentation
tested suggested 5030 TCP; verify with vendor documentation for your software.
The safeword files, (pam_safeword.cfg and pam_safeword.so.1) may be distributed on a CD which includes a
JAVA-based installer. Not all Communication Manager servers have a CD drive. This CD must be installed first on a
separate Linux PC and the two files then copied from there to the Communication Manager server.
Note: LDAP can be used for accounting. If so then LDAP must be configured as illustrated in
Figures 10 through 14.
A version of the following file, /etc/pam_safeword.cfg, will be installed when the software is installed.
#
# "/etc/pam_safeword.cfg"
#
# SafeWord PAM module Configuration File
# (for use with /usr/lib/security/pam_safeword.so.1)
#
#
# This file determines several operating parameters for "pam_safeword.so.1".
# It may be edited with any text editor. Values are case sensitive.
#
# Lines beginning with a pound sign "#" are treated as comments (the "#"
When the Communication Manager server is upgraded, the SafeWord software must be re-installed in the new
partition. Prior to the upgrade, edit mv-auth and comment out the use of SafeWord. Following the upgrade, after the
system is booted into the new partition, copy the SafeWord files from the now off-line partition to the running
partition.
If RAMDISK is in use, then
cp /root2/lib/security/pam_safeword.so.1 /diskroot/lib/security/pam_safeword.so.1
ln -s /diskroot/lib/security/pam_safeword.so.1 /lib/security/pam_safeword.so.1
cp /root2/etc/pam_safeword.cfg /diskroot/etc/pam_safeword.cfg
ln -s /diskroot/etc/pam_safeword.cfg /etc/pam_safeword.cfg
Then edit mv-auth to re-enable use of SafeWord. Strictly speaking, mv-auth does not have to be edited as described,
but doing so removes possible problems due to the modules not being present.
If using batch tools such as the upgrade tool to upgrade a number of servers, disable SafeWord in mv-auth prior
to invoking the tool, and re-enable after the upgrade.
12.4 RADIUS
RADIUS provides only for user authentication and accounting. User authorization must be provided either via
parallel local host accounts or from LDAP/NSS. If LDAP/NSS is used, the configuration files for NSS are as shown
in Figures 10 on page 24 through 14 on page 26. This configuration is illustrated in Figures 26 on page 39 and 27 on
page 39. The configuration files for RADIUS are shown in Figures 28 on page 39 and 29 on page 40. Note that
RADIUS uses ports 1812 and 1813 (UDP).
SecurID/ SecurID/
SafeWord
CM Server SafeWord
PAM Server PAM Server
/etc/passwd RADIUS
RADIUS
pam_radius RADIUS /etc/shadow pam_radius Ntwk
/etc/group Server
Server
lacfile
Ntwk asgfile
LDAP
LDAP
NSCD NSS Server
CM Server
Additionally, external services may use LDAP for storage if they are capable and so enabled. How external services store
their data is transparent to Communication Manager.
13.1 pam_access
Pam_access is used to control system access by individual users or groups of users. To use pam_access, it must be
enabled or added to the PAM configuration file (Figure 6. on page 16) and the rules defined in the file
/etc/security/access.conf. Lines in this file have the form:
permission: users: origins
Communication Manager is shipped with a file that contains these lines
# deny all access to the serial port
-:ALL:ttyS0
# block root access everywhere except console ports
-:root:ALL EXCEPT tty0 tty1 tty2 tty3 tty4 tty5 tty6 tty7 tty8
# only members of the group "remote" should be
# allowed to connect via the modem
+:remote:usb/ttyACM0
13.2 pam_cracklib
Pam_cracklib is a module that can be used to force new passwords to have certain characteristics. For example,
• a new password cannot be a palindrome (a word spelled the same in either direction) such as radar.
• a new password cannot be the old password with just case changes.
• a new password cannot be a rotated version of the old one.
• a minimum length can be enforced.
• a new password cannot be too "close" to the old one. For example, new password equal the old pass-
word with only one character changed.
• a new password can be forced to have a mix of characters (letters, numbers, specials).
• a new password cannot be one that has been recently used. The number of recently used passwords
saved is controlled by the "remember" parameter for pam_unix in the password section of mv-auth.
e.g. password pam_unix remember=10. By default none are saved.
Pam_cracklib is already enabled in the default mv-auth file. There is no configuration file; behavior is controlled
entirely by arguments on the cracklib invocation line. Cracklib parameters are rather obtuse. Hopefully, the following
doesn’t add to the confusion.
Cracklib has two kinds of rules, internal compiled-in rules and rules which may be manipulated via command line
parameters. The internal rules cannot be changed except by recompiling cracklib and include the following.
1. Passwords that are palindromes are never permitted
2. A new password must be different from the old password
3. The difference between the old and new passwords cannot be just a change of case (upper to lower or lower
to upper).
4. A new password cannot be a scramble of the old password or a rotated version of the old one.
5. The password cannot be too simple. For example aaaaaa.
6. The password cannot be a word in a built-in cracklib dictionary of common words stored in
/usr/lib/cracklib_dict. (binary file)
7. The new password cannot be one previously used (stored in /etc/security/opasswd).
8. The password must be a minimum of 6 characters log.
In addition to the built-in rules, cracklib accepts the following parameters on its command line:
There is a built in rule in cracklib that passwords must be at least 6 characters long. This rule takes precedence over
any other rules regarding password length. The minimum required length can be increased beyond 6 by changes to
the last 5 parameters in Table 6. on page 41. All 5 parameters affect the minimum length together.
The parameter minlen (minimum length) looks to be the minimum length for a password, but it is not. The minimum
acceptable length of a password is also influenced by dcredit, ucredit, lcredit, and ocredit. These parameters can have
either positive or negative values in any combination. Positive values for these parameters reduce the minimum length
requirement. Negative values will be explained shortly. This is best illustrated with a simple example. Consider the
following pam_cracklib configuration:
password required /lib/security/pam_cracklib.so retry=3 minlen=10 dcredit=3 lcredit=0 ucredit=0 ocredit=0
If a user enters a password of 10 random lower case characters, the password will be accepted. However, if the user
enters a password with 4 random lower case letters intermixed with 3 digit characters, the 7-character password is
accepted. That is, dcredit=3 reduces the length required for each digit present in the password up to 3. The password
can have more than 3 digits, but the additional digits will not affect the minimum length requirement. Similar rules
apply for lcredit, ucredit, and ocredit. If cracklib is configured like this,
password required /lib/security/pam_cracklib.so retry=3 minlen=12 dcredit=1 lcredit=1 ucredit=1 ocredit=1
then an 8 character password will be accepted provided it has 1 upper, 1 lower, 1 digit, and 1 special character. It will
obviously have to have more than 1 of at least one type of these characters in order to achieve a length of 8. So the
following password would be accepted
4A3d.wpq
even though minlen=12 and the password is only 8 characters long. Notice that even though there are 2 digits in the
password, it still has to be 8 characters long because dcredit=1. If dcredit had been set to 2, a 7 character password
containing 2 digits would have been acceptable.
Notice that the "credit" parameters did not force the user to have a password with a particular character composition.
The user was simply allowed to choose a shorter password if the specified characters were used.
It is possible to force the password to contain a mix of characters by setting one or more of the "credit" parameters to
a negative value. The following configuration,
password required /lib/security/pam_cracklib.so retry=3 minlen=10 dcredit=-3 lcredit=0 ucredit=0 ocredit=0
will require passwords to be a minimum of 10 characters long and also require 3 of the characters to be digit characters.
The configuration
password required /lib/security/pam_cracklib.so retry=3 minlen=10 dcredit=-3 lcredit=0 ucredit=0 ocredit=2
would require passwords to contain 3 digits. If the password also contains 2 special characters, then the length may be
as short as 8; if no special characters are used, then the length must be 10.
Note: Because there is a built in minimum length of 6, one may encounter unexpected results when setting the
minlen=6 in combination with "credit" values. For example, minlen=6 dcredit=-1 (that’s a minus 1) should allow a
password of kdu8rg but it doesn’t. However, minlen=8 dcredit=-1 will accept a password of kdu8rgbd. This is called a
bug.
recommended. Other means for displaying the issue message are described below.
For new system installs, Communication Manager will install a file named /etc/issue.avaya in the active partition and
then copy this file to /etc/issue, again in the active partition. The issue.avaya file contains some default text that may
be used as desired. On an upgrade, a new /etc/issue.avaya will be installed from the distribution. If an /etc/issue file
exists in the current running partition, it will be copied unmodified to the new partition. If it does not exist, then the
/etc/issue.avaya file will be copied to /etc/issue in the new partition. A restore to defaults will copy /etc/issue.avaya
to /etc/issue and overwrite any changes that may have been made there.
Note that the client that is used to access the system can also affect when, how, and if the user sees the issue message.
13.3.2 pam_motd (Message of the Day)
Pam_motd is used in the session section of the PAM configuration file. Pam_motd displays the content of a text file in
/etc/motd to a user AFTER successful login. To use this feature, edit the desired text into /etc/motd and then
uncomment (or add) the pam_motd line in the PAM configuration file. See Figure 6. on page 16. Note also text
restrictions described in section 3.5 on page 10.
13.3.3 SSH
The SSH daemon is configured via the file, /etc/ssh/sshd_config. There are three entries in this file that are of interest
with regard to login message display:
PrintLastLog no
PrintMotd no
Banner /etc/issue
The line PrintLastLog yes, will cause a line of the following form to appear immediately after a successful login:
Last login: Mon Jul 17 11:37:10 2006 from someplace.dr.avaya.com
This line appears regardless of the configuration of pam_lastlog in the PAM configuration files. If the line
session required /etc/security/pam_lastlog never
is added to mv-auth, then two such lines will be displayed on login. The line from pam_lastlog will look similar to this:
Last login: Mon Jul 17 15:04:50 2006 from someplace.dr.avaya.com on pts/2
is added to the mv-auth file, the message of the day will be displayed twice. The two mechanisms work independently.
The line, Banner /etc/issue, will cause the content of the file /etc/issue to be displayed. Any file can be specified on
the Banner line. However, SSH will display the content of the /etc/issue file first, followed by whatever file is named,
if it is different from /etc/issue. If the named file is /etc/issue then its is displayed only once. Exactly when this file
is displayed depends on the client but it is usually seen by the user between entering their user name and password.
Placing a call to pam_issue in the mv-auth file has no effect on SSH. i.e. SSH is not integrated with pam_issue.
See also the discussion regarding interactions with pam_tally in section 13.6 on page 45.
13.3.4 Telnet
Telnet is not a "pam-ized" application. As illustrated below, Telnet uses the login process to process user logins. This
PAM Modules
Module Config
Files
config
means that the user experience during login is a combination of the characteristics of the telnet daemon, in.telnetd,
and the login process. The in.telnetd daemon is hard coded to display the content of /etc/issue.net prior to the login
prompt. Additionally, the telnet daemon seems to be incompatible with use of pam_issue entirely. Adding pam_issue
to the mv-auth file prevents a user from logging in via telnet at all. If telnet is to be used, /etc/issue should be copied
to /etc/issue.net, assuming the messages are to be the same, and pam_issue not used.
By default, login will display the time of last login from /var/log/lastlog, and will also display the message of the day
file from /etc/motd. However, if a zero length file named .hushlogin (note first character is a period) is in the user’s
home directory, then login will not display this information.
Additionally, if the following lines are placed in the mv-auth file,
session required /etc/security/pam_lastlog never
session required /etc/security/pam_motd
the user will see the time of last login and message of the day from these entries. That is, if the .hushlogin file is NOT
present, the user would see the time of last login and message of the day twice, once from the login process and again
from the PAM entries. Telnet has the same behavior as SSH regarding display of time of last login when both methods
are employed.
13.3.5 HTTP
The web pages for the Communication Manager server are hard coded to display the content of the /etc/issue file on
the "home" page and display the /etc/motd file after successful login. The only way to remove this display is to remove
the files.
13.4 pam_lastlog
Pam_lastlog can be used to display a message to the user at login time to tell the user the time of their last login to this
system. Pam_lastlog keeps track of user logins in the file /var/log/lastlog. To use this feature, uncomment the lastlog
entry or add it to the mv-auth configuration file (Figure 6. on page 16). Pam_lastlog accepts several parameters to
control the message it displays; see the PAM Administrator’s Guide for further details. See also notes about SSH and
telnet in sections 13.3.3 on page 43 and 13.3.4 on page 44. Pam_lastlog is required by the unused_login_audit and for
generating reports regarding login activity.
13.5 pam_limits
Pam_limits is used to restrict resources such as the amount of CPU time, number of open files, number of processes,
etc. that a user may access. These limits are more appropriate to a general purpose computing platform than to the
Communication Manager server because these limits are controlled by the Communication Manager application.
Attempting to change these limits via PAM may cause unexpected behavior. There are, however, two limits that can
be set, maxlogins and maxsyslogins. The first controls the maximum number of sessions that may be active
simultaneously for a particular user and the second controls the maximum number of simultaneous sessions for all
users taken together. To use pam_limits to limit the number of sessions, pam_limits must be enabled in the PAM
configuration (Figure 6. on page 16) and the /etc/security/limits.conf file must be edited to set values for maxlogins
or maxsyslogins.
13.6 pam_tally
Pam_tally is used in both the auth and account section of the PAM configuration file and is used to deny access to a
user after N failed login attempts. To use this feature, it must be configured in the mv-auth file (see Figure 6. on
page 16). There is no additional configuration file. However, there are important parameters on the pam_tally line. In
particular the number of unsuccessful attempts should be explicitly set. e.g. deny=5. After this many failed attempts
the account becomes locked and must be reset by a root user via the program /sbin/pam_tally. (Note that this is a
command and is not the same as the pam module of the same name.) If the parameter, unlock_time = T, is set, then
the account will automatically become enabled again, T seconds after it became locked. e.g. unlock_time=600 causes
the account to automatically unlock 10 minutes after it locks. In the standard implementation of pam_tally, there is
no time limit on the number of failed login attempts. That is, if
pam_tally.so deny=3 unlock_time=600
and a user enters a bad password today, stops trying to login, comes back tomorrow and tries one more time
unsuccessfully, stops and comes back the next day and enters a 3rd bad password, the account becomes locked.
Further, the time T starts over if the user tries again while the account is locked.
Avaya has modified pam_tally to accept a new parameter, unlock_reset. If this parameter is present on the pam_tally
line, then both the attempt count and the time are cleared after unlock_time=T seconds of no activity on the next
attempt. That is, if
pam_tally.so deny=3 unlock_time=600 unlock_reset
and the user enters three bad passwords, stops trying for a period longer than 10 minutes, and then tries a 4th time,
the account is unlocked and the count of attempts is set to 1, corresponding to the current attempt. The reset occurs
on the 4th attempt; there is no audit to perform the reset at the time the timer expires. The user can try bad passwords
forever as long as they don’t try faster than once every 10 minutes. If the user tries faster than once every 10 minutes,
There is an interaction between the configuration of the ssh daemon and the deny setting for pam_tally. The ssh
daemon will, by default, deny access for any given session after 6 invalid attempts to log in, regardless of how pam_tally
is configured. The message (for the login "junk") looks something like this:
This may be changed in /etc/ssh/sshd_config by the addition of the parameter MaxAuthTries. From the man page for
sshd_config:
MaxAuthTries Specifies the maximum number of authentication attempts permitted per connection.
Once the number of failures reaches half this value, additional failures are logged. The
default is 6.
If "pam_tally deny=10" in mv-auth were to be configured and the user attempted to login repeatedly with a bad
password, by default, the ssh daemon would display the above message after 6 failed attempts and terminate the
session. If the user starts another session and continues to try, then after 4 more attempts, pam_tally will lock the
account. If the quiet parameter is present on the pam_tally line, the user will not be aware of this lock and may
continue trying until the 12th attempt, at which point the ssh daemon will display the message and terminate the
session. If the quiet parameter is not present, then the user will see "Account Locked" for each invalid attempt after
10 (in this example).
13.7 pam_time
Pam_time is used to control access based on time of day and day of week. To use pam_time, it must be enabled or
added to the PAM configuration file (Figure 6. on page 16) and the rules defined in the file /etc/security/time.conf.
© 2006 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. or Avaya ECS Ltd., a wholly owned
subsidiary of Avaya Inc. and may be registered in the US and other jurisdictions. All trademarks identified by ® and TM are registered
trademarks or trademarks, respectively, of their owners.
• cert.cnf
• serial
• index.txt
First create the configuration file and edit as needed for your particular situation. Then run the makeCA script to
create a root and name it myCA. Next run the makeServer script to create a certificate for a server.
openssl x509 \
-text \
-in myCA.pem \
-out myCA.txt
ServCert=$1
if [ -z $ServCert ]; then
echo " USAGE: makeServerCert <CertName> "
exit 1
fi
echo ""
echo ""
echo "(1)make a key"
openssl ca \
-verbose \
-days 365 \
-config cert.cnf \
-extensions usr_cert \
-cert myCA.pem \
-keyfile myCA.key \
-in $ServCert.csr \
-out $ServCert.pem
echo ""
echo ""
echo "(4) Creating Text Output of Certificate"
openssl x509 \
-text \
-in $ServCert.pem \
-out $ServCert.txt
[ new_oids ]
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
########################################################
[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name= req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca# The extentions to add to the self signed cert
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString.
# utf8only: only UTF8Strings.
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
# so use this option with caution!
string_mask = nombstr
# Organizational Names:
# Common Name:
commonName = Common Name
commonName_default = myldapserver.someplace.com
commonName_max = 64
[ usr_cert ]
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Certificate Policies
certificatePolicies = ia5org,@capol
[ req_attributes ]
# Nothing here
[ v3_req ]
# Extensions to add to a certificate request
BasicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
certificatePolicies = ia5org,@capol
######################################################
# Extensions for a CA
######################################################
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
# Certificate Policies
certificatePolicies=ia5org,@capol
######################################################
# Extensions for a SA
######################################################
[ v3_sa ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:false
# Key Usage
keyUsage = digitalSignature
extendedKeyUsage = codeSigning
# Certificate Policies
certificatePolicies=ia5org,@capol
#####################################################
# Generic Certificate Policies
#####################################################
[capol]
#policyIdentifier=
#CPS.1=
#userNotice=
[capoln]
#explicitText=
#organization=
#noticeNumbers=
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
[ engine ]
default = openssl
# rsa = openssl
# dsa = openssl
# dh = openssl