Chapter 9.  Authentication in ThinLinc

Table of Contents

9.1. Pluggable Authentication Modules
9.1.1. Configuration files for PAM
9.2. Limitations
9.3. Using Public Key Authentication
9.3.1. Introduction
9.3.2. Key Generation
9.3.3. Server Configuration
9.3.4. Client Configuration
9.4. Using Smart Card Public Key Authentication
9.4.1. Introduction
9.4.2. General Requirements
9.4.3. Key Generation
9.4.4. Server Configuration
9.4.5. Client Configuration
9.4.6. Automatic Connection
9.4.7. LDAP Automatic Update (tl-ldap-certalias)
9.5. Using One Time Passwords
9.5.1. Introduction
9.5.2. General Requirements
9.5.3. Configuration for RSA SecurID

In this chapter we will describe how authentication of users is performed in ThinLinc

9.1.  Pluggable Authentication Modules

Authentication of users in ThinLinc is performed using the Pluggable Authentication Modules (PAM). This means ThinLinc can authenticate users using any system for which there is a PAM module. Examples of PAM modules are pam_ldap for accessing LDAP directories (including Novell NDS/eDirectory) and pam_winbind for authenticating against a Windows Domain. Of course, authentication using the standard plaintext password files of Linux is also possible using the PAM module pam_unix.

If ThinLinc should authenticate against the passwd database on the local host, no configuration at all is needed, since this is how most distributions are configured at installation. However, at many sites there is already some type of existing user database. In this chapter we'll go into detail on how to authenticate ThinLinc users against Windows domains and LDAP databases.

9.1.1.  Configuration files for PAM

PAM is configured by editing the files located in the directory /etc/pam.d/ (at least in the distributions we've tested ThinLinc on).

Different Linux distributions have slightly different ways of configuring PAM. The ThinLinc installation program will setup ThinLinc to authenticate using the same PAM setup as the Secure Shell Daemon, by creating a symbolic link from /etc/pam.d/thinlinc to either /etc/pam.d/sshd or /etc/pam.d/ssh, depending on which of the latter files that exists at installation. This seems to work on most distributions. Be aware that the PAM settings for the Secure Shell Daemon might really be somewhere else. For example, on Red Hat distributions, the file /etc/pam.d/system-auth is included by all other pam-files, so in most cases, that is the file that should be modified instead of the file used by sshd.