Google PAM Module
This package implements a Python PAM module to authenticate users against a Google domain. The following features are provided:
Select any Google domain.
Allow only users from a certain group.
A script to install all Google users as system users.
Password caching using files or memcached.
Advanced logging setup.
The code was inspired by the python_pam.so examples and the TracGoogleAppsAuthPlugin trac authentication plugin.
Configuring Google PAM on Ubuntu 12.04 LTS
Install a few required packages:
# apt-get install python-setuptools python-gdata python-bcrypt \
      python-memcache libpam-python
Now install cipher.googlepam using easy_install:
# easy_install cipher.googlepam
Add all users to the system:
# add-google-users -v -d <domain> -u <admin-user> -p <admin-pwd> \
      -g <google-group> -a <system-admin-group>
Note: Use the -h option to discover all options.
Create a /etc/pam_google.conf configuration file:
[googlepam]
domain=<domain>
admin-username=<admin-user>
admin-password=<admin-pwd>
group=<google-group>
excludes = root [<user> ...]
prompt = Google Password:
cache = file|memcache

[file-cache]
file = /var/lib/pam_google/user-cache
lifespan = 1800

[memcache-cache]
key-prefix = googlepam.
host = 127.0.0.1
port = 11211
debug = false
lifespan = 1800

[loggers]
keys = root, pam

[logger_root]
handlers = file
level = INFO

[logger_pam]
qualname = cipher.googlepam.PAM
handlers = file
propagate = 0
level = INFO

[handlers]
keys = file

[handler_file]
class = logging.handlers.RotatingFileHandler
args = ('/var/log/pam-google.log', 'a', 10*1024*1024, 5)
formatter = simple

[formatters]
keys = simple

[formatter_simple]
format = %(asctime)s %(levelname)s - %(message)s
datefmt = %Y-%m-%dT%H:%M:%S

The file contains the Google admin password in plain text, so hide its contents from curious users:
# chmod 600 /etc/pam_google.conf
Put the Google PAM module in a sensible location:
# ln -s /usr/local/lib/python2.7/dist-packages/cipher.googlepam-<version>-py2.7.egg/cipher/googlepam/pam_google.py /lib/security/pam_google.py
Enable pam_google for all authentication. Add the following rule as the first rule in file /etc/pam.d/common-auth:
auth sufficient pam_python.so /lib/security/pam_google.py -c /etc/pam_google.conf
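An added example, not part of the cipher.googlepam package: a Python 3 check that the configuration file from the steps above is readable only by its owner, that root is listed in excludes, and that an enabled file cache is not group- or world-accessible. The name audit_conf, the sample values, and the policy that the cache file should be as restricted as the config file are assumptions made here.

```python
import configparser
import os
import stat

# Constructed sample using keys from the config shown above; values are placeholders.
SAMPLE_CONF = """\
[googlepam]
domain = example.com
admin-username = admin
admin-password = not-a-real-password
excludes = root
cache = file
[file-cache]
file = /var/lib/pam_google/user-cache
[formatter_simple]
format = %(asctime)s %(levelname)s - %(message)s
"""


def audit_conf(path):
    """Return a list of findings for a pam_google config file (empty = clean)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is mode %o; it holds admin-password, use 600" % (path, mode))
    # interpolation=None: with the default interpolation, fetching a value such
    # as the logging format's %(asctime)s raises an interpolation error.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path)
    main = cp["googlepam"] if cp.has_section("googlepam") else {}
    if "root" not in main.get("excludes", "").split():
        findings.append("root is not in excludes")
    if main.get("cache") == "file":
        cache = cp.get("file-cache", "file", fallback=None)
        if cache and os.path.exists(cache):
            cmode = stat.S_IMODE(os.stat(cache).st_mode)
            if cmode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("password cache %s is mode %o" % (cache, cmode))
    return findings


if __name__ == "__main__":
    import sys
    for finding in audit_conf(sys.argv[1] if len(sys.argv) > 1 else "/etc/pam_google.conf"):
        print("FINDING:", finding)
```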
CHANGES
1.3.0 (2012-04-24)
Added the ability to cache authentication results, since some uses, such as Apache authentication, can cause a lot of requests. File- and memcached-based caches have been implemented and are available/configurable in the configuration file.
Fully stubbed out the Google API for faster and simpler testing.
Removed all traces of Cipher’s specific account details.
Changed all headers to ZPL.
The package is ready for public release.
1.2.0 (2012-04-17)
Do not fail if the username already exists.
1.1.0 (2012-04-17)
Make the admin group configurable.
1.0.0 (2012-04-17)
PAM module authenticating against users in a group of a particular Google domain.
Script to add all users of a group within a Google domain as system users.