This binary implements the client side of the GLOME Login protocol. It is written to be a replacement of login(1).
- Create a configuration file, see example.cfg.
- Try it out by running
glome-login -c glome.cfg -- root
In order to reduce external dependencies, a custom parser is used to read the configuration file. The parser supports a simplified version of the INI syntax with the following limitations:
- Quoting and escaping is not supported.
- Comments are allowed only at the start of the line and can
begin with either
#or;.
The installation is dependent on what system you are running.
Create a override file for the getty instance e.g. in
/etc/systemd/system/serial-getty@.service.d/glome.conf.
[Service]
ExecStart=
ExecStart=-/sbin/agetty -l /usr/local/sbin/glome-login \
-o '-- \\u' --keep-baud 115200,38400,9600 %I $TERM
Alternatively or for a normal VTY, use
/etc/systemd/system/getty@.service.d/glome.conf.
[Service]
ExecStart=
ExecStart=-/sbin/agetty -l /usr/local/sbin/glome-login \
-o '-- \\u' --noclear %I $TERM
glome-login uses error tags to communicate errors.
This error means that glome-login could not figure out what service key to
use. This most likely means that you have not specified a service key in the
configuration file (by default /etc/glome/config).
pam_glome.so library implements the PAM authentication module for the
GLOME Login protocol.
- Install the library into the system dependent location for PAM modules
(for example
/lib/security/pam_glome.so). - Enable and configure PAM module for a specific service (for example
/etc/pam.d/login):
auth requisite pam_glome.so
PAM module supports the following options:
config_path=PATH- location of the configuration file to parse (defaults to/etc/glome/config)key=KEY- use hex-encodedKEYas the service key (defaults to key from configuration file)key_version=N- useNfor the service key version (defaults to key version from configuration file)prompt=PROMPT- challenge prompt (defaults to prompt from configuration file)debug- enable verbose loggingprint_secrets- enable logging of secrets (INSECURE!)host_id=NAME- useNAMEas the host-idephemeral_key=KEY- use hex-encodedKEYinstead of the ephemeral secret key (INSECURE!)
PAM module uses error tags to communicate errors in the syslog messages.
Dockerfile included in the repository creates a Docker image that can be used
to test glome-login and the PAM module.
Docker image for GLOME needs to be built first using the following command:
$ docker build -t glome -f kokoro/docker/Dockerfile .
Container is than started in the background with two TCP ports published to the host:
$ container=$(docker run -d -p 2022:22 -p 2023:23 glome)
Once the container is running it is possible to login using netcat or
socat, for example:
$ socat tcp-connect:localhost:2023 file:`tty`,raw,echo=0
Regular SSH client can be used for testing the PAM module:
$ ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -p 2022 root@localhost
Authorization code required for GLOME Login can be obtained by running:
$ docker exec $container /usr/local/bin/glome login --key /usr/local/etc/glome/private.key https://glome.example.com/v1/...