It is possible to configure the QCG-Computing service to authenticate users using usernames and passwords provided by the local security context:
<sm:Module xsi:type="sm:ecm_gsoap.service">
  <sm:Host>qcg.example.com</sm:Host>
  <sm:Port>19003</sm:Port>
  <sm:Authentication>
    <sm:Module xsi:type="sm:atc_transport_ssl.service">
      <sm:ServiceAuthentication>
        <sm:X509CertKeyFile>/opt/qcg/etc/qcg-comp/certs/qcgcertkey.pem</sm:X509CertKeyFile>
      </sm:ServiceAuthentication>
    </sm:Module>
    <sm:Module xsi:type="sm:atc_msg_wsse_username.service">
      <sm:UserdirModule>
        <sm:Module xsi:type="sm:userdir_pam"/>
      </sm:UserdirModule>
    </sm:Module>
  </sm:Authentication>
  <sm:Authorization>
    <sm:Module xsi:type="sm:atz_username"/>
  </sm:Authorization>
</sm:Module>
Please note:
- qcgcertkey.pem must contain both the service key and the certificate,
- the <UnprivilegedUser> user used to run the service must be authorized to use the pam_authenticate method (e.g. in case of flat passwd files, the group of the user must have read permission for the /etc/shadow file),
- you must provide a proper PAM configuration for the qcg-compd daemon:
# cat /etc/pam.d/qcg-compd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
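
The three notes above can be checked before starting the daemon. The script below is an added example, not part of the QCG documentation: the function names are hypothetical, the world-readable test on the key file is an extra hardening check that the page does not require, and the script is meant to be run as the unprivileged service user.

```shell
#!/bin/sh
# Added example: pre-flight checks for the notes above. Function names are
# hypothetical; the paths in the usage line are the ones shown on this page.

# 0 if the PEM file holds both a private key and a certificate.
pem_has_key_and_cert() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" &&
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the file is not readable by "other" (added hardening check,
# not a requirement stated on the page).
key_not_world_readable() {
    [ -z "$(find "$1" -prune -perm -004 -print)" ]
}

# 0 if the PAM service file has both an auth and an account entry.
pam_has_auth_and_account() {
    grep -Eq '^[[:space:]]*auth[[:space:]]' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]]' "$1"
}

# Run as the unprivileged service user: qcg_preflight CERTKEY PAMFILE SHADOW
qcg_preflight() {
    rc=0
    pem_has_key_and_cert "$1" || { echo "FAIL: $1 lacks key or certificate"; rc=1; }
    key_not_world_readable "$1" || { echo "FAIL: $1 is world-readable"; rc=1; }
    pam_has_auth_and_account "$2" || { echo "FAIL: $2 lacks auth or account"; rc=1; }
    # Flat passwd files only: pam_authenticate needs read access to shadow.
    [ -r "$3" ] || { echo "FAIL: $3 not readable by $(id -un)"; rc=1; }
    return "$rc"
}

# Usage:
# qcg_preflight /opt/qcg/etc/qcg-comp/certs/qcgcertkey.pem /etc/pam.d/qcg-compd /etc/shadow
```

A non-zero return from `qcg_preflight` means at least one of the prerequisites is not met; each failing check prints its own line.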