2014-12-01 15:04:11 +01:00
== Yubico PAM module
2018-05-02 15:32:10 +02:00
image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"]
2008-01-11 13:41:21 +01:00
2018-05-03 10:59:44 +02:00
The Yubico PAM module provides an easy way to integrate the YubiKey
2008-01-11 13:41:21 +01:00
into your existing user authentication infrastructure. PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
2014-10-29 14:46:11 +01:00
specialized applications such as NCSA MyProxy.
2008-01-11 13:41:21 +01:00
2011-02-16 22:20:38 +01:00
Status and Roadmap
------------------
2008-01-11 13:41:21 +01:00
2011-04-13 15:47:36 +02:00
The module is working for multi-user systems. The primary mode of
operation is by doing online validation using a YubiKey validation
service (such as the YubiCloud, or a private one configured using
2014-04-30 13:39:49 +02:00
the 'urllist' parameter).
2011-04-13 15:47:36 +02:00
In version 2.6, offline validation was also made possible through
the use of HMAC-SHA1 Challenge-Response found in YubiKey 2.2 and
2011-12-12 19:28:37 +01:00
later. This has introduced a dependency of libykpers-1 from the
2014-10-29 16:04:11 +01:00
ykpersonalize package. Pass `--without-cr` to `configure` to avoid
2011-12-12 19:28:37 +01:00
this dependency.
2008-01-11 13:41:21 +01:00
2014-11-20 22:40:55 +01:00
The development community is co-ordinated via
2014-10-29 14:46:11 +01:00
https://github.com/Yubico/yubico-pam[the GitHub project page].
2012-10-04 08:38:28 +02:00
2012-01-23 20:25:06 +01:00
The project is licensed under a BSD license. See the file COPYING for
exact wording. For any copyright year range specified as YYYY-ZZZZ in
this package note that the range specifies every single year in that
closed interval.
2008-01-11 13:52:40 +01:00
2011-02-16 22:20:38 +01:00
Building from Git
-----------------
2008-01-11 13:41:21 +01:00
Skip to the next section if you are using an official packaged
version.
2011-02-16 22:20:38 +01:00
You may check out the sources using Git with the following command:
2008-01-11 13:52:40 +01:00
2011-02-16 22:20:38 +01:00
------
2015-03-13 21:16:57 +01:00
$ git clone https://github.com/Yubico/yubico-pam.git
2011-02-16 22:20:38 +01:00
------
2008-01-11 13:52:40 +01:00
2014-10-29 14:46:11 +01:00
This will create the directory `yubico-pam`.
2008-01-11 13:52:40 +01:00
2014-06-11 16:15:11 +02:00
Autoconf, automake, asciidoc and libtool must be installed to create a
compilable source tree.
2008-01-11 13:41:21 +01:00
Generate the build system using:
2011-02-16 22:20:38 +01:00
------
2014-10-29 16:04:11 +01:00
$ cd yubico-pam
$ autoreconf --install
2011-02-16 22:20:38 +01:00
------
2008-01-11 13:41:21 +01:00
2014-12-01 15:04:11 +01:00
=== Building
2008-06-25 15:49:31 +02:00
2014-12-01 15:04:11 +01:00
You will need to have https://developers.yubico.com/yubico-c-client[libykclient]
2015-03-17 09:32:50 +01:00
(ykclient.h, libykclient.so) and libpam-dev (security/pam_appl.h, libpam.so)
2014-12-01 15:04:11 +01:00
installed. It in turn requires cURL, which you need to have installed, and
2014-10-29 14:46:11 +01:00
https://developers.yubico.com/yubico-c[libyubikey].
2009-03-24 19:33:28 +01:00
2015-01-20 09:19:53 +01:00
The Challenge-Response offline authentication requires libykpers-1
2014-10-29 14:46:11 +01:00
from the
2014-12-01 15:04:11 +01:00
https://developers.yubico.com/yubikey-personalization[yubikey-personalization]
project:
2011-04-13 23:17:27 +02:00
2015-01-20 09:19:53 +01:00
The selftests require perl with the module Net::LDAP::Server installed.
2008-01-11 13:41:21 +01:00
The build system uses Autoconf, to set up the build system run:
2014-12-01 15:04:11 +01:00
./configure
2009-03-24 19:32:58 +01:00
Use --without-ldap to disable ldap support.
2008-01-11 13:41:21 +01:00
Then build the code, run the self-test and install the binaries:
2014-12-01 15:04:11 +01:00
make check install
2011-02-16 22:20:38 +01:00
2014-12-01 15:04:11 +01:00
== Installation
=== Fedora/EPEL
2014-10-31 16:42:03 +01:00
2013-11-26 10:38:06 +01:00
There is already a package in Fedora/EPEL of yubico-pam that can be installed
2014-12-01 15:04:11 +01:00
by using yum:
$ sudo yum install pam_yubico
2008-01-11 13:41:21 +01:00
2014-10-31 16:42:03 +01:00
2014-12-01 15:04:11 +01:00
=== Ubuntu PPA
2011-04-13 15:47:36 +02:00
2012-10-04 08:40:02 +02:00
There is an Ubuntu PPA (Personal Package Archive) for yubico-pam that
2011-04-13 15:47:36 +02:00
can be installed using the following commands on reasonably modern
Ubuntu platforms :
2012-11-13 14:51:15 +01:00
$ sudo add-apt-repository ppa:yubico/stable
2011-04-13 15:47:36 +02:00
$ sudo apt-get update
2011-12-14 13:11:12 +01:00
$ sudo apt-get install libpam-yubico
2011-04-13 15:47:36 +02:00
2014-12-01 15:04:11 +01:00
See the file `/usr/share/doc/libpam-yubico/README.Debian` after installing.
=== FreeBSD ports
2011-04-13 15:47:36 +02:00
2013-12-01 00:24:02 +01:00
yubico-pam and the supporting Yubico packages have corresponding FreeBSD ports. To install:
$ cd /usr/ports/security/pam_yubico
$ make install clean
2014-10-29 15:29:10 +01:00
Advanced configuration notes are available http://mjslabs.com/yubihow.html[here].
2013-12-01 00:24:02 +01:00
2011-04-13 15:47:36 +02:00
2011-02-16 22:20:38 +01:00
Configuration
-------------
2008-01-11 13:41:21 +01:00
Install it in your PAM setup by adding a line to an appropriate file
2014-10-29 14:46:11 +01:00
in `/etc/pam.d/`:
2008-01-11 13:41:21 +01:00
2014-10-31 16:42:03 +01:00
----
2015-03-06 20:05:52 +01:00
auth sufficient pam_yubico.so id=[Your API Client ID] debug
2014-10-31 16:42:03 +01:00
----
2008-01-11 13:41:21 +01:00
2011-04-11 15:53:02 +02:00
and move pam_yubico.so into /lib/security/ (or wherever PAM modules
live in your system) :
2008-01-11 13:41:21 +01:00
2014-10-31 16:42:03 +01:00
----
mv /usr/local/lib/security/pam_yubico.so /lib/security/
----
2008-01-11 13:41:21 +01:00
2015-10-05 10:07:56 +02:00
For more information, see the project documentation.
2009-01-13 15:11:09 +01:00
2008-01-11 13:41:21 +01:00
Supported PAM module parameters are:
2014-12-01 15:04:11 +01:00
[horizontal]
2014-10-29 14:55:40 +01:00
authfile::
To indicate the location of the file that holds the
2018-05-03 10:59:44 +02:00
mappings of YubiKey token IDs to user names.
2009-05-11 12:05:20 +02:00
2015-03-06 20:05:52 +01:00
id::
Your API Client ID in the Yubico validation server.
2015-03-06 20:07:19 +01:00
If you want to use the default YubiCloud service,
2015-03-06 20:05:52 +01:00
go https://upgrade.yubico.com/getapikey[here].
2011-04-11 15:53:02 +02:00
2014-10-29 14:55:40 +01:00
key::
To indicate your client key in base64 format.
The client key is also known as API key, and provides
integrity in the communication between the client (you)
and the validation server.
If you want to get one for use with the default YubiCloud
service, go https://upgrade.yubico.com/getapikey[here].
2009-05-11 12:05:20 +02:00
2016-06-16 12:35:30 +02:00
debug:: to enable debug output.
2016-06-22 10:19:31 +02:00
debug_file:: filename to write debug to, file must exist and
be a regular file. stdout is default.
2009-05-11 12:05:20 +02:00
2014-11-20 22:40:55 +01:00
alwaysok::
2014-10-29 14:55:40 +01:00
to enable all authentication attempts to succeed
(aka presentation mode).
2009-03-24 12:13:57 +01:00
2014-10-29 14:55:40 +01:00
try_first_pass::
Before prompting the user for their password, the module
first tries the previous stacked module´ s password in case
that satisfies this module as well.
2009-03-24 12:13:57 +01:00
2014-10-29 14:55:40 +01:00
use_first_pass::
The argument use_first_pass forces the module to use a previous
stacked modules password and will never prompt the user - if no
password is available or the password is not appropriate, the user
will be denied access.
2009-03-24 12:13:57 +01:00
2017-02-26 17:53:46 +01:00
nullok::
If set, don't fail when there are no tokens declared for the user
in the authorization mapping files or in LDAP.
This can be used to make YubiKey authentication optional unless
the user has associated tokens.
2014-10-29 14:55:40 +01:00
urllist::
List of URL templates to be used. This is set by calling
ykclient_set_url_bases. The list should be in the format :
`https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify`
2014-04-30 13:39:49 +02:00
2014-10-29 14:55:40 +01:00
url::
2014-10-29 14:58:32 +01:00
This option should not be used, please use the urllist
option instead.
Specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which defaults to:
`https://api.yubico.com/wsapi/verify?id=%d&otp=%s`
or
`https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s`
depending on your version of yubico-c-client.
2011-04-11 15:53:02 +02:00
2014-10-29 14:55:40 +01:00
capath::
specify the path where X509 certificates are stored. This is
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri'
respectively.
2011-04-11 15:53:02 +02:00
2018-05-02 13:48:30 +02:00
cainfo::
Option to allow usage of a CA bundle instead of path.
2015-11-12 22:02:49 +01:00
proxy::
specify a proxy to connect to the validation server. Valid schemes are
2017-08-07 12:39:58 +02:00
http://, https://, socks4://, socks4a://, socks5:// or socks5h://.
Socks5h asks the proxy to do the dns resolving. If no scheme or port is
specified HTTP proxy port 1080 will be used.
2015-11-12 22:02:49 +01:00
2014-10-29 14:55:40 +01:00
verbose_otp::
2014-12-01 15:04:11 +01:00
This argument is used to show the OTP (One-Time Password) when it
2014-10-29 14:57:34 +01:00
is entered, i.e. to enable terminal echo of entered characters.
You are advised to not use this, if you are using two factor
authentication because that will display your password on the
screen.
This requires the service using the PAM module to
2016-03-29 11:09:58 +02:00
display custom fields. This option can not be used with OpenSSH.
2010-09-09 22:31:44 +02:00
2014-10-29 14:55:40 +01:00
ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost).
2010-04-14 11:48:25 +02:00
2014-10-29 14:55:40 +01:00
ldapserver::
specify the LDAP server host (default LDAP port is used).
_Deprecated. Use "ldap_uri" instead._
2010-04-14 10:17:43 +02:00
2014-10-29 14:55:40 +01:00
ldapdn::
specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com).
2010-04-14 10:17:43 +02:00
2018-05-02 14:01:17 +02:00
ldap_bind_user::
The user to attempt a LDAP bind as.
ldap_bind_password::
The password to use on LDAP bind.
ldap_filter::
An LDAP filter to use for attempting to find the correct object in LDAP. In this string `%u` will be replaced with the username.
ldap_cacertfile::
CA certifcate file for the LDAP connection.
2014-10-29 14:55:40 +01:00
user_attr:: specify the LDAP attribute used to store user names (eg:cn).
2009-05-11 12:05:20 +02:00
2018-05-03 10:59:44 +02:00
yubi_attr:: specify the LDAP attribute used to store the YubiKey ID.
2009-05-11 12:05:20 +02:00
2014-10-29 14:55:40 +01:00
yubi_attr_prefix::
specify the prefix of the LDAP attribute's value, in case
of a generic attribute, used to store several types of IDs.
2011-02-16 22:20:38 +01:00
2014-10-29 14:55:40 +01:00
token_id_length::
Length of ID prefixing the OTP (this is 12 if using the
YubiCloud).
2012-02-01 09:29:27 +01:00
2014-10-29 14:55:40 +01:00
mode::
Mode of operation. Use "client" for online validation with
a YubiKey validation service such as the YubiCloud, or use
"challenge-response" for offline validation using YubiKeys
with HMAC-SHA-1 Challenge-Response configurations. See the
man-page ykpamcfg(1) for further details on how to configure
offline Challenge-Response validation.
2011-12-12 19:28:37 +01:00
2018-05-02 13:35:21 +02:00
chalresp_path::
Directory that is used to store the challenge files in case of a system-wide
configuration (in contrast to challenge files being stored in a user's home
directory). This location should be only readable and writable by root. Refer
to `Authentication_Using_Challenge-Response.adoc` for more information about
such a setup.
2008-01-11 13:41:21 +01:00
If you are using "debug" you may find it useful to create a
world-writable log file:
2014-12-01 15:04:11 +01:00
[source, sh]
----
2014-10-29 15:29:10 +01:00
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
2014-12-01 15:04:11 +01:00
----
2011-02-16 22:20:38 +01:00
2008-01-11 13:41:21 +01:00
2011-02-16 22:20:38 +01:00
Authorization Mapping Files
---------------------------
2014-12-01 15:04:11 +01:00
A mapping must be made between the YubiKey token ID and the user ID it is
2010-05-20 21:11:33 +02:00
attached to. There are two ways to do this, either centrally in one file, or
2010-04-13 22:01:22 +02:00
individually, where users can create the mapping in their home directories.
2010-04-14 10:04:57 +02:00
If the central authorization mapping file is being used, user home directory
mappings will not be used and the opposite applies if user home directory
mappings are being used, the central authorization mappings file will not
be used.
2010-04-13 22:01:22 +02:00
2014-12-01 15:04:11 +01:00
=== Central authorization mapping
2014-10-29 14:55:40 +01:00
Create a `/etc/yubikey_mappings`, the file must contain a user name and the
2018-05-03 10:59:44 +02:00
YubiKey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a YubiKey.
2010-04-13 22:01:22 +02:00
The mappings should look like this, one per line:
2010-05-20 21:11:33 +02:00
2018-05-03 10:59:44 +02:00
<first user name>:<YubiKey token ID1>:<YubiKey token ID2>:….
<second user name>:<YubiKey token ID3>:<YubiKey token ID4>:….
2010-04-13 22:01:22 +02:00
2014-12-01 15:04:11 +01:00
Now add `authfile=/etc/yubikey_mappings` to your PAM configuration line, so it
2010-04-13 22:01:22 +02:00
looks like:
2015-03-06 20:05:52 +01:00
auth sufficient pam_yubico.so id=[Your API Client ID] authfile=/etc/yubikey_mappings
2010-04-13 22:01:22 +02:00
2014-12-01 15:04:11 +01:00
=== Individual authorization mapping by user
Each user creates a `~/.yubico/authorized_yubikeys` file inside of their home
2010-04-13 22:01:22 +02:00
directory and places the mapping in that file, the file must have only one
line:
2014-10-29 14:57:34 +01:00
2018-05-03 10:59:44 +02:00
<user name>:<YubiKey token ID1>:<YubiKey token ID2>
2014-10-29 14:57:34 +01:00
2010-04-13 22:01:22 +02:00
This is much the same concept as the SSH authorized_keys file.
2011-02-16 22:20:38 +01:00
2018-05-03 10:59:44 +02:00
Obtaining the YubiKey token ID (a.k.a. public ID)
2011-04-11 15:53:02 +02:00
-------------------------------------------------
2010-05-20 21:11:33 +02:00
2018-05-03 10:59:44 +02:00
You can obtain the YubiKey token ID in several ways. One is by
2013-10-06 19:09:38 +02:00
removing the last 32 characters of any OTP (One Time Password)
2018-05-03 10:59:44 +02:00
generated with your YubiKey. Another is by using the
2014-10-29 14:55:40 +01:00
http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].
2010-05-20 21:11:33 +02:00
2018-05-03 10:59:44 +02:00
Enter your YubiKey OTP and convert it, your YubiKey token ID is 12
2013-10-06 19:09:38 +02:00
characters and listed as:
2011-02-16 22:20:38 +01:00
2013-10-06 19:09:38 +02:00
Modhex encoded: XXXXXXX
2012-10-03 04:24:30 +02:00
2012-10-03 04:28:30 +02:00
Not sure what that last bit meant? Here is how to get a copy of your OTP.
2014-12-01 15:04:11 +01:00
=== Fast way
. Open a terminal
. Press the YubiKey's button
It will output an OTP into the shell:
+
[source, sh]
2012-10-03 04:28:30 +02:00
------
2014-10-29 15:10:14 +01:00
$ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
2012-10-03 04:28:30 +02:00
------
2014-12-01 15:04:11 +01:00
+
2012-10-03 04:28:30 +02:00
This can be pasted into the Modhex_Calculator page.
2014-12-01 15:04:11 +01:00
=== Harder way
2012-10-03 04:28:30 +02:00
This requires you to have the pam module enabled with 'debug' turned on. When
2014-12-01 15:04:11 +01:00
prompted for the YubiKey press the button. The pam module will print out debug
information including the OTP and ID of your token to the shell -- copy the ID
2012-10-03 04:28:30 +02:00
into your config file and you should be up and going.
------
2018-05-03 10:59:44 +02:00
YubiKey for `youruser':
2014-10-29 15:29:10 +01:00
[pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
2014-11-20 22:40:55 +01:00
[pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab
2012-10-03 04:28:30 +02:00
------
2012-10-03 04:16:06 +02:00
Yubico PAM module and SELinux.
------------------------------
Users with SELinux in enforcing mode (the default on Fedora 17+) may experience
login problems with services including those validated via
polkit-agent-helper-1, sshd and login.
2014-10-29 15:10:14 +01:00
This is https://bugzilla.redhat.com/show_bug.cgi?id=841693#c3[documented in Red Hat bugzilla]
including a work around for ssh (Equivalent files could be created for
2012-10-03 04:16:06 +02:00
other services). Systems in 'permissive' mode will generate AVC warnings but
authentication will succeed.
2014-10-31 16:42:03 +01:00
To determine if you have SELinux enforcing or not run the `sestatus` command.
2012-10-03 04:16:06 +02:00
2011-02-16 22:20:38 +01:00
Examples
--------
2008-06-25 15:49:31 +02:00
2014-12-01 15:04:11 +01:00
If you want to use the YubiKey to authenticate you on Linux console
2014-10-29 14:55:40 +01:00
logins, add the following to the top of `/etc/pam.d/login`:
2008-01-11 13:41:21 +01:00
2015-03-06 20:05:52 +01:00
auth sufficient pam_yubico.so id=[Your API Client ID] debug
2014-10-29 13:25:29 +01:00
OpenVPN and ActiveDirectory
2014-11-20 22:40:55 +01:00
---------------------------
2017-12-14 17:06:19 +01:00
See Michael Ludvig's sample Active Directory schema extensions for YubiKey public ID attribute storage / association with a particular user account: https://github.com/mludvig/yubikey-ldap/tree/master/microsoft-schema
2014-10-29 13:25:29 +01:00
create file '/etc/pam.d/openvpn':
2015-03-04 13:08:30 +01:00
2018-05-03 10:59:44 +02:00
auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=YubiKeyID
2017-12-14 17:04:48 +01:00
ldapdn=DC=contoso,DC=com
ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com))
2017-12-14 18:51:20 +01:00
[ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com] ldap_bind_password=bind_password try_first_pass
2015-03-04 13:08:30 +01:00
account required pam_yubico.so
2014-10-29 13:25:29 +01:00
create file 'openvpn.conf'
2015-03-04 13:08:30 +01:00
plugin openvpn-plugin-auth-pam.so openvpn