2011-02-16 22:20:38 +01:00
|
|
|
|
Yubico PAM module
|
|
|
|
|
-----------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
The Yubico PAM module provides an easy way to integrate the Yubikey
|
|
|
|
|
into your existing user authentication infrastructure. PAM is used by
|
|
|
|
|
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
|
2008-05-03 10:31:19 +02:00
|
|
|
|
specialized applications such as NCSA !MyProxy.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
|
|
|
|
Status and Roadmap
|
|
|
|
|
------------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
The module is working for multi-user systems. The primary mode of
|
|
|
|
|
operation is by doing online validation using a YubiKey validation
|
|
|
|
|
service (such as the YubiCloud, or a private one configured using
|
|
|
|
|
the 'url' parameter).
|
|
|
|
|
|
|
|
|
|
In version 2.6, offline validation was also made possible through
|
|
|
|
|
the use of HMAC-SHA1 Challenge-Response found in YubiKey 2.2 and
|
|
|
|
|
later. This has introduced a currently mandatory dependency of
|
|
|
|
|
libykpers-1 from the ykpersonalize package.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
The development community is co-ordinated via Google Code :
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
http://code.google.com/p/yubico-pam/
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2009-01-13 15:08:21 +01:00
|
|
|
|
The license for pam_yubico is the 2-clause BSD license, which is
|
|
|
|
|
compatible with the Linux-PAM BSD/GPL license. See the file COPYING
|
2008-01-11 13:52:40 +01:00
|
|
|
|
for more information.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
|
|
|
|
Building from Git
|
|
|
|
|
-----------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Skip to the next section if you are using an official packaged
|
|
|
|
|
version.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
You may check out the sources using Git with the following command:
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
$ git clone git://github.com/Yubico/yubico-pam.git yubico-pam
|
|
|
|
|
------
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
This will create a directory 'yubico-pam'.
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Autoconf, automake and libtool must be installed to create a compilable
|
|
|
|
|
source tree.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Generate the build system using:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
$ cd yubico-pam
|
|
|
|
|
$ autoreconf --install
|
|
|
|
|
------
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Building
|
|
|
|
|
--------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2009-03-25 11:15:13 +01:00
|
|
|
|
You will need to have libykclient (ykclient.h, libykclient.so) and
|
|
|
|
|
libpam-dev (security/pam_appl.h, libpam.so) installed. Get the
|
|
|
|
|
ykclient library from:
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
http://code.google.com/p/yubico-c-client/
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-13 23:17:27 +02:00
|
|
|
|
It in turn requires Curl, which you need to have installed, and
|
|
|
|
|
libyubikey. Get libyubikey from
|
|
|
|
|
|
|
|
|
|
http://code.google.com/p/yubico-c/
|
2009-03-24 19:33:28 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
The new Challenge-Response offline authentication requires libykpers-1
|
|
|
|
|
from the yubikey-personalization project :
|
|
|
|
|
|
|
|
|
|
http://code.google.com/p/yubikey-personalization/
|
|
|
|
|
|
2011-04-13 23:17:27 +02:00
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
The build system uses Autoconf, to set up the build system run:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
./configure
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2009-03-24 19:32:58 +01:00
|
|
|
|
|
|
|
|
|
Use --without-ldap to disable ldap support.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Then build the code, run the self-test and install the binaries:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
make check install
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
Ubuntu PPA
|
|
|
|
|
----------
|
|
|
|
|
|
|
|
|
|
There is an Ubuntu PPA (Private Package Archive) for yubico-pam that
|
|
|
|
|
can be installed using the following commands on reasonably modern
|
|
|
|
|
Ubuntu platforms :
|
|
|
|
|
|
|
|
|
|
$ sudo add-apt-repository ppa:fredrikt/yubico-pam
|
|
|
|
|
$ sudo apt-get update
|
|
|
|
|
$ sudo apt-get install yubico-pam
|
|
|
|
|
|
|
|
|
|
You will have to configure pam_yubico manually in /etc/pam.d/common-auth
|
|
|
|
|
manually after installing.
|
|
|
|
|
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Configuration
|
|
|
|
|
-------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Install it in your PAM setup by adding a line to an appropriate file
|
|
|
|
|
in /etc/pam.d/:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
auth sufficient pam_yubico.so id=16 debug
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
and move pam_yubico.so into /lib/security/ (or wherever PAM modules
|
|
|
|
|
live in your system) :
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-05-02 11:24:53 +02:00
|
|
|
|
mv /usr/local/lib/security/pam_yubico.so /lib/security/
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2009-01-13 15:11:09 +01:00
|
|
|
|
For more information, see the project Wiki page.
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
Supported PAM module parameters are:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 19:40:32 +02:00
|
|
|
|
"authfile": to indicate the location of the file that holds the
|
2011-04-11 15:53:02 +02:00
|
|
|
|
mappings of Yubikey token IDs to user names.
|
2010-04-13 19:40:32 +02:00
|
|
|
|
|
2009-05-11 12:05:20 +02:00
|
|
|
|
"id": to indicate your client identity.
|
|
|
|
|
|
|
|
|
|
"key": to indicate your client key in base64 format.
|
2011-04-11 15:53:02 +02:00
|
|
|
|
The client key is also known as API key, and provides
|
|
|
|
|
integrity in the communication between the client (you)
|
|
|
|
|
and the validation server.
|
|
|
|
|
If you want to get one for use with the default YubiCloud
|
|
|
|
|
service, visit this URL :
|
|
|
|
|
|
|
|
|
|
https://upgrade.yubico.com/getapikey/
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
|
|
|
|
"debug": to enable debug output to stdout.
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
"alwaysok": to enable all authentication attempts to succeed
|
2009-02-11 17:35:29 +01:00
|
|
|
|
(aka presentation mode).
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
|
|
|
|
"try_first_pass":
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Before prompting the user for their password, the module
|
|
|
|
|
first tries the previous stacked module´s password in case
|
|
|
|
|
that satisfies this module as well.
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
|
|
|
|
"use_first_pass":
|
2011-02-16 22:20:38 +01:00
|
|
|
|
The argument use_first_pass forces the module to use a previous
|
|
|
|
|
stacked modules password and will never prompt the user - if no
|
|
|
|
|
password is available or the password is not appropriate, the user
|
|
|
|
|
will be denied access.
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
2009-02-11 17:35:29 +01:00
|
|
|
|
"url": specify the URL template to use, this is set by calling
|
2010-04-13 22:01:22 +02:00
|
|
|
|
yubikey_client_set_url_template, which defaults to:
|
2011-04-11 15:53:02 +02:00
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
or
|
|
|
|
|
|
|
|
|
|
http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
|
|
|
|
|
|
|
|
|
|
depending on your version of yubico-c-client.
|
|
|
|
|
|
2010-04-14 11:48:25 +02:00
|
|
|
|
"verbose_otp":
|
2010-09-09 22:31:44 +02:00
|
|
|
|
This argument is used to show the OTP when it is entered,
|
|
|
|
|
i.e. to enable terminal echo of entered characters.
|
2010-04-14 11:48:25 +02:00
|
|
|
|
You are advised to not use this, if you are using two factor
|
2010-09-09 22:31:44 +02:00
|
|
|
|
authentication because that will display your password on the
|
|
|
|
|
screen.
|
|
|
|
|
|
|
|
|
|
This requires the service using the PAM module to
|
|
|
|
|
display custom fields. For example, OpenSSH requires
|
|
|
|
|
you to configure "ChallengeResponseAuthentication no".
|
2010-04-14 11:48:25 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
"ldap_uri": specify the LDAP server URI (e.g. ldap://localhost).
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2010-04-14 10:17:43 +02:00
|
|
|
|
|
2010-05-20 21:11:33 +02:00
|
|
|
|
"ldapserver": specify the LDAP server host (default LDAP port is used).
|
2011-02-16 22:20:38 +01:00
|
|
|
|
_Deprecated. Use "ldap_uri" instead._
|
2010-04-14 10:17:43 +02:00
|
|
|
|
|
2009-05-11 12:05:20 +02:00
|
|
|
|
"ldapdn": specify the dn where the users are stored
|
|
|
|
|
(eg: ou=users,dc=domain,dc=com).
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
"user_attr": specify the LDAP attribute used to store user names (eg:cn).
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
"yubi_attr": specify the LDAP attribute used to store the Yubikey id.
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
|
|
|
|
"capath": Path to a directory with SSL CA certs you trust.
|
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
If you are using "debug" you may find it useful to create a
|
|
|
|
|
world-writable log file:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
touch /var/run/pam-debug.log
|
|
|
|
|
chmod go+w /var/run/pam-debug.log
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Authorization Mapping Files
|
|
|
|
|
---------------------------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
A mapping must be made between the Yubikey token ID and the user ID it is
|
2010-05-20 21:11:33 +02:00
|
|
|
|
attached to. There are two ways to do this, either centrally in one file, or
|
2010-04-13 22:01:22 +02:00
|
|
|
|
individually, where users can create the mapping in their home directories.
|
2010-04-14 10:04:57 +02:00
|
|
|
|
If the central authorization mapping file is being used, user home directory
|
|
|
|
|
mappings will not be used and the opposite applies if user home directory
|
|
|
|
|
mappings are being used, the central authorization mappings file will not
|
|
|
|
|
be used.
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Central authorization mapping
|
|
|
|
|
-----------------------------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
Create a /etc/yubikey_mappings, the file must contain a user name and the
|
2011-04-11 15:53:02 +02:00
|
|
|
|
Yubikey token ID separated by colons (same format as the passwd file) for
|
|
|
|
|
each user you want to allow onto the system using a Yubikey.
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
The mappings should look like this, one per line:
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
<user name>:<Yubikey token ID>:<Yubikey token ID>:….
|
|
|
|
|
<user name>:<Yubikey token ID>:<Yubikey token ID>:….
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it
|
|
|
|
|
looks like:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
|
|
|
|
|
------
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Individual authorization mapping by user
|
|
|
|
|
----------------------------------------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
Each user creates a ~/.yubico/authorized_yubikeys file inside of their home
|
|
|
|
|
directory and places the mapping in that file, the file must have only one
|
|
|
|
|
line:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
<user name>:<Yubikey token ID>:<Yubikey token ID>
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
This is much the same concept as the SSH authorized_keys file.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
Obtaining the Yubikey token ID (a.k.a. public ID)
|
|
|
|
|
-------------------------------------------------
|
|
|
|
|
You can obtain the Yubikey token ID in two places. One is by removing the
|
|
|
|
|
last 32 characters of any OTP generated with your Yubikey, the other
|
|
|
|
|
is by using the modhex calculator located here :
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
|
|
|
|
http://radius.yubico.com/demo/Modhex_Calculator.php
|
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and listed as:
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Modhex encoded: XXXXXXX
|
|
|
|
|
|
|
|
|
|
Examples
|
|
|
|
|
--------
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
|
|
|
|
If you want to use the Yubikey to authenticate you on linux console
|
|
|
|
|
logins, add the following to the top of /etc/pam.d/login:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
auth sufficient pam_yubico.so id=16 debug
|
|
|
|
|
------
|
|
|
|
|
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Feedback
|
|
|
|
|
--------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
If you want to discuss anything related to the Yubico PAM module,
|
2009-01-13 15:11:09 +01:00
|
|
|
|
please contact Simon Josefsson <simon@yubico.com>.
|