2011-02-16 22:20:38 +01:00
|
|
|
|
Yubico PAM module
|
|
|
|
|
-----------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
The Yubico PAM module provides an easy way to integrate the Yubikey
|
|
|
|
|
into your existing user authentication infrastructure. PAM is used by
|
|
|
|
|
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
|
2008-05-03 10:31:19 +02:00
|
|
|
|
specialized applications such as NCSA !MyProxy.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
|
|
|
|
Status and Roadmap
|
|
|
|
|
------------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
The module is working for multi-user systems. The primary mode of
|
|
|
|
|
operation is by doing online validation using a YubiKey validation
|
|
|
|
|
service (such as the YubiCloud, or a private one configured using
|
2014-04-30 13:39:49 +02:00
|
|
|
|
the 'urllist' parameter).
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
|
|
|
|
In version 2.6, offline validation was also made possible through
|
|
|
|
|
the use of HMAC-SHA1 Challenge-Response found in YubiKey 2.2 and
|
2011-12-12 19:28:37 +01:00
|
|
|
|
later. This has introduced a dependency of libykpers-1 from the
|
|
|
|
|
ykpersonalize package. Pass `--without-cr' to `configure' to avoid
|
|
|
|
|
this dependency.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2013-09-19 09:19:39 +02:00
|
|
|
|
The development community is co-ordinated via GitHub :
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2012-10-04 08:38:28 +02:00
|
|
|
|
https://github.com/Yubico/yubico-pam/
|
|
|
|
|
|
2012-01-23 20:25:06 +01:00
|
|
|
|
The project is licensed under a BSD license. See the file COPYING for
|
|
|
|
|
exact wording. For any copyright year range specified as YYYY-ZZZZ in
|
|
|
|
|
this package note that the range specifies every single year in that
|
|
|
|
|
closed interval.
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
|
|
|
|
Building from Git
|
|
|
|
|
-----------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Skip to the next section if you are using an official packaged
|
|
|
|
|
version.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
You may check out the sources using Git with the following command:
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2013-10-06 19:12:18 +02:00
|
|
|
|
$ git clone git@github.com:Yubico/yubico-pam.git yubico-pam
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
This will create a directory 'yubico-pam'.
|
2008-01-11 13:52:40 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Autoconf, automake and libtool must be installed to create a compilable
|
|
|
|
|
source tree.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Generate the build system using:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
$ cd yubico-pam
|
|
|
|
|
$ autoreconf --install
|
|
|
|
|
------
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Building
|
|
|
|
|
--------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2009-03-25 11:15:13 +01:00
|
|
|
|
You will need to have libykclient (ykclient.h, libykclient.so) and
|
|
|
|
|
libpam-dev (security/pam_appl.h, libpam.so) installed. Get the
|
|
|
|
|
ykclient library from:
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
2014-04-30 10:45:03 +02:00
|
|
|
|
https://developers.yubico.com/yubico-c-client/
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2012-06-15 14:52:45 +02:00
|
|
|
|
It in turn requires Curl, which you need to have installed, and
|
|
|
|
|
libyubikey. Get libyubikey from
|
|
|
|
|
|
2014-04-30 10:45:03 +02:00
|
|
|
|
https://developers.yubico.com/yubico-c/
|
2009-03-24 19:33:28 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
The new Challenge-Response offline authentication requires libykpers-1
|
2012-06-15 14:52:45 +02:00
|
|
|
|
from the yubikey-personalization project :
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
2014-04-30 10:45:03 +02:00
|
|
|
|
https://developers.yubico.com/yubikey-personalization/
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
2011-04-13 23:17:27 +02:00
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
The build system uses Autoconf, to set up the build system run:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
./configure
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2009-03-24 19:32:58 +01:00
|
|
|
|
|
|
|
|
|
Use --without-ldap to disable ldap support.
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Then build the code, run the self-test and install the binaries:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
make check install
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
|
2013-11-26 10:38:06 +01:00
|
|
|
|
Fedora/EPEL
|
|
|
|
|
----------
|
|
|
|
|
There is already a package in Fedora/EPEL of yubico-pam that can be installed
|
|
|
|
|
by using yum :
|
|
|
|
|
$ sudo yum install pam_yubico
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
Ubuntu PPA
|
|
|
|
|
----------
|
|
|
|
|
|
2012-10-04 08:40:02 +02:00
|
|
|
|
There is an Ubuntu PPA (Personal Package Archive) for yubico-pam that
|
2011-04-13 15:47:36 +02:00
|
|
|
|
can be installed using the following commands on reasonably modern
|
|
|
|
|
Ubuntu platforms :
|
|
|
|
|
|
2012-11-13 14:51:15 +01:00
|
|
|
|
$ sudo add-apt-repository ppa:yubico/stable
|
2011-04-13 15:47:36 +02:00
|
|
|
|
$ sudo apt-get update
|
2011-12-14 13:11:12 +01:00
|
|
|
|
$ sudo apt-get install libpam-yubico
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
2011-12-14 13:11:12 +01:00
|
|
|
|
See the file /usr/share/doc/libpam-yubico/README.Debian after installing.
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
2013-12-01 00:24:02 +01:00
|
|
|
|
FreeBSD ports
|
|
|
|
|
-------------
|
|
|
|
|
yubico-pam and the supporting Yubico packages have corresponding FreeBSD ports. To install:
|
|
|
|
|
|
|
|
|
|
$ cd /usr/ports/security/pam_yubico
|
|
|
|
|
$ make install clean
|
|
|
|
|
|
|
|
|
|
Advanced configuration notes are available at http://mjslabs.com/yubihow.html
|
|
|
|
|
|
2011-04-13 15:47:36 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Configuration
|
|
|
|
|
-------------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
Install it in your PAM setup by adding a line to an appropriate file
|
|
|
|
|
in /etc/pam.d/:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
auth sufficient pam_yubico.so id=16 debug
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
and move pam_yubico.so into /lib/security/ (or wherever PAM modules
|
|
|
|
|
live in your system) :
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-05-02 11:24:53 +02:00
|
|
|
|
mv /usr/local/lib/security/pam_yubico.so /lib/security/
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2009-01-13 15:11:09 +01:00
|
|
|
|
For more information, see the project Wiki page.
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
Supported PAM module parameters are:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 19:40:32 +02:00
|
|
|
|
"authfile": to indicate the location of the file that holds the
|
2011-04-11 15:53:02 +02:00
|
|
|
|
mappings of Yubikey token IDs to user names.
|
2010-04-13 19:40:32 +02:00
|
|
|
|
|
2009-05-11 12:05:20 +02:00
|
|
|
|
"id": to indicate your client identity.
|
|
|
|
|
|
|
|
|
|
"key": to indicate your client key in base64 format.
|
2011-04-11 15:53:02 +02:00
|
|
|
|
The client key is also known as API key, and provides
|
|
|
|
|
integrity in the communication between the client (you)
|
|
|
|
|
and the validation server.
|
|
|
|
|
If you want to get one for use with the default YubiCloud
|
|
|
|
|
service, visit this URL :
|
|
|
|
|
|
|
|
|
|
https://upgrade.yubico.com/getapikey/
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
|
|
|
|
"debug": to enable debug output to stdout.
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
"alwaysok": to enable all authentication attempts to succeed
|
2009-02-11 17:35:29 +01:00
|
|
|
|
(aka presentation mode).
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
|
|
|
|
"try_first_pass":
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Before prompting the user for their password, the module
|
|
|
|
|
first tries the previous stacked module´s password in case
|
|
|
|
|
that satisfies this module as well.
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
|
|
|
|
"use_first_pass":
|
2011-02-16 22:20:38 +01:00
|
|
|
|
The argument use_first_pass forces the module to use a previous
|
|
|
|
|
stacked modules password and will never prompt the user - if no
|
|
|
|
|
password is available or the password is not appropriate, the user
|
|
|
|
|
will be denied access.
|
2009-03-24 12:13:57 +01:00
|
|
|
|
|
2014-04-30 13:39:49 +02:00
|
|
|
|
"urllist": List of URL templates to be used. This is set by calling
|
|
|
|
|
ykclient_set_url_bases. The list should be in the format :
|
|
|
|
|
|
|
|
|
|
"https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify"
|
|
|
|
|
|
|
|
|
|
"url": This option should not be used, please use the urllist
|
|
|
|
|
option instead.
|
|
|
|
|
Specify the URL template to use, this is set by calling
|
2010-04-13 22:01:22 +02:00
|
|
|
|
yubikey_client_set_url_template, which defaults to:
|
2011-04-11 15:53:02 +02:00
|
|
|
|
|
2013-10-08 23:08:42 +02:00
|
|
|
|
https://api.yubico.com/wsapi/verify?id=%d&otp=%s
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
or
|
|
|
|
|
|
2013-10-08 23:08:42 +02:00
|
|
|
|
https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
|
2011-04-11 15:53:02 +02:00
|
|
|
|
|
|
|
|
|
depending on your version of yubico-c-client.
|
|
|
|
|
|
2012-02-01 09:29:27 +01:00
|
|
|
|
"capath": specify the path where X509 certificates are stored. This is
|
|
|
|
|
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri'
|
|
|
|
|
respectively.
|
|
|
|
|
|
2010-04-14 11:48:25 +02:00
|
|
|
|
"verbose_otp":
|
2012-10-03 07:44:52 +02:00
|
|
|
|
This argument is used to show the OTP (One Time Password) when it
|
|
|
|
|
is entered, i.e. to enable terminal echo of entered characters.
|
2010-04-14 11:48:25 +02:00
|
|
|
|
You are advised to not use this, if you are using two factor
|
2010-09-09 22:31:44 +02:00
|
|
|
|
authentication because that will display your password on the
|
|
|
|
|
screen.
|
|
|
|
|
|
|
|
|
|
This requires the service using the PAM module to
|
|
|
|
|
display custom fields. For example, OpenSSH requires
|
|
|
|
|
you to configure "ChallengeResponseAuthentication no".
|
2010-04-14 11:48:25 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
"ldap_uri": specify the LDAP server URI (e.g. ldap://localhost).
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2010-04-14 10:17:43 +02:00
|
|
|
|
|
2010-05-20 21:11:33 +02:00
|
|
|
|
"ldapserver": specify the LDAP server host (default LDAP port is used).
|
2011-02-16 22:20:38 +01:00
|
|
|
|
_Deprecated. Use "ldap_uri" instead._
|
2010-04-14 10:17:43 +02:00
|
|
|
|
|
2009-05-11 12:05:20 +02:00
|
|
|
|
"ldapdn": specify the dn where the users are stored
|
|
|
|
|
(eg: ou=users,dc=domain,dc=com).
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
"user_attr": specify the LDAP attribute used to store user names (eg:cn).
|
2009-05-11 12:05:20 +02:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
"yubi_attr": specify the LDAP attribute used to store the Yubikey id.
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
2012-02-01 09:29:27 +01:00
|
|
|
|
"yubi_attr_prefix":
|
|
|
|
|
specify the prefix of the LDAP attribute's value, in case
|
|
|
|
|
of a generic attribute, used to store several types of ids.
|
|
|
|
|
|
2011-12-12 19:28:37 +01:00
|
|
|
|
"token_id_length":
|
|
|
|
|
Length of ID prefixing the OTP (this is 12 if using the
|
|
|
|
|
YubiCloud).
|
|
|
|
|
"mode":
|
|
|
|
|
Mode of operation. Use "client" for online validation with
|
|
|
|
|
a YubiKey validation service such as the YubiCloud, or use
|
|
|
|
|
"challenge-response" for offline validation using YubiKeys
|
|
|
|
|
with HMAC-SHA-1 Challenge-Response configurations. See the
|
|
|
|
|
man-page ykpamcfg(1) for further details on how to configure
|
|
|
|
|
offline Challenge-Response validation.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
If you are using "debug" you may find it useful to create a
|
|
|
|
|
world-writable log file:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
touch /var/run/pam-debug.log
|
|
|
|
|
chmod go+w /var/run/pam-debug.log
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Authorization Mapping Files
|
|
|
|
|
---------------------------
|
2011-04-11 15:53:02 +02:00
|
|
|
|
A mapping must be made between the Yubikey token ID and the user ID it is
|
2010-05-20 21:11:33 +02:00
|
|
|
|
attached to. There are two ways to do this, either centrally in one file, or
|
2010-04-13 22:01:22 +02:00
|
|
|
|
individually, where users can create the mapping in their home directories.
|
2010-04-14 10:04:57 +02:00
|
|
|
|
If the central authorization mapping file is being used, user home directory
|
|
|
|
|
mappings will not be used and the opposite applies if user home directory
|
|
|
|
|
mappings are being used, the central authorization mappings file will not
|
|
|
|
|
be used.
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Central authorization mapping
|
|
|
|
|
-----------------------------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
Create a /etc/yubikey_mappings, the file must contain a user name and the
|
2011-04-11 15:53:02 +02:00
|
|
|
|
Yubikey token ID separated by colons (same format as the passwd file) for
|
|
|
|
|
each user you want to allow onto the system using a Yubikey.
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
The mappings should look like this, one per line:
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2012-10-03 04:30:38 +02:00
|
|
|
|
<first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
|
|
|
|
|
<second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it
|
|
|
|
|
looks like:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
|
|
|
|
|
------
|
|
|
|
|
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Individual authorization mapping by user
|
|
|
|
|
----------------------------------------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
Each user creates a ~/.yubico/authorized_yubikeys file inside of their home
|
|
|
|
|
directory and places the mapping in that file, the file must have only one
|
|
|
|
|
line:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2012-10-03 04:30:38 +02:00
|
|
|
|
<user name>:<Yubikey token ID1>:<Yubikey token ID2>
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
2010-04-13 22:01:22 +02:00
|
|
|
|
|
|
|
|
|
This is much the same concept as the SSH authorized_keys file.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
2011-04-11 15:53:02 +02:00
|
|
|
|
Obtaining the Yubikey token ID (a.k.a. public ID)
|
|
|
|
|
-------------------------------------------------
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2013-10-06 19:09:38 +02:00
|
|
|
|
You can obtain the Yubikey token ID in several ways. One is by
|
|
|
|
|
removing the last 32 characters of any OTP (One Time Password)
|
|
|
|
|
generated with your Yubikey. Another is by using the modhex
|
|
|
|
|
calculator located here:
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2013-10-06 19:09:38 +02:00
|
|
|
|
http://demo.yubico.com/php-yubico/Modhex_Calculator.php
|
2010-05-20 21:11:33 +02:00
|
|
|
|
|
2013-10-06 19:09:38 +02:00
|
|
|
|
Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
|
|
|
|
|
characters and listed as:
|
2011-02-16 22:20:38 +01:00
|
|
|
|
|
2013-10-06 19:09:38 +02:00
|
|
|
|
Modhex encoded: XXXXXXX
|
2012-10-03 04:24:30 +02:00
|
|
|
|
|
2012-10-03 04:28:30 +02:00
|
|
|
|
Not sure what that last bit meant? Here is how to get a copy of your OTP.
|
|
|
|
|
|
|
|
|
|
Fast way
|
2013-09-19 09:21:04 +02:00
|
|
|
|
--------
|
2012-10-03 04:28:30 +02:00
|
|
|
|
* Open a terminal
|
|
|
|
|
* Press yubikey button
|
|
|
|
|
|
|
|
|
|
It will output an OTP into the shell:
|
|
|
|
|
|
|
|
|
|
------
|
|
|
|
|
$ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
|
|
|
|
|
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
This can be pasted into the Modhex_Calculator page.
|
|
|
|
|
|
|
|
|
|
Harder way
|
2013-09-19 09:21:04 +02:00
|
|
|
|
----------
|
2012-10-03 04:28:30 +02:00
|
|
|
|
This requires you to have the pam module enabled with 'debug' turned on. When
|
|
|
|
|
prompted for the yubikey press the button. The pam module will print out debug
|
|
|
|
|
information including the OTP and ID of your token to the shell - copy the ID
|
|
|
|
|
into your config file and you should be up and going.
|
|
|
|
|
|
|
|
|
|
------
|
|
|
|
|
Yubikey for `youruser':
|
|
|
|
|
[pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes
|
|
|
|
|
[pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
|
|
|
|
|
[pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab
|
|
|
|
|
------
|
|
|
|
|
|
|
|
|
|
|
2012-10-03 04:16:06 +02:00
|
|
|
|
Yubico PAM module and SELinux.
|
|
|
|
|
------------------------------
|
|
|
|
|
Users with SELinux in enforcing mode (the default on Fedora 17+) may experience
|
|
|
|
|
login problems with services including those validated via
|
|
|
|
|
polkit-agent-helper-1, sshd and login.
|
|
|
|
|
|
|
|
|
|
This is documented in the PAM Yubico issue tracker [1] and Red Hat bugzilla
|
|
|
|
|
including a work around [2] for ssh (Equivalent files could be created for
|
|
|
|
|
other services). Systems in 'permissive' mode will generate AVC warnings but
|
|
|
|
|
authentication will succeed.
|
|
|
|
|
|
2013-10-08 23:08:42 +02:00
|
|
|
|
[1] https://code.google.com/p/yubico-pam/issues/detail?id=43
|
2012-10-03 04:16:06 +02:00
|
|
|
|
[2] https://bugzilla.redhat.com/show_bug.cgi?id=841693#c3
|
|
|
|
|
|
|
|
|
|
To determine if you have SELinux enforcing or not run the 'sestatus' command.
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Examples
|
|
|
|
|
--------
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
|
|
|
|
If you want to use the Yubikey to authenticate you on linux console
|
|
|
|
|
logins, add the following to the top of /etc/pam.d/login:
|
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
------
|
|
|
|
|
auth sufficient pam_yubico.so id=16 debug
|
|
|
|
|
------
|
|
|
|
|
|
2008-06-25 15:49:31 +02:00
|
|
|
|
|
2011-02-16 22:20:38 +01:00
|
|
|
|
Feedback
|
|
|
|
|
--------
|
2008-01-11 13:41:21 +01:00
|
|
|
|
|
|
|
|
|
If you want to discuss anything related to the Yubico PAM module,
|
2011-12-13 17:00:59 +01:00
|
|
|
|
please e-mail the mailing list yubico-devel@googlegroups.com.
|
2012-10-04 08:41:05 +02:00
|
|
|
|
|