rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-27 06:54:15 +01:00
Code Issues Projects Releases Wiki Activity

sync

Browse Source
This commit is contained in:
Fredrik Thulin 2011-04-11 15:53:02 +02:00
parent 1ebaf8773f
commit 1b6bb56e86
1 changed files with 32 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
README
View File

@ -84,7 +84,8 @@ in /etc/pam.d/:
auth sufficient pam_yubico.so id=16 debug auth sufficient pam_yubico.so id=16 debug
------ ------
and move pam_yubico.so into /lib/security/ : and move pam_yubico.so into /lib/security/ (or wherever PAM modules
live in your system) :
------ ------
mv /usr/local/lib/security/pam_yubico.so /lib/security/ mv /usr/local/lib/security/pam_yubico.so /lib/security/
@ -96,11 +97,18 @@ Supported PAM module parameters are:
------ ------
"authfile": to indicate the location of the file that holds the "authfile": to indicate the location of the file that holds the
mappings of yubikey token IDs to user names. mappings of Yubikey token IDs to user names.
"id": to indicate your client identity. "id": to indicate your client identity.
"key": to indicate your client key in base64 format. "key": to indicate your client key in base64 format.
The client key is also known as API key, and provides
integrity in the communication between the client (you)
and the validation server.
If you want to get one for use with the default YubiCloud
service, visit this URL :
https://upgrade.yubico.com/getapikey/
"debug": to enable debug output to stdout. "debug": to enable debug output to stdout.
@ -120,8 +128,15 @@ Supported PAM module parameters are:
"url": specify the URL template to use, this is set by calling "url": specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which defaults to: yubikey_client_set_url_template, which defaults to:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s http://api.yubico.com/wsapi/verify?id=%d&otp=%s
or
http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
depending on your version of yubico-c-client.
"verbose_otp": "verbose_otp":
This argument is used to show the OTP when it is entered, This argument is used to show the OTP when it is entered,
i.e. to enable terminal echo of entered characters. i.e. to enable terminal echo of entered characters.
@ -144,7 +159,7 @@ Supported PAM module parameters are:
"user_attr": specify the LDAP attribute used to store user names (eg:cn). "user_attr": specify the LDAP attribute used to store user names (eg:cn).
"yubi_attr": specify the LDAP attribute used to store the yubikey id. "yubi_attr": specify the LDAP attribute used to store the Yubikey id.
"capath": Path to a directory with SSL CA certs you trust. "capath": Path to a directory with SSL CA certs you trust.
------ ------
@ -160,7 +175,7 @@ world-writable log file:
Authorization Mapping Files Authorization Mapping Files
--------------------------- ---------------------------
A mapping must be made between the yubikey token ID and the user ID it is A mapping must be made between the Yubikey token ID and the user ID it is
attached to. There are two ways to do this, either centrally in one file, or attached to. There are two ways to do this, either centrally in one file, or
individually, where users can create the mapping in their home directories. individually, where users can create the mapping in their home directories.
If the central authorization mapping file is being used, user home directory If the central authorization mapping file is being used, user home directory
@ -172,14 +187,14 @@ Central authorization mapping
----------------------------- -----------------------------
Create a /etc/yubikey_mappings, the file must contain a user name and the Create a /etc/yubikey_mappings, the file must contain a user name and the
yubikey token ID separated by colons (same format as the passwd file) for Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a yubikey. each user you want to allow onto the system using a Yubikey.
The mappings should look like this, one per line: The mappings should look like this, one per line:
------ ------
<user name>:<yubikey token ID>:<yubikey token ID>:…. <user name>:<Yubikey token ID>:<Yubikey token ID>:….
<user name>:<yubikey token ID>:<yubikey token ID>:…. <user name>:<Yubikey token ID>:<Yubikey token ID>:….
------ ------
Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it
@ -197,25 +212,24 @@ directory and places the mapping in that file, the file must have only one
line: line:
------ ------
<user name>:<yubikey token ID>:<yubikey token ID> <user name>:<Yubikey token ID>:<Yubikey token ID>
------ ------
This is much the same concept as the SSH authorized_keys file. This is much the same concept as the SSH authorized_keys file.
Obtaining the yubikey token ID Obtaining the Yubikey token ID (a.k.a. public ID)
------------------------------ -------------------------------------------------
You can obtain the yubikey token ID in two places, one is by capturing the You can obtain the Yubikey token ID in two places. One is by removing the
the first twelve digits of any OTP generated with your yubikey, the other last 32 characters of any OTP generated with your Yubikey, the other
is by using the modhex calculator located here : is by using the modhex calculator located here :
http://radius.yubico.com/demo/Modhex_Calculator.php http://radius.yubico.com/demo/Modhex_Calculator.php
Enter your yubikey OTP and convert it, your yubikey token ID is 12 digits and listed as: Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and listed as:
Modhex encoded: XXXXXXX Modhex encoded: XXXXXXX
Examples Examples
-------- --------