rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-22 00:54:30 +01:00
Code Issues Projects Releases Wiki Activity

Update MacOS_X_Challenge-Response.adoc

Browse Source
This commit is contained in:
Henrik Stråth 2014-10-31 14:39:10 +01:00
parent 499412c6e8
commit 2083c76c23
1 changed files with 4 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/MacOS_X_Challenge-Response.adoc
View File

@ -29,20 +29,19 @@ Personalization Tool" is a more comfortable way to do this.
1. Plug in your YubiKey and start the YubiKey Personalization Tool 1. Plug in your YubiKey and start the YubiKey Personalization Tool
+ +
NOTE: YubiKey Personalization Tool shows whether your YubiKey supports challenge-response in the lower right. NOTE: YubiKey Personalization Tool shows whether your YubiKey supports challenge-response in the lower right.
2. Click Challenge-Response 2. Click 'Challenge-Response'
3. Select HMAC-SHA1 mode 3. Select HMAC-SHA1 mode. Apparently Yubico-OTP mode doesn't work with yubico-pam at the moment.
Apparently Yubico-OTP mode doesn't work with yubico-pam at the moment.
4. Select the configuration slot you want to use 4. Select the configuration slot you want to use
(this text assumes slot two, but it should be easy enough to adapt the instructions if you prefer slot 1) (this text assumes slot two, but it should be easy enough to adapt the instructions if you prefer slot 1)
5. Select whether you want to require pressing the button for authentication 5. Select whether you want to require pressing the button for authentication
+ +
NOTE: If you enable this, you will have to press the button twice for each authentication with yubico-pam. This is because the PAM module does not only send the challenge on file and checks whether the response matches, but also generates a new challenge-response pair on success. NOTE: If you enable this, you will have to press the button twice for each authentication with yubico-pam. This is because the PAM module does not only send the challenge on file and checks whether the response matches, but also generates a new challenge-response pair on success.
6. Use "Variable input" as HMAC-SHA1 mode 6. Use 'Variable input' as HMAC-SHA1 mode
+ +
WARNING: Using "Fixed 64 byte input" for this value made my YubiKey always return the same response regardless of what the challenge was. Since this defies the purpose of challenge-response think twice and test before you use this! WARNING: Using "Fixed 64 byte input" for this value made my YubiKey always return the same response regardless of what the challenge was. Since this defies the purpose of challenge-response think twice and test before you use this!
7. Generate a secret key 7. Generate a secret key
You won't need this key again, it's sufficient to have it on your YubiKey. Note that the YubiKey Personalization Tool by default logs the key to configuration_log.csv in your home directory. Consider turning this off in the settings before writing or shredding the file after writing. You won't need this key again, it's sufficient to have it on your YubiKey. Note that the YubiKey Personalization Tool by default logs the key to configuration_log.csv in your home directory. Consider turning this off in the settings before writing or shredding the file after writing.
8. Click "Write Configuration" 8. Click 'Write Configuration'
=== Configuring your user account to accept the YubiKey === === Configuring your user account to accept the YubiKey ===
@ -65,8 +64,6 @@ stored the initial challenge somewhere inside your home directory:
Stored initial challenge and expected response in '/path/to/your/home/.yubico/challenge-KEYID'. Stored initial challenge and expected response in '/path/to/your/home/.yubico/challenge-KEYID'.
---- ----
A footnote footnote:[An example footnote.]
This step will create a file with a challenge and the expected This step will create a file with a challenge and the expected
response (that can only be generated with the secret response (that can only be generated with the secret
key footnote:[This is also the reason why you should avoid having copies of the key in other places than your YubiKey!] ) key footnote:[This is also the reason why you should avoid having copies of the key in other places than your YubiKey!] )