Add new key parameter to set verification key.

README

@@ -91,8 +91,12 @@ For more information, see the project Wiki page.
 Supported PAM module parameters are:
 
 {{{
-  "id":         to indicate your client identity,
-  "debug":      to enable debug output to stdout,
+  "id":         to indicate your client identity.
+
+  "key":        to indicate your client key in base64 format.
+
+  "debug":      to enable debug output to stdout.
+
   "alwaysok":   to enable that all authentication attempts should succeed
                 (aka presentation mode).
 
@@ -110,10 +114,15 @@ Supported PAM module parameters are:
   "url":        specify the URL template to use, this is set by calling
                 yubikey_client_set_url_template, which uses by default:
 	        http://api.yubico.com/wsapi/verify?id=%d&otp=%s
-  "ldapserver": specifiy the ldap server host (default ldap port is used)
-  "ldapdn":     specify the dn where the users are stored (eg: ou=users,dc=domain,dc=com)
-  "user_attr":  specify the attribute used to store usernames (eg:cn)
-  "yubi_attr":  specify the attribute used to store the yubikey id
+
+  "ldapserver": specifiy the ldap server host (default ldap port is used).
+
+  "ldapdn":     specify the dn where the users are stored
+                (eg: ou=users,dc=domain,dc=com).
+
+  "user_attr":  specify the attribute used to store usernames (eg:cn).
+
+  "yubi_attr":  specify the attribute used to store the yubikey id.
 }}}
 
 If you are using "debug" you may find it useful to create a

configure.ac

@@ -40,7 +40,6 @@ AC_CHECK_HEADERS([security/pam_appl.h], [],
 AC_CHECK_HEADERS([security/pam_modules.h security/_pam_macros.h], [], [],
   [#include <security/pam_appl.h>])
 
-
 AC_ARG_WITH([ldap],
             [AS_HELP_STRING([--without-ldap],
               [disable support for ldap])],
@@ -60,9 +59,9 @@ AC_ARG_WITH([ldap],
 
 
 AC_LIB_HAVE_LINKFLAGS([ykclient],, [#include <ykclient.h>],
-                      [ykclient_init (0);])
+                      [ykclient_set_client_b64 (0, 0, 0);])
 if test "$ac_cv_libykclient" != yes; then
-   AC_MSG_ERROR([[Libykclient not found, get it from http://code.google.com/p/yubico-c-client/]])
+   AC_MSG_ERROR([[Libykclient v2.3+ required, see http://code.google.com/p/yubico-c-client/]])
 fi
 
 AC_SUBST(PAMDIR, "\$(exec_prefix)/lib/security")

pam_yubico.c

@@ -70,7 +70,6 @@
 #define PORT_NUMBER  LDAP_PORT
 #endif
 
-
 #ifndef PAM_EXTERN
 #ifdef PAM_STATIC
 #define PAM_EXTERN static
@@ -79,8 +78,6 @@
 #endif
 #endif
 
-
-
 #include <sys/types.h>
 #include <pwd.h>
 
@@ -306,6 +303,7 @@ authorize_user_token_ldap (const char *ldapserver,
 struct cfg
 {
   int client_id;
+  char *client_key;
   int debug;
   int alwaysok;
   int try_first_pass;
@@ -339,6 +337,8 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
     {
       if (strncmp (argv[i], "id=", 3) == 0)
 	sscanf (argv[i], "id=%d", &cfg->client_id);
+      if (strncmp (argv[i], "key=", 4) == 0)
+	cfg->client_key = (char *) argv[i] + 4;
       if (strcmp (argv[i], "debug") == 0)
 	cfg->debug = 1;
       if (strcmp (argv[i], "alwaysok") == 0)
@@ -368,6 +368,7 @@ parse_cfg (int flags, int argc, const char **argv, struct cfg *cfg)
       for (i = 0; i < argc; i++)
 	D (("argv[%d]=%s", i, argv[i]));
       D (("id=%d", cfg->client_id));
+      D (("key=%s", cfg->client_key ? cfg->client_key : "(null)"));
       D (("debug=%d", cfg->debug));
       D (("alwaysok=%d", cfg->alwaysok));
       D (("try_first_pass=%d", cfg->try_first_pass));
@@ -437,7 +438,15 @@ pam_sm_authenticate (pam_handle_t * pamh,
       goto done;
     }
 
-  ykclient_set_client (ykc, cfg.client_id, 0, NULL);
+  rc = ykclient_set_client_b64 (ykc, cfg.client_id, cfg.client_key);
+  if (rc != YKCLIENT_OK)
+    {
+      DBG (("ykclient_set_client_b64() failed (%d): %s",
+	    rc, ykclient_strerror (rc)));
+      retval = PAM_AUTHINFO_UNAVAIL;
+      goto done;
+    }
+
   if (cfg.url)
     ykclient_set_url_template (ykc, cfg.url);