rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-12 06:54:21 +01:00
Code Issues Projects Releases Wiki Activity

Update README

Browse Source
This commit is contained in:
Henrik Stråth 2014-10-29 14:55:40 +01:00
parent 305b583f23
commit 6ddea6426d
1 changed files with 79 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
README
View File

@ -134,43 +134,44 @@ For more information, see the project Wiki page.
Supported PAM module parameters are: Supported PAM module parameters are:
------ authfile::
"authfile": to indicate the location of the file that holds the To indicate the location of the file that holds the
mappings of Yubikey token IDs to user names. mappings of Yubikey token IDs to user names.
"id": to indicate your client identity. id:: To indicate your client identity.
"key": to indicate your client key in base64 format. key::
To indicate your client key in base64 format.
The client key is also known as API key, and provides The client key is also known as API key, and provides
integrity in the communication between the client (you) integrity in the communication between the client (you)
and the validation server. and the validation server.
If you want to get one for use with the default YubiCloud If you want to get one for use with the default YubiCloud
service, visit this URL : service, go https://upgrade.yubico.com/getapikey[here].
https://upgrade.yubico.com/getapikey/ debug:: to enable debug output to stdout.
"debug": to enable debug output to stdout. alwaysok::
to enable all authentication attempts to succeed
"alwaysok": to enable all authentication attempts to succeed
(aka presentation mode). (aka presentation mode).
"try_first_pass": try_first_pass::
Before prompting the user for their password, the module Before prompting the user for their password, the module
first tries the previous stacked module´s password in case first tries the previous stacked module´s password in case
that satisfies this module as well. that satisfies this module as well.
"use_first_pass": use_first_pass::
The argument use_first_pass forces the module to use a previous The argument use_first_pass forces the module to use a previous
stacked modules password and will never prompt the user - if no stacked modules password and will never prompt the user - if no
password is available or the password is not appropriate, the user password is available or the password is not appropriate, the user
will be denied access. will be denied access.
"urllist": List of URL templates to be used. This is set by calling urllist::
List of URL templates to be used. This is set by calling
ykclient_set_url_bases. The list should be in the format : ykclient_set_url_bases. The list should be in the format :
`https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify`
"https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify" url::
This option should not be used, please use the urllist
"url": This option should not be used, please use the urllist
option instead. option instead.
Specify the URL template to use, this is set by calling Specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which defaults to: yubikey_client_set_url_template, which defaults to:
@ -183,11 +184,12 @@ Supported PAM module parameters are:
depending on your version of yubico-c-client. depending on your version of yubico-c-client.
"capath": specify the path where X509 certificates are stored. This is capath::
specify the path where X509 certificates are stored. This is
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri' required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri'
respectively. respectively.
"verbose_otp": verbose_otp::
This argument is used to show the OTP (One Time Password) when it This argument is used to show the OTP (One Time Password) when it
is entered, i.e. to enable terminal echo of entered characters. is entered, i.e. to enable terminal echo of entered characters.
You are advised to not use this, if you are using two factor You are advised to not use this, if you are using two factor
@ -196,29 +198,32 @@ Supported PAM module parameters are:
This requires the service using the PAM module to This requires the service using the PAM module to
display custom fields. For example, OpenSSH requires display custom fields. For example, OpenSSH requires
you to configure "ChallengeResponseAuthentication no". you to configure `ChallengeResponseAuthentication no`.
"ldap_uri": specify the LDAP server URI (e.g. ldap://localhost). ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost).
"ldapserver": specify the LDAP server host (default LDAP port is used). ldapserver::
specify the LDAP server host (default LDAP port is used).
_Deprecated. Use "ldap_uri" instead._ _Deprecated. Use "ldap_uri" instead._
"ldapdn": specify the dn where the users are stored ldapdn::
specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com). (eg: ou=users,dc=domain,dc=com).
"user_attr": specify the LDAP attribute used to store user names (eg:cn). user_attr:: specify the LDAP attribute used to store user names (eg:cn).
"yubi_attr": specify the LDAP attribute used to store the Yubikey id. yubi_attr:: specify the LDAP attribute used to store the Yubikey ID.
"yubi_attr_prefix": yubi_attr_prefix::
specify the prefix of the LDAP attribute's value, in case specify the prefix of the LDAP attribute's value, in case
of a generic attribute, used to store several types of ids. of a generic attribute, used to store several types of IDs.
"token_id_length": token_id_length::
Length of ID prefixing the OTP (this is 12 if using the Length of ID prefixing the OTP (this is 12 if using the
YubiCloud). YubiCloud).
"mode":
mode::
Mode of operation. Use "client" for online validation with Mode of operation. Use "client" for online validation with
a YubiKey validation service such as the YubiCloud, or use a YubiKey validation service such as the YubiCloud, or use
"challenge-response" for offline validation using YubiKeys "challenge-response" for offline validation using YubiKeys
@ -250,7 +255,7 @@ be used.
Central authorization mapping Central authorization mapping
----------------------------- -----------------------------
Create a /etc/yubikey_mappings, the file must contain a user name and the Create a `/etc/yubikey_mappings`, the file must contain a user name and the
Yubikey token ID separated by colons (same format as the passwd file) for Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey. each user you want to allow onto the system using a Yubikey.
@ -287,10 +292,8 @@ Obtaining the Yubikey token ID (a.k.a. public ID)
You can obtain the Yubikey token ID in several ways. One is by You can obtain the Yubikey token ID in several ways. One is by
removing the last 32 characters of any OTP (One Time Password) removing the last 32 characters of any OTP (One Time Password)
generated with your Yubikey. Another is by using the modhex generated with your Yubikey. Another is by using the
calculator located here: http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].
http://demo.yubico.com/php-yubico/Modhex_Calculator.php
Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
characters and listed as: characters and listed as:
@ -348,16 +351,7 @@ Examples
-------- --------
If you want to use the Yubikey to authenticate you on linux console If you want to use the Yubikey to authenticate you on linux console
logins, add the following to the top of /etc/pam.d/login: logins, add the following to the top of `/etc/pam.d/login`:
------
auth sufficient pam_yubico.so id=16 debug auth sufficient pam_yubico.so id=16 debug
------
Feedback
--------
If you want to discuss anything related to the Yubico PAM module,
please e-mail the mailing list yubico-devel@googlegroups.com.