rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-07 18:54:20 +01:00
Code Issues Projects Releases Wiki Activity

Update README

Browse Source
This commit is contained in:
Henrik Stråth 2014-10-29 14:55:40 +01:00
parent 305b583f23
commit 6ddea6426d
1 changed files with 79 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

164
README
View File

@ -134,97 +134,102 @@ For more information, see the project Wiki page.
Supported PAM module parameters are: Supported PAM module parameters are:
------ authfile::
"authfile": to indicate the location of the file that holds the To indicate the location of the file that holds the
mappings of Yubikey token IDs to user names. mappings of Yubikey token IDs to user names.
"id": to indicate your client identity. id:: To indicate your client identity.
"key": to indicate your client key in base64 format. key::
The client key is also known as API key, and provides To indicate your client key in base64 format.
integrity in the communication between the client (you) The client key is also known as API key, and provides
and the validation server. integrity in the communication between the client (you)
If you want to get one for use with the default YubiCloud and the validation server.
service, visit this URL : If you want to get one for use with the default YubiCloud
service, go https://upgrade.yubico.com/getapikey[here].
https://upgrade.yubico.com/getapikey/ debug:: to enable debug output to stdout.
"debug": to enable debug output to stdout. alwaysok::
to enable all authentication attempts to succeed
(aka presentation mode).
"alwaysok": to enable all authentication attempts to succeed try_first_pass::
(aka presentation mode). Before prompting the user for their password, the module
first tries the previous stacked module´s password in case
that satisfies this module as well.
"try_first_pass": use_first_pass::
Before prompting the user for their password, the module The argument use_first_pass forces the module to use a previous
first tries the previous stacked module´s password in case stacked modules password and will never prompt the user - if no
that satisfies this module as well. password is available or the password is not appropriate, the user
will be denied access.
"use_first_pass": urllist::
The argument use_first_pass forces the module to use a previous List of URL templates to be used. This is set by calling
stacked modules password and will never prompt the user - if no ykclient_set_url_bases. The list should be in the format :
password is available or the password is not appropriate, the user `https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify`
will be denied access.
"urllist": List of URL templates to be used. This is set by calling url::
ykclient_set_url_bases. The list should be in the format : This option should not be used, please use the urllist
option instead.
Specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which defaults to:
"https://server/wsapi/2.0/verify;https://server/wsapi/2.0/verify" https://api.yubico.com/wsapi/verify?id=%d&otp=%s
"url": This option should not be used, please use the urllist or
option instead.
Specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which defaults to:
https://api.yubico.com/wsapi/verify?id=%d&otp=%s https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
or depending on your version of yubico-c-client.
https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s capath::
specify the path where X509 certificates are stored. This is
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri'
respectively.
depending on your version of yubico-c-client. verbose_otp::
This argument is used to show the OTP (One Time Password) when it
is entered, i.e. to enable terminal echo of entered characters.
You are advised to not use this, if you are using two factor
authentication because that will display your password on the
screen.
"capath": specify the path where X509 certificates are stored. This is This requires the service using the PAM module to
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri' display custom fields. For example, OpenSSH requires
respectively. you to configure `ChallengeResponseAuthentication no`.
"verbose_otp": ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost).
This argument is used to show the OTP (One Time Password) when it
is entered, i.e. to enable terminal echo of entered characters.
You are advised to not use this, if you are using two factor
authentication because that will display your password on the
screen.
This requires the service using the PAM module to
display custom fields. For example, OpenSSH requires
you to configure "ChallengeResponseAuthentication no".
"ldap_uri": specify the LDAP server URI (e.g. ldap://localhost).
"ldapserver": specify the LDAP server host (default LDAP port is used). ldapserver::
_Deprecated. Use "ldap_uri" instead._ specify the LDAP server host (default LDAP port is used).
_Deprecated. Use "ldap_uri" instead._
"ldapdn": specify the dn where the users are stored ldapdn::
(eg: ou=users,dc=domain,dc=com). specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com).
"user_attr": specify the LDAP attribute used to store user names (eg:cn). user_attr:: specify the LDAP attribute used to store user names (eg:cn).
"yubi_attr": specify the LDAP attribute used to store the Yubikey id. yubi_attr:: specify the LDAP attribute used to store the Yubikey ID.
"yubi_attr_prefix": yubi_attr_prefix::
specify the prefix of the LDAP attribute's value, in case specify the prefix of the LDAP attribute's value, in case
of a generic attribute, used to store several types of ids. of a generic attribute, used to store several types of IDs.
"token_id_length": token_id_length::
Length of ID prefixing the OTP (this is 12 if using the Length of ID prefixing the OTP (this is 12 if using the
YubiCloud). YubiCloud).
"mode":
Mode of operation. Use "client" for online validation with mode::
a YubiKey validation service such as the YubiCloud, or use Mode of operation. Use "client" for online validation with
"challenge-response" for offline validation using YubiKeys a YubiKey validation service such as the YubiCloud, or use
with HMAC-SHA-1 Challenge-Response configurations. See the "challenge-response" for offline validation using YubiKeys
man-page ykpamcfg(1) for further details on how to configure with HMAC-SHA-1 Challenge-Response configurations. See the
offline Challenge-Response validation. man-page ykpamcfg(1) for further details on how to configure
offline Challenge-Response validation.
------ ------
@ -250,7 +255,7 @@ be used.
Central authorization mapping Central authorization mapping
----------------------------- -----------------------------
Create a /etc/yubikey_mappings, the file must contain a user name and the Create a `/etc/yubikey_mappings`, the file must contain a user name and the
Yubikey token ID separated by colons (same format as the passwd file) for Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey. each user you want to allow onto the system using a Yubikey.
@ -287,10 +292,8 @@ Obtaining the Yubikey token ID (a.k.a. public ID)
You can obtain the Yubikey token ID in several ways. One is by You can obtain the Yubikey token ID in several ways. One is by
removing the last 32 characters of any OTP (One Time Password) removing the last 32 characters of any OTP (One Time Password)
generated with your Yubikey. Another is by using the modhex generated with your Yubikey. Another is by using the
calculator located here: http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].
http://demo.yubico.com/php-yubico/Modhex_Calculator.php
Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
characters and listed as: characters and listed as:
@ -307,7 +310,7 @@ Fast way
It will output an OTP into the shell: It will output an OTP into the shell:
------ ------
$ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj $ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
------ ------
@ -348,16 +351,7 @@ Examples
-------- --------
If you want to use the Yubikey to authenticate you on linux console If you want to use the Yubikey to authenticate you on linux console
logins, add the following to the top of /etc/pam.d/login: logins, add the following to the top of `/etc/pam.d/login`:
------ auth sufficient pam_yubico.so id=16 debug
auth sufficient pam_yubico.so id=16 debug
------
Feedback
--------
If you want to discuss anything related to the Yubico PAM module,
please e-mail the mailing list yubico-devel@googlegroups.com.