rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-21 15:54:41 +01:00
Code Issues Projects Releases Wiki Activity

More fixes from Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>.

Browse Source
This commit is contained in:
Simon Josefsson 2010-04-13 20:01:22 +00:00
parent 0aa245a9b2
commit 91b73d1c5a
1 changed files with 35 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
README
View File

@ -92,7 +92,7 @@ Supported PAM module parameters are:
{{{ {{{
"authfile": to indicate the location of the file that holds the "authfile": to indicate the location of the file that holds the
mappings of yubikey public IDs to usernames. mappings of yubikey public IDs to user names.
"id": to indicate your client identity. "id": to indicate your client identity.
@ -100,7 +100,7 @@ Supported PAM module parameters are:
"debug": to enable debug output to stdout. "debug": to enable debug output to stdout.
"alwaysok": to enable that all authentication attempts should succeed "alwaysok": to enable all authentication attempts to succeed
(aka presentation mode). (aka presentation mode).
"try_first_pass": "try_first_pass":
@ -115,17 +115,17 @@ Supported PAM module parameters are:
will be denied access. will be denied access.
"url": specify the URL template to use, this is set by calling "url": specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which uses by default: yubikey_client_set_url_template, which defaults to:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s http://api.yubico.com/wsapi/verify?id=%d&otp=%s
"ldap_uri": specifiy the ldap server uri (e.g. ldap://localhost). "ldap_uri": specifiy the ldap server uri (e.g. ldap://localhost).
"ldapdn": specify the dn where the users are stored "ldapdn": specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com). (eg: ou=users,dc=domain,dc=com).
"user_attr": specify the attribute used to store usernames (eg:cn). "user_attr": specify the LDAP attribute used to store user names (eg:cn).
"yubi_attr": specify the attribute used to store the yubikey id. "yubi_attr": specify the LDAP attribute used to store the yubikey id.
}}} }}}
If you are using "debug" you may find it useful to create a If you are using "debug" you may find it useful to create a
@ -136,6 +136,35 @@ world-writable log file:
chmod go+w /var/run/pam-debug.log chmod go+w /var/run/pam-debug.log
}}} }}}
== Authorization Mapping Files ==
A mapping must be made between the yubikey public ID and the user it ID is
attached to. There are two ways to do this, either centrally in one file or
individually, where users can create the mapping in their home directories.
1) Centrally
Create a /etc/yubikey_mappings, the file must contain a user name and the
yubikey Public ID separated by colons (same format at the passwd file) for
each user you want to allow onto the system using a yubikey.
The mappings should look like this, one per line:
<user name>:<yubikey token ID>:<yubikey token ID>: ….
<user name>:<yubikey token ID>:<yubikey token ID>:…..
Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it
looks like:
auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings
2) Individual, by user
Each user creates a ~/.yubico/authorized_yubikeys file inside of their home
directory and places the mapping in that file, the file must have only one
line:
<user name>:<yubikey token ID>:<yubikey token ID>
This is much the same concept as the SSH authorized_keys file.
== Examples == == Examples ==
If you want to use the Yubikey to authenticate you on linux console If you want to use the Yubikey to authenticate you on linux console