mirror of https://github.com/Yubico/yubico-pam.git synced 2024-11-29 00:24:11 +01:00

Merge branch 'pr-196'

Klas Lindfors 2019-07-01 08:35:04 +02:00
commit b5bd00db81
No known key found for this signature in database
GPG Key ID: BCA00FD4B2168C0A
2 changed files with 13 additions and 1 deletions


@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8
DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS)
MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST += $(MANSOURCES)
EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile
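Review bot: the path change in `EXTRA_DIST` (`doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc` to `doc/YubiKey_and_SELinux.adoc`) only works if the file was actually moved in the tree; `make dist` fails on a missing `EXTRA_DIST` entry, so the rename of the document itself should land in the same commit (preferably via `git mv`, so the file history is preserved). The commit summary lists two changed files, so that appears to be the case, but the rename is not visible in this hunk.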


@ -1,3 +1,5 @@
== Enable HTTP connection for sshd
Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
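Review bot: the new `== Enable HTTP connection for sshd` heading, together with the file rename to the generic `YubiKey_and_SELinux.adoc`, makes the document read as a general SELinux guide, while the body under it is still scoped to Fedora 17/18 and up. Suggest either keeping the Fedora scope in the heading or adding one sentence stating on which other systems the same boolean applies, so readers on non-Fedora hosts know whether this section is for them.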
@ -9,3 +11,13 @@ To make a long story short, if you want to use a YubiKey on a system running Fed
If you are using your own server via `urllist`/`url` in the pam conf file and using a non-standard http port, you will need to add that port to the `http_port_t` port list. For example, port `12345`:
semanage port -a -t http_port_t -p tcp 12345
== Enable debug_file support for sshd
By default, SELinux prevents sshd from opening local files other than SSH configuration files. If you would like to debug this module using `debug` and `debug_file` parameters, you may need to temporarily relax your SELinux confinement:
setenforce permissive
Don't forget to re-enable SELinux once you're done:
setenforce enforcing
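Review bot: `setenforce permissive` in this hunk drops SELinux enforcement for the whole host, not just for sshd's access to the `debug_file` path, which is a much broader relaxation than the targeted boolean and `semanage port` steps the first section already teaches. Suggest documenting the targeted route alongside it: after the denial shows up in the audit log, build a minimal local policy module from it with `audit2allow` (part of the standard SELinux policy tools) instead of leaving the system permissive, and keep permissive mode for a short debugging session only. It may also help to state that `setenforce` changes are not persistent across a reboot, so "Don't forget to re-enable SELinux" applies to the current boot.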