mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-27 06:54:15 +01:00

Merge branch 'pr-196'

Klas Lindfors 2019-07-01 08:35:04 +02:00
commit b5bd00db81
No known key found for this signature in database
GPG Key ID: BCA00FD4B2168C0A
2 changed files with 13 additions and 1 deletions

View File

@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8
DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS) DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS)
MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST += $(MANSOURCES) EXTRA_DIST += $(MANSOURCES)
EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile
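Review bot: The EXTRA_DIST rename from doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc to doc/YubiKey_and_SELinux.adoc only builds if the file itself was moved in the same commit; otherwise `make dist` aborts on the missing path. The summary line ("2 changed files with 13 additions and 1 deletions") is consistent with a tracked rename, but the second file hunk on this page shows no old/new path, so confirm that the old name is gone from the tree and that nothing else (README, other docs) still links to the old file name.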

View File

@ -1,3 +1,5 @@
== Enable HTTP connection for sshd
Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled. Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports. Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
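Review bot: The new `== Enable HTTP connection for sshd` heading goes at the top of a file that was just renamed to drop "Fedora 18 and up" from its name, yet the first sentence under it still scopes the whole section to Fedora 17/18. Either keep the Fedora qualifier in the heading or add one sentence saying which other distributions ship the same boolean, so the generic file name does not promise more than the text covers.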
@ -9,3 +11,13 @@ To make a long story short, if you want to use a YubiKey on a system running Fed
If you are using your own server via `urllist`/`url` in the pam conf file and using a non-standard http port, you will need to add that port to the `http_port_t` port list. For example, port `12345`: If you are using your own server via `urllist`/`url` in the pam conf file and using a non-standard http port, you will need to add that port to the `http_port_t` port list. For example, port `12345`:
semanage port -a -t http_port_t -p tcp 12345 semanage port -a -t http_port_t -p tcp 12345
== Enable debug_file support for sshd
By default, SELinux prevents sshd from opening local files other than SSH configuration files. If you would like to debug this module using `debug` and `debug_file` parameters, you may need to temporarily relax your SELinux confinement:
setenforce permissive
Don't forget to re-enable SELinux once you're done:
setenforce enforcing
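Review bot: `setenforce permissive` in the new "Enable debug_file support for sshd" section drops enforcement for every domain on the host, which is far broader than the stated goal of letting sshd write a `debug_file`. Suggest documenting the narrower option first, making only the sshd domain permissive with `semanage permissive -a sshd_t` (reverted with `semanage permissive -d sshd_t`), and keeping the system-wide `setenforce permissive` as a fallback; it would also help to state that `setenforce` does not persist across a reboot, so a forgotten `setenforce enforcing` is corrected automatically but a forgotten `semanage permissive -a` is not.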