rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2024-11-29 00:24:11 +01:00
Code Issues Projects Releases Wiki Activity

Remove double space after periods

Browse Source
This commit is contained in:
Karol Babioch 2018-05-04 10:45:52 +02:00
parent fa3833b0a0
commit b9aaee97ab
13 changed files with 34 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
NEWS
View File

@ -170,7 +170,7 @@ Reported and patched by Nanakos Chrysostomos <nanakos@wired-net.gr>.
* Version 2.7 (released 2011-06-07) * Version 2.7 (released 2011-06-07)
** Make dependency on libykpers optional. ** Make dependency on libykpers optional.
Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>. Use --without-cr to force it. Reported by Jussi Sallinen <jussi@jus.si>.
* Version 2.6 (released 2011-04-11) * Version 2.6 (released 2011-04-11)
@ -200,7 +200,7 @@ fraser.scott@gmail.com.
* Version 2.5 (released 2010-09-10) * Version 2.5 (released 2010-09-10)
** Wiki articles are now inclded in the archive. Same license as code. ** Wiki articles are now inclded in the archive. Same license as code.
Reported by dmitrij.ledkov in Issue #30: Reported by dmitrij.ledkov in Issue #30:
<http://code.google.com/p/yubico-pam/issues/detail?id=30>. <http://code.google.com/p/yubico-pam/issues/detail?id=30>.
@ -229,7 +229,7 @@ Reported by multiple people in Issue #11:
** New keyword "ldap_uri" added. ** New keyword "ldap_uri" added.
This keyword is preferred over the old "ldapserver" keyword, and This keyword is preferred over the old "ldapserver" keyword, and
allows you to specify a complete LDAP URI instead of only the hostname allows you to specify a complete LDAP URI instead of only the hostname
of your LDAP server. Contributed by Zubrick. of your LDAP server. Contributed by Zubrick.
** Improved README. ** Improved README.
Contributed by Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>. Contributed by Erinn Looney-Triggs <erinn.looneytriggs@gmail.com>.
@ -259,7 +259,7 @@ See <http://code.google.com/p/yubico-c-client/>.
Earlier string handling may have been incorrect for short strings. Earlier string handling may have been incorrect for short strings.
** Don't pass integers via pam_set_data/pam_get_data. ** Don't pass integers via pam_set_data/pam_get_data.
May solve problems on 64-bit platforms. Based on patch from May solve problems on 64-bit platforms. Based on patch from
forum.yubico.com. forum.yubico.com.
* Version 1.12 (released 2009-03-24) * Version 1.12 (released 2009-03-24)

14
README
View File

@ -2,7 +2,7 @@
image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"] image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"]
The Yubico PAM module provides an easy way to integrate the YubiKey The Yubico PAM module provides an easy way to integrate the YubiKey
into your existing user authentication infrastructure. PAM is used by into your existing user authentication infrastructure. PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other GNU/Linux, Solaris and Mac OS X for user authentication, and by other
specialized applications such as NCSA MyProxy. specialized applications such as NCSA MyProxy.
@ -23,8 +23,8 @@ this dependency.
The development community is co-ordinated via The development community is co-ordinated via
https://github.com/Yubico/yubico-pam[the GitHub project page]. https://github.com/Yubico/yubico-pam[the GitHub project page].
The project is licensed under a BSD license. See the file COPYING for The project is licensed under a BSD license. See the file COPYING for
exact wording. For any copyright year range specified as YYYY-ZZZZ in exact wording. For any copyright year range specified as YYYY-ZZZZ in
this package note that the range specifies every single year in that this package note that the range specifies every single year in that
closed interval. closed interval.
@ -213,13 +213,13 @@ verbose_otp::
authentication because that will display your password on the authentication because that will display your password on the
screen. screen.
This requires the service using the PAM module to This requires the service using the PAM module to
display custom fields. This option can not be used with OpenSSH. display custom fields. This option can not be used with OpenSSH.
ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost). ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost).
ldapserver:: ldapserver::
specify the LDAP server host (default LDAP port is used). specify the LDAP server host (default LDAP port is used).
_Deprecated. Use "ldap_uri" instead._ _Deprecated. Use "ldap_uri" instead._
ldapdn:: ldapdn::
specify the dn where the users are stored specify the dn where the users are stored
@ -316,9 +316,9 @@ This is much the same concept as the SSH authorized_keys file.
Obtaining the YubiKey token ID (a.k.a. public ID) Obtaining the YubiKey token ID (a.k.a. public ID)
------------------------------------------------- -------------------------------------------------
You can obtain the YubiKey token ID in several ways. One is by You can obtain the YubiKey token ID in several ways. One is by
removing the last 32 characters of any OTP (One Time Password) removing the last 32 characters of any OTP (One Time Password)
generated with your YubiKey. Another is by using the generated with your YubiKey. Another is by using the
http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator]. http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].
Enter your YubiKey OTP and convert it, your YubiKey token ID is 12 Enter your YubiKey OTP and convert it, your YubiKey token ID is 12

2
build-aux/config.rpath
View File

@ -176,7 +176,7 @@ if test "$with_gnu_ld" = yes; then
# Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports # Samuel A. Falvo II <kc5tja@dolphin.openprojects.net> reports
# that the semantics of dynamic libraries on AmigaOS, at least up # that the semantics of dynamic libraries on AmigaOS, at least up
# to version 4, is to share data among multiple programs linked # to version 4, is to share data among multiple programs linked
# with the same dynamic library. Since this doesn't match the # with the same dynamic library. Since this doesn't match the
# behavior of shared libraries on other platforms, we cannot use # behavior of shared libraries on other platforms, we cannot use
# them. # them.
ld_shlibs=no ld_shlibs=no

12
doc/Authentication_Using_Challenge-Response.adoc
View File

@ -14,7 +14,7 @@ for a YubiKey with serial number API readout enabled, and
The PAM module supports a system-wide directory for these state files The PAM module supports a system-wide directory for these state files
(in case the user's home directories are encrypted), but in a system-wide (in case the user's home directories are encrypted), but in a system-wide
directory, the 'challenge' part should be replaced with the directory, the 'challenge' part should be replaced with the
username. Example: `/var/yubico/alice-123456`. username. Example: `/var/yubico/alice-123456`.
To use the system-wide mode, you currently have to move the generated To use the system-wide mode, you currently have to move the generated
state files manually and configure the PAM module accordingly. state files manually and configure the PAM module accordingly.
@ -27,14 +27,14 @@ First install the package:
$ sudo apt-get install libpam-yubico $ sudo apt-get install libpam-yubico
------ ------
You will get a question about the PAM configuration line. Enter this You will get a question about the PAM configuration line. Enter this
line: line:
------ ------
mode=challenge-response mode=challenge-response
------ ------
The next question will be about which PAM modules to enable. Don't The next question will be about which PAM modules to enable. Don't
enable anything just yet, because you need to program your YubiKey enable anything just yet, because you need to program your YubiKey
first. first.
@ -45,9 +45,9 @@ you may use this command:
$ sudo dpkg-reconfigure libpam-yubico $ sudo dpkg-reconfigure libpam-yubico
------ ------
The next step is to add a challenge-response slot to your YubiKey. If The next step is to add a challenge-response slot to your YubiKey. If
you have a normal YubiKey with OTP functionality on the first slot, you have a normal YubiKey with OTP functionality on the first slot,
you could add Challenge-Response on the second slot. You could have you could add Challenge-Response on the second slot. You could have
CR on the first slot, if you want. CR on the first slot, if you want.
First, program a YubiKey for challenge response on Slot 2: First, program a YubiKey for challenge response on Slot 2:
@ -126,7 +126,7 @@ and then create a log file:
# chmod go+w /var/run/pam-debug.log # chmod go+w /var/run/pam-debug.log
---- ----
and then tail the file. For successful logins it should print and then tail the file. For successful logins it should print
something like this: something like this:
---- ----

8
doc/Two_Factor_PAM_Configuration.adoc
View File

@ -1,5 +1,5 @@
PAM configuration is somewhat complex, but a typical use-case is to PAM configuration is somewhat complex, but a typical use-case is to
require both a password and YubiKey to allow access. This can be require both a password and YubiKey to allow access. This can be
achieved by a PAM configuration like this: achieved by a PAM configuration like this:
---- ----
@ -7,7 +7,7 @@ auth requisite pam_yubico.so id=42
auth required pam_unix.so use_first_pass auth required pam_unix.so use_first_pass
---- ----
The first line makes pam_yubico check the OTP. Use either a per-user The first line makes pam_yubico check the OTP. Use either a per-user
file called `~/.yubico/authorized_yubikeys`, or a system-wide file called file called `~/.yubico/authorized_yubikeys`, or a system-wide file called
`/etc/yubikey_mappings` to specify which YubiKeys that can be used to log `/etc/yubikey_mappings` to specify which YubiKeys that can be used to log
in as specific users. See https://developers.yubico.com/yubico-pam[the README] in as specific users. See https://developers.yubico.com/yubico-pam[the README]
@ -18,12 +18,12 @@ module should check should be received from the earlier PAM modules
and that the module should not query for passwords. and that the module should not query for passwords.
Of course, if you use username/password verification from a SQL Of course, if you use username/password verification from a SQL
database or LDAP, you need to change the second line above. But the database or LDAP, you need to change the second line above. But the
module you use needs to support 'use_first_pass' for this to work. module you use needs to support 'use_first_pass' for this to work.
Most modules support this. Most modules support this.
Be sure to comment out any other 'auth' lines in your PAM configuration, Be sure to comment out any other 'auth' lines in your PAM configuration,
unless you want those. For example, Debian contains a unless you want those. For example, Debian contains a
'@include common-auth' which would confuse the configuration. '@include common-auth' which would confuse the configuration.
To log in, you now need to enter both your Unix password and enter an To log in, you now need to enter both your Unix password and enter an

2
doc/Ubuntu_FreeRadius_YubiKey.adoc
View File

@ -57,7 +57,7 @@ Install FreeRadius:
/etc/init.d/freeradius stop /etc/init.d/freeradius stop
------ ------
Next we configure FreeRadius. First add this to /etc/freeradius/users: Next we configure FreeRadius. First add this to /etc/freeradius/users:
------ ------
DEFAULT Auth-Type = pam DEFAULT Auth-Type = pam

6
doc/YubiKey_and_Radius_via_PAM.adoc
View File

@ -6,7 +6,7 @@ The purpose of this page is to collect all information needed to set up a Radius
Details Details
------- -------
We currently use FreeRadius. The paths below may be specific to Debian's packages, please update this if you have paths for other systems. We currently use FreeRadius. The paths below may be specific to Debian's packages, please update this if you have paths for other systems.
Build pam_yubico and install FreeRadius Build pam_yubico and install FreeRadius
--------------------------------------- ---------------------------------------
@ -39,7 +39,7 @@ In /etc/freeradius/radiusd.conf, check that 'pam' is uncommented in the 'authent
Configure PAM for the Radius server Configure PAM for the Radius server
----------------------------------- -----------------------------------
The PAM service is 'radiusd', and the configuration file is stored in /etc/pam.d/radiusd. Add something like: The PAM service is 'radiusd', and the configuration file is stored in /etc/pam.d/radiusd. Add something like:
auth sufficient pam_yubico.so id=16 debug auth sufficient pam_yubico.so id=16 debug
@ -55,4 +55,4 @@ Then invoke a test client as follows:
$ radtest yubico vlrlcingbbkrctguicnijbegfjhrdhccefdthcuifkgr 127.0.0.1 0 pencil $ radtest yubico vlrlcingbbkrctguicnijbegfjhrdhccefdthcuifkgr 127.0.0.1 0 pencil
If you get errors about non-existing user, you may need to create a Unix user 'yubico'. Whether this should be needed or not depends on PAM configuration. If you get errors about non-existing user, you may need to create a Unix user 'yubico'. Whether this should be needed or not depends on PAM configuration.

6
doc/YubiKey_and_SSH_via_PAM.adoc
View File

@ -94,11 +94,11 @@ Make sure you set `id=16` to the correct API-id for the yubico validation server
After the above configuration changes, whenever a user connects to the server After the above configuration changes, whenever a user connects to the server
using any ssh client, the PAM authentication interface will pass the control to using any ssh client, the PAM authentication interface will pass the control to
Yubico PAM module. The Yubico PAM module first checks the presence of authfile Yubico PAM module. The Yubico PAM module first checks the presence of authfile
argument in PAM configuration. If authfile argument is present, it parses the argument in PAM configuration. If authfile argument is present, it parses the
corresponding mapping file and verifies the username with corresponding corresponding mapping file and verifies the username with corresponding
YubiKey token id as configured in the mapping file. If valid, the Yubico PAM YubiKey token id as configured in the mapping file. If valid, the Yubico PAM
module extracts the OTP string and sends it to the Yubico authentication server module extracts the OTP string and sends it to the Yubico authentication server
or else it reports failure. If authfile argument is present but the mapping or else it reports failure. If authfile argument is present but the mapping
file is not present at the provided path PAM module reports failure. After file is not present at the provided path PAM module reports failure. After
successful verification of OTP Yubico PAM module from the Yubico successful verification of OTP Yubico PAM module from the Yubico
authentication server, a success code is returned. authentication server, a success code is returned.
@ -223,7 +223,7 @@ configuration.
We assume that you have 'root' and 'test' user configured to access SSH on your We assume that you have 'root' and 'test' user configured to access SSH on your
test environment with password 'secret' and 'pencil' respectively. test environment with password 'secret' and 'pencil' respectively.
Use any standard SSH client for testing (We used SSH command line utility). Use any standard SSH client for testing (We used SSH command line utility).
Try to login to server with SSH client as configured user: Try to login to server with SSH client as configured user:

2
m4/lib-ld.m4
View File

@ -84,7 +84,7 @@ AC_CACHE_VAL([acl_cv_path_LD],
test -z "$ac_dir" && ac_dir=. test -z "$ac_dir" && ac_dir=.
if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then
acl_cv_path_LD="$ac_dir/$ac_prog" acl_cv_path_LD="$ac_dir/$ac_prog"
# Check to see if the program is GNU ld. I'd rather use --version, # Check to see if the program is GNU ld. I'd rather use --version,
# but apparently some GNU ld's only accept -v. # but apparently some GNU ld's only accept -v.
# Break only if it was the GNU/non-GNU ld that we prefer. # Break only if it was the GNU/non-GNU ld that we prefer.
case `"$acl_cv_path_LD" -v 2>&1 < /dev/null` in case `"$acl_cv_path_LD" -v 2>&1 < /dev/null` in

2
m4/manywarnings.m4
View File

@ -9,7 +9,7 @@ dnl From Simon Josefsson
# gl_MANYWARN_COMPLEMENT(OUTVAR, LISTVAR, REMOVEVAR) # gl_MANYWARN_COMPLEMENT(OUTVAR, LISTVAR, REMOVEVAR)
# -------------------------------------------------- # --------------------------------------------------
# Copy LISTVAR to OUTVAR except for the entries in REMOVEVAR. # Copy LISTVAR to OUTVAR except for the entries in REMOVEVAR.
# Elements separated by whitespace. In set logic terms, the function # Elements separated by whitespace. In set logic terms, the function
# does OUTVAR = LISTVAR \ REMOVEVAR. # does OUTVAR = LISTVAR \ REMOVEVAR.
AC_DEFUN([gl_MANYWARN_COMPLEMENT], AC_DEFUN([gl_MANYWARN_COMPLEMENT],
[ [

2
m4/warnings.m4
View File

@ -43,7 +43,7 @@ AS_VAR_POPDEF([gl_Warn])dnl
# [PROGRAM = AC_LANG_PROGRAM()]) # [PROGRAM = AC_LANG_PROGRAM()])
# --------------------------------------------- # ---------------------------------------------
# Adds parameter to WARN_CFLAGS if the compiler supports it when # Adds parameter to WARN_CFLAGS if the compiler supports it when
# compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]). # compiling PROGRAM. For example, gl_WARN_ADD([-Wparentheses]).
# #
# If VARIABLE is a variable name, AC_SUBST it. # If VARIABLE is a variable name, AC_SUBST it.
AC_DEFUN([gl_WARN_ADD], AC_DEFUN([gl_WARN_ADD],

2
pam_yubico.8.txt
View File

@ -69,7 +69,7 @@ Show the One-Time Password when it is entered, i.e. to enable terminal echo of e
The LDAP server URI (e.g. ldap://localhost). The LDAP server URI (e.g. ldap://localhost).
*ldap_server*=_server_:: *ldap_server*=_server_::
The LDAP server host (default LDAP port is used). *Deprecated. Use 'ldap_uri' instead.* The LDAP server host (default LDAP port is used). *Deprecated. Use 'ldap_uri' instead.*
*ldapdn*=_dn_:: *ldapdn*=_dn_::
The distinguished name (DN) where the users are stored (eg: ou=users,dc=domain,dc=com). If 'ldap_filter' is used this is the base from which the subtree search will be performed. The distinguished name (DN) where the users are stored (eg: ou=users,dc=domain,dc=com). If 'ldap_filter' is used this is the base from which the subtree search will be performed.

2
pam_yubico.c
View File

@ -284,7 +284,7 @@ authorize_user_token_ldap (struct cfg *cfg,
ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol); ldap_set_option (ld, LDAP_OPT_PROTOCOL_VERSION, &protocol);
if (cfg->ldap_uri && cfg->ldap_cacertfile) { if (cfg->ldap_uri && cfg->ldap_cacertfile) {
/* Set CA CERTFILE. This makes ldaps work when using ldap_uri */ /* Set CA CERTFILE. This makes ldaps work when using ldap_uri */
ldap_set_option (0, LDAP_OPT_X_TLS_CACERTFILE, cfg->ldap_cacertfile); ldap_set_option (0, LDAP_OPT_X_TLS_CACERTFILE, cfg->ldap_cacertfile);
} }
/* Bind anonymously to the LDAP server. */ /* Bind anonymously to the LDAP server. */