mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-20 21:54:16 +01:00

Update Yubikey_and_SSH_via_PAM.adoc

Henrik Stråth 2014-10-29 16:40:16 +01:00
parent 22d4c290e7
commit ccaa679f48


@ -64,7 +64,7 @@ this file. However, presently there is no logic coded to detect or prevent use
of same Yubikey ID for multiple users.
Each record in the file should begin on a new line. The parameters in each
record are separated by “:” character similar to /etc/passwd.
record are separated by `:` character similar to `/etc/passwd`.
The contents of this file are as follows:
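
Review bot: The unchanged sentence at the top of this hunk says nothing detects or prevents use of the same Yubikey ID for multiple users, and the paragraph then moves straight on to the record format. Since this pass is already tidying the surrounding text, consider setting that limitation off as an admonition so that whoever maintains the mapping file sees it. Minor wording on the new line: "separated by the `:` character, similar to `/etc/passwd`".
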
@ -85,11 +85,11 @@ Yubico PAM module for SSH authentication.
====== Configuration of modified pam_yubico.so module at administrative level ======
Append the following line to the beginning of /etc/pam.d/sshd file:
Append the following line to the beginning of the `/etc/pam.d/sshd` file:
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
Make sure you set id=16 to the correct API-id for the yubico validation server.
Make sure you set `id=16` to the correct API-id for the yubico validation server.
After the above configuration changes, whenever a user connects to the server
using any ssh client, the PAM authentication interface will pass the control to
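
Review bot: "Append the following line to the beginning of the `/etc/pam.d/sshd` file" still contradicts itself on the line this hunk rewrites: append means add at the end, and the instruction is specifically about where the line sits in the file. Suggest "Add the following line at the top of the `/etc/pam.d/sshd` file". The sample line also carries `debug` with no explanation, while `id=16` gets a sentence of its own; say what `debug` is for and whether it should stay once testing is done. "yubico validation server" should read "Yubico validation server", and "ssh client" in the context line should match the "SSH client" spelling used later in the file.
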
@ -108,13 +108,13 @@ authentication server, a success code is returned.
In User level, individual users have the ability to configure yubikey token
ID assigned to them. Users can achieve this by creating a new file
".yubico/authorized_yubikeys" inside their home directories that contains
`.yubico/authorized_yubikeys` inside their home directories that contains
information about the username and the corresponding IDs of Yubikey(s) assigned
to them. A user can be assigned multiple Yubikeys and the multi key mapping is
supported by this file.
This file must contain only one record. The parameters in the record are
separated by “:” character similar to /etc/passwd. The contents of this file
separated by `:` character similar to `/etc/passwd`. The contents of this file
are as shown below:
<user name>:<yubikey token ID>:<yubikey token ID>: ….
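
Review bot: The record template on the last line of this hunk, `<user name>:<yubikey token ID>:<yubikey token ID>: ….`, is left as plain text with a typographic ellipsis and a trailing period, while the path and the separator around it are now monospace. This is the line readers copy from, so it should be a literal block, with the "and so on" part moved into the prose. The new path would also be clearer as `~/.yubico/authorized_yubikeys`, which removes the need for "inside their home directories".
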
@ -124,21 +124,21 @@ e.g.
paul:indvnvlcbdre:ldvglinuddek
The .yubico/authorized_yubikeys file must be created/updated manually and must
The `.yubico/authorized_yubikeys` file must be created/updated manually and must
be placed inside user's home directory before configuration of Yubico PAM
module for SSH authentication.
====== Configuration of modified pam_yubico.so module at user level ======
Append the following line to the beginning of /etc/pam.d/sshd file:
Append the following line to the beginning of the `/etc/pam.d/sshd` file:
auth required pam_yubico.so id=16 debug
After the above configuration changes, whenever a user connects to the server
using any SSH client, the PAM authentication interface will pass the control
to Yubico PAM module. The Yubico PAM module first verifies the username with
corresponding Yubikey token id as configured in the .yubico/authorized_yubikeys
corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`
file that present in the user's home directory who is trying to assess server
through SSH. If valid, the Yubico PAM module extracts the OTP string and sends
it to the Yubico authentication server or else it reports failure. After
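
Review bot: The sentence containing the reformatted path is still broken in the two context lines that follow it: "file that present in the user's home directory who is trying to assess server through SSH". Suggest "file that is present in the home directory of the user who is trying to access the server through SSH". The "Append the following line to the beginning of" wording is repeated here and has the same append/beginning contradiction as in the administrative-level section; change both together.
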
@ -168,27 +168,27 @@ response passwords. Change `challenge-response passwords yes` to
Test setup for fedora 8 environment is as follows:
* OS Version: Fedora release 8 (Werewolf)
* Kernel Version: Kernel version 2.6.23.1-42.fc8
* OpenSSH Version : openssh-4.7p1-2.fc8
* Yubico PAM Version: pam_yubico-1.7
OS Version:: Fedora release 8 (Werewolf)
Kernel Version:: Kernel version 2.6.23.1-42.fc8
OpenSSH Version:: openssh-4.7p1-2.fc8
Yubico PAM Version:: pam_yubico-1.7
==== Fedora 6 ====
Test setup for fedora 6 environment is as follows:
* OS Version: Fedora Core release 6 (Zod)
* Kernel Version: Kernel version 2.6.18-1.2798.fc6
* OpenSSH Version : openssh-4.3p2-10
* Yubico PAM Version: pam_yubico-1.7
OS Version:: Fedora Core release 6 (Zod)
Kernel Version:: Kernel version 2.6.18-1.2798.fc6
OpenSSH Version:: openssh-4.3p2-10
Yubico PAM Version:: pam_yubico-1.7
==== PAM configuration ====
PAM configuration files in our testing environment are as follows:
* /etc/pam.d/sshd:
===== /etc/pam.d/sshd =====
-------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
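
Review bot: The new `===== /etc/pam.d/sshd =====` heading turns a file name into a section title and leaves the path unformatted, while every other path this commit touches gets backticks. A title attached to the listing block would label the file without adding a section level under "PAM configuration"; if the heading stays, format the path the same way as elsewhere. In the converted labeled lists, "Kernel Version:: Kernel version 2.6.23.1-42.fc8" repeats its own label, and "fedora 8" / "fedora 6" in the intro sentences should be capitalised.
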
@ -201,17 +201,17 @@ session required pam_loginuid.so
-------
* /etc/yubikeyid:
===== /etc/yubikeyid =====
-------
root:indvnvlcbdre:ldvglinuddek
test:ldvglinuddek
root:indvnvlcbdre:ldvglinuddek
test:ldvglinuddek
-------
* /root/.yubico/authorized_yubikeys:
===== /root/.yubico/authorized_yubikeys =====
-------
root:indvnvlcbdre:ldvglinuddek
root:indvnvlcbdre:ldvglinuddek
-------
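
Review bot: In the `/etc/yubikeyid` sample, `ldvglinuddek` is listed for both `root` and `test`, so as written the test user's Yubikey is also an accepted Yubikey for root. The first hunk of this file states there is no logic to detect or prevent the same Yubikey ID being used for multiple users, so anyone copying this sample gets that sharing without any indication. Either give `test` its own ID in the example or add a sentence saying the overlap is deliberate for the test setup. The same applies to the headings here as in the previous hunk: the file paths are plain text where the rest of the commit uses backticks.
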
Please change PAM configuration settings for SSH as shown above and test the
@ -221,7 +221,7 @@ configuration.
=== Testing the Configuration ===
We assume that you have 'root' and 'test' user configured to access SSH on your
test environment with password “secret” and “pencil” respectively.
test environment with password 'secret' and 'pencil' respectively.
Use any standard SSH client for testing (We used SSH command line utility).
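
Review bot: The replacement line swaps the curly quotes for single quotes around 'secret' and 'pencil', but these are literal values and the rest of this commit marks literals with backticks. Suggest "with passwords `secret` and `pencil` respectively" (also fixing the singular "password"), and the same treatment for 'root' and 'test' on the context line above. It is worth stating next to these values that they are test-environment examples only.
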