mirror of https://github.com/Yubico/yubico-pam.git (synced 2025-02-20 21:54:16 +01:00)

Update Yubikey_and_SSH_via_PAM.adoc

parent 22d4c290e7
commit ccaa679f48
@ -64,7 +64,7 @@ this file. However, presently there is no logic coded to detect or prevent use
of same Yubikey ID for multiple users.

Each record in the file should begin on a new line. The parameters in each
record are separated by “:” character similar to /etc/passwd.
record are separated by `:` character similar to `/etc/passwd`.

The contents of this file are as follows:

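Review bot: the rewritten line "record are separated by `:` character similar to `/etc/passwd`." still lacks the article; since the line is being touched for the backticks anyway, make it "record are separated by the `:` character, similar to `/etc/passwd`." The identical sentence in the user-level section (hunk @108, "separated by `:` character similar to `/etc/passwd`. The contents of this file") needs the same fix.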
@ -85,11 +85,11 @@ Yubico PAM module for SSH authentication.

====== Configuration of modified pam_yubico.so module at administrative level ======

Append the following line to the beginning of /etc/pam.d/sshd file:
Append the following line to the beginning of the `/etc/pam.d/sshd` file:

auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file

Make sure you set id=16 to the correct API-id for the yubico validation server.
Make sure you set `id=16` to the correct API-id for the yubico validation server.

After the above configuration changes, whenever a user connects to the server
using any ssh client, the PAM authentication interface will pass the control to
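Review bot: the rewritten line "Make sure you set `id=16` to the correct API-id for the yubico validation server." keeps the lowercase "yubico" that the rest of the document capitalises ("Yubico PAM module", "Yubico authentication server"), and the example line above it, `auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file`, still shows 16 as if it were a usable value. Capitalise "Yubico" and state explicitly that 16 is a placeholder the reader replaces with their own id, since this sentence is the only place that tells the reader the value is not a default.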
@ -108,13 +108,13 @@ authentication server, a success code is returned.

In User level, individual users have the ability to configure yubikey token
ID assigned to them. Users can achieve this by creating a new file
".yubico/authorized_yubikeys" inside their home directories that contains
`.yubico/authorized_yubikeys` inside their home directories that contains
information about the username and the corresponding IDs of Yubikey(s) assigned
to them. A user can be assigned multiple Yubikeys and the multi key mapping is
supported by this file.

This file must contain only one record. The parameters in the record are
separated by “:” character similar to /etc/passwd. The contents of this file
separated by `:` character similar to `/etc/passwd`. The contents of this file
are as shown below:

<user name>:<yubikey token ID>:<yubikey token ID>: ….
@ -124,21 +124,21 @@ e.g.
paul:indvnvlcbdre:ldvglinuddek


The .yubico/authorized_yubikeys file must be created/updated manually and must
The `.yubico/authorized_yubikeys` file must be created/updated manually and must
be placed inside user's home directory before configuration of Yubico PAM
module for SSH authentication.


====== Configuration of modified pam_yubico.so module at user level ======

Append the following line to the beginning of /etc/pam.d/sshd file:
Append the following line to the beginning of the `/etc/pam.d/sshd` file:

auth required pam_yubico.so id=16 debug

After the above configuration changes, whenever a user connects to the server
using any SSH client, the PAM authentication interface will pass the control
to Yubico PAM module. The Yubico PAM module first verifies the username with
corresponding Yubikey token id as configured in the .yubico/authorized_yubikeys
corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`
file that present in the user's home directory who is trying to assess server
through SSH. If valid, the Yubico PAM module extracts the OTP string and sends
it to the Yubico authentication server or else it reports failure. After
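Review bot: the sentence that the rewritten line "corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`" belongs to continues on the next context line as "file that present in the user's home directory who is trying to assess server", which has two errors ("that is present", and "access" rather than "assess"); since the sentence is already being touched, fix that line in the same commit instead of leaving the broken wording right next to the corrected one.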
@ -168,27 +168,27 @@ response passwords. Change `challenge-response passwords yes` to

Test setup for fedora 8 environment is as follows:

* OS Version: Fedora release 8 (Werewolf)
* Kernel Version: Kernel version 2.6.23.1-42.fc8
* OpenSSH Version : openssh-4.7p1-2.fc8
* Yubico PAM Version: pam_yubico-1.7
OS Version:: Fedora release 8 (Werewolf)
Kernel Version:: Kernel version 2.6.23.1-42.fc8
OpenSSH Version:: openssh-4.7p1-2.fc8
Yubico PAM Version:: pam_yubico-1.7

==== Fedora 6 ====

Test setup for fedora 6 environment is as follows:

* OS Version: Fedora Core release 6 (Zod)
* Kernel Version: Kernel version 2.6.18-1.2798.fc6
* OpenSSH Version : openssh-4.3p2-10
* Yubico PAM Version: pam_yubico-1.7
OS Version:: Fedora Core release 6 (Zod)
Kernel Version:: Kernel version 2.6.18-1.2798.fc6
OpenSSH Version:: openssh-4.3p2-10
Yubico PAM Version:: pam_yubico-1.7


==== PAM configuration ====

PAM configuration files in our testing environment are as follows:

* /etc/pam.d/sshd:

===== /etc/pam.d/sshd =====
-------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
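Review bot: the new labeled-list entries "Kernel Version:: Kernel version 2.6.23.1-42.fc8" and "Kernel Version:: Kernel version 2.6.18-1.2798.fc6" repeat the term inside the description; now that the term carries the label, the description should be just the version string, as the other three entries already do ("OS Version:: Fedora release 8 (Werewolf)"). While these lists are being converted, the introductory context lines "Test setup for fedora 8 environment is as follows:" and "Test setup for fedora 6 environment is as follows:" could take the capitalised "Fedora" that the "==== Fedora 6 ====" heading uses.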
@ -201,17 +201,17 @@ session required pam_loginuid.so
-------


* /etc/yubikeyid:
===== /etc/yubikeyid =====

-------
root:indvnvlcbdre:ldvglinuddek
test:ldvglinuddek
root:indvnvlcbdre:ldvglinuddek
test:ldvglinuddek
-------

* /root/.yubico/authorized_yubikeys:
===== /root/.yubico/authorized_yubikeys =====

-------
root:indvnvlcbdre:ldvglinuddek
root:indvnvlcbdre:ldvglinuddek
-------

Please change PAM configuration settings for SSH as shown above and test the
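Review bot: the `/etc/yubikeyid` sample, `root:indvnvlcbdre:ldvglinuddek` followed by `test:ldvglinuddek`, maps the token id `ldvglinuddek` to both `root` and `test`, and the context of hunk @64 states that nothing in the module detects or prevents use of the same Yubikey ID for multiple users, so as written the module accepts an OTP from that one key for either account. Either give each sample user distinct ids or add a sentence saying the sharing is deliberate, because readers copy these listings verbatim. Separately, the four lines in the `/etc/yubikeyid` and `/root/.yubico/authorized_yubikeys` listings are replaced by lines that render identically, so the change there must be whitespace-only; say so in the commit message, since a reviewer cannot see what changed.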
@ -221,7 +221,7 @@ configuration.
=== Testing the Configuration ===

We assume that you have 'root' and 'test' user configured to access SSH on your
test environment with password “secret” and “pencil” respectively.
test environment with password 'secret' and 'pencil' respectively.

Use any standard SSH client for testing (We used SSH command line utility).

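Review bot: the rewritten line "test environment with password 'secret' and 'pencil' respectively." switches from curly to straight single quotes, matching 'root' and 'test' on the line above, while every other hunk in this commit moved literal values to backticks (`id=16`, `/etc/pam.d/sshd`, `.yubico/authorized_yubikeys`); use backticks for the two passwords as well so the document has a single convention for literals. The same sentence also reads "have 'root' and 'test' user configured" where "users" is meant.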