rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-21 15:54:41 +01:00
Code Issues Projects Releases Wiki Activity

Update Yubikey_and_SSH_via_PAM.adoc

Browse Source
This commit is contained in:
Henrik Stråth 2014-10-29 16:40:16 +01:00
parent 22d4c290e7
commit ccaa679f48
1 changed files with 23 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
doc/Yubikey_and_SSH_via_PAM.adoc
View File

@ -64,7 +64,7 @@ this file. However, presently there is no logic coded to detect or prevent use
of same Yubikey ID for multiple users. of same Yubikey ID for multiple users.
Each record in the file should begin on a new line. The parameters in each Each record in the file should begin on a new line. The parameters in each
record are separated by “:” character similar to /etc/passwd. record are separated by `:` character similar to `/etc/passwd`.
The contents of this file are as follows: The contents of this file are as follows:
@ -85,11 +85,11 @@ Yubico PAM module for SSH authentication.
====== Configuration of modified pam_yubico.so module at administrative level ====== ====== Configuration of modified pam_yubico.so module at administrative level ======
Append the following line to the beginning of /etc/pam.d/sshd file: Append the following line to the beginning of the `/etc/pam.d/sshd` file:
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
Make sure you set id=16 to the correct API-id for the yubico validation server. Make sure you set `id=16` to the correct API-id for the yubico validation server.
After the above configuration changes, whenever a user connects to the server After the above configuration changes, whenever a user connects to the server
using any ssh client, the PAM authentication interface will pass the control to using any ssh client, the PAM authentication interface will pass the control to
@ -108,13 +108,13 @@ authentication server, a success code is returned.
In User level, individual users have the ability to configure yubikey token In User level, individual users have the ability to configure yubikey token
ID assigned to them. Users can achieve this by creating a new file ID assigned to them. Users can achieve this by creating a new file
".yubico/authorized_yubikeys" inside their home directories that contains `.yubico/authorized_yubikeys` inside their home directories that contains
information about the username and the corresponding IDs of Yubikey(s) assigned information about the username and the corresponding IDs of Yubikey(s) assigned
to them. A user can be assigned multiple Yubikeys and the multi key mapping is to them. A user can be assigned multiple Yubikeys and the multi key mapping is
supported by this file. supported by this file.
This file must contain only one record. The parameters in the record are This file must contain only one record. The parameters in the record are
separated by “:” character similar to /etc/passwd. The contents of this file separated by `:` character similar to `/etc/passwd`. The contents of this file
are as shown below: are as shown below:
<user name>:<yubikey token ID>:<yubikey token ID>: …. <user name>:<yubikey token ID>:<yubikey token ID>: ….
@ -124,21 +124,21 @@ e.g.
paul:indvnvlcbdre:ldvglinuddek paul:indvnvlcbdre:ldvglinuddek
The .yubico/authorized_yubikeys file must be created/updated manually and must The `.yubico/authorized_yubikeys` file must be created/updated manually and must
be placed inside user's home directory before configuration of Yubico PAM be placed inside user's home directory before configuration of Yubico PAM
module for SSH authentication. module for SSH authentication.
====== Configuration of modified pam_yubico.so module at user level ====== ====== Configuration of modified pam_yubico.so module at user level ======
Append the following line to the beginning of /etc/pam.d/sshd file: Append the following line to the beginning of the `/etc/pam.d/sshd` file:
auth required pam_yubico.so id=16 debug auth required pam_yubico.so id=16 debug
After the above configuration changes, whenever a user connects to the server After the above configuration changes, whenever a user connects to the server
using any SSH client, the PAM authentication interface will pass the control using any SSH client, the PAM authentication interface will pass the control
to Yubico PAM module. The Yubico PAM module first verifies the username with to Yubico PAM module. The Yubico PAM module first verifies the username with
corresponding Yubikey token id as configured in the .yubico/authorized_yubikeys corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`
file that present in the user's home directory who is trying to assess server file that present in the user's home directory who is trying to assess server
through SSH. If valid, the Yubico PAM module extracts the OTP string and sends through SSH. If valid, the Yubico PAM module extracts the OTP string and sends
it to the Yubico authentication server or else it reports failure. After it to the Yubico authentication server or else it reports failure. After
@ -168,27 +168,27 @@ response passwords. Change `challenge-response passwords yes` to
Test setup for fedora 8 environment is as follows: Test setup for fedora 8 environment is as follows:
* OS Version: Fedora release 8 (Werewolf) OS Version:: Fedora release 8 (Werewolf)
* Kernel Version: Kernel version 2.6.23.1-42.fc8 Kernel Version:: Kernel version 2.6.23.1-42.fc8
* OpenSSH Version : openssh-4.7p1-2.fc8 OpenSSH Version:: openssh-4.7p1-2.fc8
* Yubico PAM Version: pam_yubico-1.7 Yubico PAM Version:: pam_yubico-1.7
==== Fedora 6 ==== ==== Fedora 6 ====
Test setup for fedora 6 environment is as follows: Test setup for fedora 6 environment is as follows:
* OS Version: Fedora Core release 6 (Zod) OS Version:: Fedora Core release 6 (Zod)
* Kernel Version: Kernel version 2.6.18-1.2798.fc6 Kernel Version:: Kernel version 2.6.18-1.2798.fc6
* OpenSSH Version : openssh-4.3p2-10 OpenSSH Version:: openssh-4.3p2-10
* Yubico PAM Version: pam_yubico-1.7 Yubico PAM Version:: pam_yubico-1.7
==== PAM configuration ==== ==== PAM configuration ====
PAM configuration files in our testing environment are as follows: PAM configuration files in our testing environment are as follows:
* /etc/pam.d/sshd:
===== /etc/pam.d/sshd =====
------- -------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth auth include system-auth
@ -201,17 +201,17 @@ session required pam_loginuid.so
------- -------
* /etc/yubikeyid: ===== /etc/yubikeyid =====
------- -------
root:indvnvlcbdre:ldvglinuddek root:indvnvlcbdre:ldvglinuddek
test:ldvglinuddek test:ldvglinuddek
------- -------
* /root/.yubico/authorized_yubikeys: ===== /root/.yubico/authorized_yubikeys =====
------- -------
root:indvnvlcbdre:ldvglinuddek root:indvnvlcbdre:ldvglinuddek
------- -------
Please change PAM configuration settings for SSH as shown above and test the Please change PAM configuration settings for SSH as shown above and test the
@ -221,7 +221,7 @@ configuration.
=== Testing the Configuration === === Testing the Configuration ===
We assume that you have 'root' and 'test' user configured to access SSH on your We assume that you have 'root' and 'test' user configured to access SSH on your
test environment with password “secret” and “pencil” respectively. test environment with password 'secret' and 'pencil' respectively.
Use any standard SSH client for testing (We used SSH command line utility). Use any standard SSH client for testing (We used SSH command line utility).