mirror of https://github.com/Yubico/yubico-pam.git synced 2025-03-16 03:29:17 +01:00

Fixed adoc error

Henrik Stråth 2014-10-30 11:14:55 +01:00
parent 7eef2deca0
commit d1ab4539e4


@ -1,4 +1,4 @@
=== Introduction === == Introduction ==
The purpose of this document is to guide readers through the configuration The purpose of this document is to guide readers through the configuration
steps to use two factor authentication for SSH using Yubikey. This document steps to use two factor authentication for SSH using Yubikey. This document
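Review bot: After this change the file opens at line 1 with `== Introduction ==` and there is still no `= Title` document title above it, so the rendered page has no heading of its own. Consider adding a title line in the same commit, and have the commit message say which error was fixed (section levels started one level too deep) rather than only "Fixed adoc error".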
@ -6,7 +6,7 @@ assumes that the reader has advanced knowledge and experience in Linux
system administration, particularly for how PAM authentication mechanism is system administration, particularly for how PAM authentication mechanism is
configured on a Linux platform. configured on a Linux platform.
=== Prerequisites === == Prerequisites ==
Successful configuration of the Yubico PAM module to support two factor Successful configuration of the Yubico PAM module to support two factor
authentication requires following prerequisites: authentication requires following prerequisites:
@ -22,7 +22,7 @@ Version 1.5 or later
https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.7 or later https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.7 or later
=== System Requirements === == System Requirements ==
This document illustrates the configuration steps for Fedora Core 8 This document illustrates the configuration steps for Fedora Core 8
operating system. However, there steps should work on most other Linux operating system. However, there steps should work on most other Linux
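Review bot: The context line under System Requirements reads "However, there steps should work on most other Linux"; "there" should be "these". Worth fixing in the same pass since the section heading directly above it is being touched.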
@ -37,20 +37,20 @@ for the user and the One-Time Password (OTP) generated by Yubikey assigned
to the user. to the user.
=== Build yubico-c-client and pam_yubico === == Build yubico-c-client and pam_yubico ==
Build instructions for yubico-c-client and pam_yubico are found in their Build instructions for yubico-c-client and pam_yubico are found in their
respective README. respective README.
=== Configuration === == Configuration ==
==== Configuration for user and YubiKey token ID mapping ==== === Configuration for user and YubiKey token ID mapping ===
There are two ways of user and YubiKey token ID mapping. It can be either There are two ways of user and YubiKey token ID mapping. It can be either
done at administrative level or at individual user level. done at administrative level or at individual user level.
===== Administrative Level ===== ==== Administrative Level ====
In Administrative level, system administrators hold right to configure the In Administrative level, system administrators hold right to configure the
user and yubikey token ID mapping. Administrators can achieve this by creating user and yubikey token ID mapping. Administrators can achieve this by creating
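Review bot: The product name is spelled three ways in this hunk's context ("Yubikey" in the line before the Build heading, "YubiKey" in the mapping heading, "yubikey" in the Administrative Level paragraph); pick "YubiKey" throughout. In the same paragraph, "system administrators hold right to configure" reads better as "system administrators have the right to configure".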
@ -83,7 +83,7 @@ kurt:ertbhunjimko
The mapping file must be created/updated manually before configuration of The mapping file must be created/updated manually before configuration of
Yubico PAM module for SSH authentication. Yubico PAM module for SSH authentication.
====== Configuration of modified pam_yubico.so module at administrative level ====== ===== Configuration of modified pam_yubico.so module at administrative level =====
Append the following line to the beginning of the `/etc/pam.d/sshd` file: Append the following line to the beginning of the `/etc/pam.d/sshd` file:
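Review bot: "Append the following line to the beginning of the `/etc/pam.d/sshd` file" contradicts itself, and the position matters because PAM evaluates the auth lines in the order they appear. Suggest "Insert the following line at the top of the `/etc/pam.d/sshd` file"; the same sentence is repeated in the user-level section. The heading also says "modified pam_yubico.so" without the surrounding text saying what was modified.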
@ -104,7 +104,7 @@ successful verification of OTP Yubico PAM module from the Yubico
authentication server, a success code is returned. authentication server, a success code is returned.
===== User Level ===== ==== User Level ====
In User level, individual users have the ability to configure yubikey token In User level, individual users have the ability to configure yubikey token
ID assigned to them. Users can achieve this by creating a new file ID assigned to them. Users can achieve this by creating a new file
@ -129,7 +129,7 @@ be placed inside user's home directory before configuration of Yubico PAM
module for SSH authentication. module for SSH authentication.
====== Configuration of modified pam_yubico.so module at user level ====== ===== Configuration of modified pam_yubico.so module at user level =====
Append the following line to the beginning of the `/etc/pam.d/sshd` file: Append the following line to the beginning of the `/etc/pam.d/sshd` file:
@ -146,7 +146,7 @@ successful verification of OTP Yubico PAM module from the Yubico authentication
server, a success code is returned. server, a success code is returned.
==== pam_unix.so configuration ==== === pam_unix.so configuration ===
Append _try_first_pass_ parameter to the _pam_unix.so_ module to authenticate Append _try_first_pass_ parameter to the _pam_unix.so_ module to authenticate
the user with password passed from the preceding auth module. the user with password passed from the preceding auth module.
@ -155,16 +155,16 @@ The _pam_unix.so_ module used for authentication is generally located into
`/etc/pam.d/system-auth` for RedHat based Linux system and into `/etc/pam.d/system-auth` for RedHat based Linux system and into
`/etc/pam.d/common-auth` for Debian based Linux systems. `/etc/pam.d/common-auth` for Debian based Linux systems.
==== SSH configuration ==== === SSH configuration ===
Edit the sshd configuration file `/etc/ssh/sshd_config`_ to disable challenge- Edit the sshd configuration file `/etc/ssh/sshd_config`_ to disable challenge-
response passwords. Change `challenge-response passwords yes` to response passwords. Change `challenge-response passwords yes` to
`challenge-response passwords no`. `challenge-response passwords no`.
=== Test Setup === == Test Setup ==
==== Fedora 8 ==== === Fedora 8 ===
Test setup for fedora 8 environment is as follows: Test setup for fedora 8 environment is as follows:
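Review bot: In the SSH configuration paragraph, `/etc/ssh/sshd_config`_ still carries a stray underscore after the closing backtick, which is the same kind of markup slip this commit is cleaning up; drop it. The paragraph also tells the reader to change `challenge-response passwords yes`, which is not a keyword found in sshd_config; the OpenSSH option is ChallengeResponseAuthentication, and naming it literally would let readers locate the line to edit.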
@ -173,7 +173,7 @@ Kernel Version:: Kernel version 2.6.23.1-42.fc8
OpenSSH Version:: openssh-4.7p1-2.fc8 OpenSSH Version:: openssh-4.7p1-2.fc8
Yubico PAM Version:: pam_yubico-1.7 Yubico PAM Version:: pam_yubico-1.7
==== Fedora 6 ==== === Fedora 6 ===
Test setup for fedora 6 environment is as follows: Test setup for fedora 6 environment is as follows:
@ -183,12 +183,12 @@ OpenSSH Version:: openssh-4.3p2-10
Yubico PAM Version:: pam_yubico-1.7 Yubico PAM Version:: pam_yubico-1.7
==== PAM configuration ==== === PAM configuration ===
PAM configuration files in our testing environment are as follows: PAM configuration files in our testing environment are as follows:
===== /etc/pam.d/sshd ===== ==== /etc/pam.d/sshd ====
------- -------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth auth include system-auth
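Review bot: The sample `/etc/pam.d/sshd` line `auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug` is shown with `debug` switched on and a literal `id=16`, and a later paragraph asks readers to change their PAM settings "as shown above". Add a sentence saying `debug` is for the test setup only and that `id` has to be the reader's own API client id, so the test values are not copied into a production stack.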
@ -201,7 +201,7 @@ session required pam_loginuid.so
------- -------
===== /etc/yubikeyid ===== ==== /etc/yubikeyid ====
------- -------
root:indvnvlcbdre:ldvglinuddek root:indvnvlcbdre:ldvglinuddek
@ -218,7 +218,7 @@ Please change PAM configuration settings for SSH as shown above and test the
configuration. configuration.
=== Testing the Configuration === == Testing the Configuration ==
We assume that you have 'root' and 'test' user configured to access SSH on your We assume that you have 'root' and 'test' user configured to access SSH on your
test environment with password 'secret' and 'pencil' respectively. test environment with password 'secret' and 'pencil' respectively.
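Review bot: The sentence under Testing the Configuration has agreement errors: "'root' and 'test' user configured" should be "users", and "with password 'secret' and 'pencil'" should be "passwords". Since the walkthrough assumes root reachable over SSH with a dictionary-word password, state explicitly that these accounts belong on a disposable test host.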