Merge branch 'pr-154'

Makefile.am

@@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8
 DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS)
 
 MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt
-EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/Yubikey_and_Radius_via_PAM.adoc doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc doc/Yubikey_and_SSH_via_PAM.adoc
+EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc
 EXTRA_DIST += $(MANSOURCES)
 EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile
 

NEWS

@@ -268,7 +268,7 @@ forum.yubico.com.
 They work similar to other PAM modules, see README for more
 documentation.
 
-Upgrade notice: If you are relying on getting the Yubikey OTP from an
+Upgrade notice: If you are relying on getting the YubiKey OTP from an
 earlier PAM module, and no prompting by the pam_yubico module, you
 need to add "try_first_pass" to preserve the same behaviour.
 

README

@@ -1,7 +1,7 @@
 == Yubico PAM module
 image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"]
 
-The Yubico PAM module provides an easy way to integrate the Yubikey
+The Yubico PAM module provides an easy way to integrate the YubiKey
 into your existing user authentication infrastructure.  PAM is used by
 GNU/Linux, Solaris and Mac OS X for user authentication, and by other
 specialized applications such as NCSA MyProxy.
@@ -136,7 +136,7 @@ Supported PAM module parameters are:
 [horizontal]
 authfile::
 To indicate the location of the file that holds the
-mappings of Yubikey token IDs to user names.
+mappings of YubiKey token IDs to user names.
 
 id:: 
 Your API Client ID in the Yubico validation server.
@@ -239,7 +239,7 @@ CA certifcate file for the LDAP connection.
 
 user_attr:: specify the LDAP attribute used to store user names (eg:cn).
 
-yubi_attr::  specify the LDAP attribute used to store the Yubikey ID.
+yubi_attr::  specify the LDAP attribute used to store the YubiKey ID.
 
 yubi_attr_prefix::
 specify the prefix of the LDAP attribute's value, in case
@@ -287,13 +287,13 @@ be used.
 
 === Central authorization mapping
 Create a `/etc/yubikey_mappings`, the file must contain a user name and the
-Yubikey token ID separated by colons (same format as the passwd file) for
-each user you want to allow onto the system using a Yubikey.
+YubiKey token ID separated by colons (same format as the passwd file) for
+each user you want to allow onto the system using a YubiKey.
 
 The mappings should look like this, one per line:
 
- <first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
- <second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….
+ <first user name>:<YubiKey token ID1>:<YubiKey token ID2>:….
+ <second user name>:<YubiKey token ID3>:<YubiKey token ID4>:….
 
 Now add `authfile=/etc/yubikey_mappings` to your PAM configuration line, so it
 looks like:
@@ -307,21 +307,21 @@ directory and places the mapping in that file, the file must have only one
 line:
 
 
- <user name>:<Yubikey token ID1>:<Yubikey token ID2>
+ <user name>:<YubiKey token ID1>:<YubiKey token ID2>
 
 
 This is much the same concept as the SSH authorized_keys file.
 
 
-Obtaining the Yubikey token ID (a.k.a. public ID)
+Obtaining the YubiKey token ID (a.k.a. public ID)
 -------------------------------------------------
 
-You can obtain the Yubikey token ID in several ways.  One is by
+You can obtain the YubiKey token ID in several ways.  One is by
 removing the last 32 characters of any OTP (One Time Password)
-generated with your Yubikey.  Another is by using the
+generated with your YubiKey.  Another is by using the
 http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].
 
-Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
+Enter your YubiKey OTP and convert it, your YubiKey token ID is 12
 characters and listed as:
 
    Modhex encoded: XXXXXXX
@@ -348,7 +348,7 @@ information including the OTP and ID of your token to the shell -- copy the ID
 into your config file and you should be up and going.
 
 ------
-Yubikey for `youruser':
+YubiKey for `youruser':
 [pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes
 [pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
 [pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab
@@ -382,7 +382,7 @@ See Michael Ludvig's sample Active Directory schema extensions for YubiKey publi
 
 create file '/etc/pam.d/openvpn':
 
-   auth  required  pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=yubiKeyId
+   auth  required  pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=YubiKeyID
       ldapdn=DC=contoso,DC=com
       ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com))
       [ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com] ldap_bind_password=bind_password try_first_pass

doc/Authentication_Using_Challenge-Response.adoc

@@ -188,5 +188,5 @@ and if there is no YubiKey in the machine it will look like this:
 [pam_yubico.c:parse_cfg(743)] chalresp_path=(null)
 [pam_yubico.c:pam_sm_authenticate(775)] get user returned: jas
 [pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
-[pam_yubico.c:do_challenge_response(640)] Yubikey core error: no yubikey present
+[pam_yubico.c:do_challenge_response(640)] YubiKey core error: no YubiKey present
 ----

doc/Two_Factor_PAM_Configuration.adoc

@@ -1,5 +1,5 @@
 PAM configuration is somewhat complex, but a typical use-case is to
-require both a password and Yubikey to allow access.  This can be
+require both a password and YubiKey to allow access.  This can be
 achieved by a PAM configuration like this:
 
 ----
@@ -9,7 +9,7 @@ auth required pam_unix.so use_first_pass
 
 The first line makes pam_yubico check the OTP.  Use either a per-user
 file called `~/.yubico/authorized_yubikeys`, or a system-wide file called
-`/etc/yubikey_mappings` to specify which Yubikeys that can be used to log
+`/etc/yubikey_mappings` to specify which YubiKeys that can be used to log
 in as specific users. See https://developers.yubico.com/yubico-pam[the README]
 for more information.
 
@@ -27,8 +27,8 @@ unless you want those.  For example, Debian contains a
 '@include common-auth' which would confuse the configuration.
 
 To log in, you now need to enter both your Unix password and enter an
-OTP using your Yubikey. When prompted for the password, enter the Unix
+OTP using your YubiKey. When prompted for the password, enter the Unix
 password first and then (without pressing enter) push the button on your
-Yubikey.
+YubiKey.
 
 If it doesn't work, enable debugging (see https://developers.yubico.com/yubico-pam[the README]) and try again.

doc/Ubuntu_FreeRadius_YubiKey.adoc

@@ -231,7 +231,7 @@ PAM debug log:
 [pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice
 [pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef
 [pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc 
-[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
+[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): YubiKey OTP was replayed (REPLAYED_OTP)
 [pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure]
 ------
 

doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc

@@ -1,8 +1,8 @@
-Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke Yubikey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
+Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
 
 Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.
 
-To make a long story short, if you want to use a Yubikey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so:
+To make a long story short, if you want to use a YubiKey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so:
 
     setsebool -P authlogin_yubikey 1
 

doc/YubiKey_and_SSH_via_PAM.adoc

@@ -1,7 +1,7 @@
 == Introduction ==
 
 The purpose of this document is to guide readers through the configuration
-steps to use two factor authentication for SSH using Yubikey. This document
+steps to use two factor authentication for SSH using YubiKey. This document
 assumes that the reader has advanced knowledge and experience in Linux
 system administration, particularly for how PAM authentication mechanism is
 configured on a Linux platform.
@@ -33,7 +33,7 @@ https://developers.yubico.com/yubico-pam/releases.html[here].
 
 The Yubico PAM module support two factor authentication for SSH.
 The two factor authentication module verifies the user name and password
-for the user and the One-Time Password (OTP) generated by Yubikey assigned
+for the user and the One-Time Password (OTP) generated by YubiKey assigned
 to the user.
 
 
@@ -53,24 +53,24 @@ done at administrative level or at individual user level.
 ==== Administrative Level ====
 
 In Administrative level, system administrators hold right to configure the
-user and yubikey token ID mapping. Administrators can achieve this by creating
+user and YubiKey token ID mapping. Administrators can achieve this by creating
 a new file that contains information about the username and the corresponding
-IDs of Yubikey(s) assigned.
+IDs of YubiKey(s) assigned.
 
 This file contains user name that is allowed to connect to the system over SSH
-and the token id of the Yubikey(s) assigned to that particular user. A user
-can be assigned multiple Yubikeys and this multi key mapping is supported by
+and the token id of the YubiKey(s) assigned to that particular user. A user
+can be assigned multiple YubiKeys and this multi key mapping is supported by
 this file. However, presently there is no logic coded to detect or prevent use
-of same Yubikey ID for multiple users.
+of same YubiKey ID for multiple users.
 
 Each record in the file should begin on a new line. The parameters in each
 record are separated by `:` character similar to `/etc/passwd`. 
 
 The contents of this file are as follows:
 
- <user name>:<yubikey token ID>:<yubikey token ID>: ….
+ <user name>:<YubiKey token ID>:<YubiKey token ID>: ….
 
- <user name>:<yubikey token ID>:<yubikey token ID>:…..
+ <user name>:<YubiKey token ID>:<YubiKey token ID>:…..
 
 e.g.
 
@@ -96,7 +96,7 @@ using any ssh client, the PAM authentication interface will pass the control to
 Yubico PAM module. The Yubico PAM module first checks the presence of authfile
 argument in PAM configuration.  If authfile argument is present, it parses the
 corresponding mapping file and  verifies the username with corresponding
-Yubikey token id as configured in the mapping file. If valid, the Yubico PAM
+YubiKey token id as configured in the mapping file. If valid, the Yubico PAM
 module extracts the OTP string and sends it to the Yubico authentication server
 or else it reports failure.  If authfile argument is present but the mapping
 file is not present at the provided path PAM module reports failure. After
@@ -106,18 +106,18 @@ authentication server, a success code is returned.
 
 ==== User Level ====
 
-In User level, individual users have the ability to configure yubikey token
+In User level, individual users have the ability to configure YubiKey token
 ID assigned to them. Users can achieve this by creating a new file
 `.yubico/authorized_yubikeys` inside their home directories that contains
-information about the username and the corresponding IDs of Yubikey(s) assigned
-to them. A user can be assigned multiple Yubikeys and the multi key mapping is
+information about the username and the corresponding IDs of YubiKey(s) assigned
+to them. A user can be assigned multiple YubiKeys and the multi key mapping is
 supported by this file.
 
 This file must contain only one record. The parameters in the record are
 separated by `:` character similar to `/etc/passwd`. The contents of this file
 are as shown below:
  
- <user name>:<yubikey token ID>:<yubikey token ID>: ….
+ <user name>:<YubiKey token ID>:<YubiKey token ID>: ….
 
 e.g.
 
@@ -138,7 +138,7 @@ Append the following line to the beginning of the `/etc/pam.d/sshd` file:
 After the above configuration changes, whenever a user connects to the server
 using any SSH client, the PAM authentication interface will pass the control
 to Yubico PAM module. The Yubico PAM module first verifies the username with
-corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`
+corresponding YubiKey token id as configured in the `.yubico/authorized_yubikeys`
 file that present in the user's home directory who is trying to assess server
 through SSH. If valid, the Yubico PAM module extracts the OTP string and sends
 it to the Yubico authentication server or else it reports failure. After
@@ -229,15 +229,15 @@ Try to login to server with SSH client as configured user:
 
 ------
 $ ssh -l test localhost 
-Password: (enter 'pencil' and touch the ldvglinuddek yubikey)
+Password: (enter 'pencil' and touch the ldvglinuddek YubiKey)
 ------
 
 ------
 $ ssh -l root localhost
-Password: (enter 'secret' and touch the ldvglinuddek yubikey)
+Password: (enter 'secret' and touch the ldvglinuddek YubiKey)
 ------
 
 ------
 $ ssh -l root localhost
-Password: (enter 'secret' and touch the indvnvlcbdre yubikey)
+Password: (enter 'secret' and touch the indvnvlcbdre YubiKey)
 ------

pam_yubico.8.txt

@@ -24,7 +24,7 @@ File name to write debug to, the file must exist and be a regular file. Defaults
 Mode of operation, client for OTP validation and challenge-response for challenge-response validation. Defaults to client.
 
 *authfile*=_file_::
-Location of the file that holds the mappings of Yubikey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys.
+Location of the file that holds the mappings of YubiKey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys.
 
 *id*=_id_::
 Your API client identity for the validation server.
@@ -78,7 +78,7 @@ The distinguished name (DN) where the users are stored (eg: ou=users,dc=domain,d
 The LDAP attribute used to store user names (eg:cn).
 
 *yubi_attr*=_attr_::
-The LDAP attribute used to store the Yubikey ID.
+The LDAP attribute used to store the YubiKey ID.
 
 *yubi_attr_prefix*=_prefix_::
 The prefix of the LDAP attribute's value, in case of a generic attribute, used to store several types of IDs.

pam_yubico.c

@@ -610,7 +610,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
     goto out;
   }
 
-  errstr = "Error communicating with Yubikey, please check syslog or contact your system administrator";
+  errstr = "Error communicating with YubiKey, please check syslog or contact your system administrator";
   if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE,
 			   true, true, false,
 			   buf, sizeof(buf), &response_len)) {
@@ -676,7 +676,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
     goto restpriv_out;
   }
 
-  errstr = "Error updating Yubikey challenge, please check syslog or contact your system administrator";
+  errstr = "Error updating YubiKey challenge, please check syslog or contact your system administrator";
   if (! write_chalresp_state (f, &state))
     goto out;
   if (fclose(f) < 0) {
@@ -706,8 +706,8 @@ restpriv_out:
       syslog(LOG_ERR, "USB error: %s", yk_usb_strerror());
       DBG("USB error: %s", yk_usb_strerror());
     } else {
-      syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno));
-      DBG("Yubikey core error: %s", yk_strerror(yk_errno));
+      syslog(LOG_ERR, "YubiKey core error: %s", yk_strerror(yk_errno));
+      DBG("YubiKey core error: %s", yk_strerror(yk_errno));
     }
   }
 
@@ -1102,7 +1102,7 @@ pam_sm_authenticate (pam_handle_t * pamh,
 
   password_len = strlen (password);
 
-  /* In case the input was systempassword+YubiKeyOTP, we want to skip over
+  /* In case the input was systempassword+OTP, we want to skip over
      "systempassword" when copying the token_id and OTP to separate buffers */
   if(password_len > cfg->token_id_length + TOKEN_OTP_LEN)
     {

ykpamcfg.c

@@ -74,14 +74,14 @@ static void
 report_yk_error(void)
 {
   if (ykp_errno)
-    fprintf(stderr, "Yubikey personalization error: %s\n",
+    fprintf(stderr, "YubiKey personalization error: %s\n",
 	    ykp_strerror(ykp_errno));
   if (yk_errno) {
     if (yk_errno == YK_EUSBERR) {
       fprintf(stderr, "USB error: %s\n",
 	      yk_usb_strerror());
     } else {
-      fprintf(stderr, "Yubikey core error: %s\n",
+      fprintf(stderr, "YubiKey core error: %s\n",
 	      yk_strerror(yk_errno));
     }
   }