1
0
mirror of https://github.com/Yubico/yubico-pam.git synced 2024-12-01 15:24:12 +01:00
Yubico Pluggable Authentication Module (PAM)
Go to file
zubrick433 15cae15f1c Corrections in ldap part:Â
Removed deprecated ldap functions. New functions need a ldap uri instead of a hostname. changed configuration parameter ldapserver to ldap_uri to reflect change and avoid errors in configuration.

Search string are now of variable size depending on configuration parameters length, instead of an arbitrary fixed length.

Modified README for the new ldap_uri configuration parameter
2009-08-11 09:29:44 +00:00
build-aux Update gnulib files. 2009-03-24 18:31:26 +00:00
m4 Update gnulib files. 2009-03-24 18:31:26 +00:00
configure.ac Bump versions. 2009-05-11 10:10:16 +00:00
COPYING Change license to 2-clause BSD. 2009-01-13 14:08:21 +00:00
Makefile.am Fix release target. 2009-06-22 09:02:21 +00:00
NEWS Bump versions. 2009-05-11 10:10:16 +00:00
pam_yubico.c Corrections in ldap part:Â 2009-08-11 09:29:44 +00:00
README Corrections in ldap part:Â 2009-08-11 09:29:44 +00:00
test.c Indent. 2009-01-13 14:08:39 +00:00

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#summary Installation and configuration of the Yubico PAM module
#labels Featured,Phase-Deploy

= Yubico PAM module =

The Yubico PAM module provides an easy way to integrate the Yubikey
into your existing user authentication infrastructure.  PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
specialized applications such as NCSA !MyProxy.

== Status and Roadmap ==

The module is working for multi-user systems.  It does not support
disconnected mode, for that there is another Yubico PAM module that
uses the AES key.

The development community is co-ordinated via Google Code:

  http://code.google.com/p/yubico-pam/

The license for pam_yubico is the 2-clause BSD license, which is
compatible with the Linux-PAM BSD/GPL license.  See the file COPYING
for more information.

== Building from SVN ==

Skip to the next section if you are using an official packaged
version.

You may check out the sources using SVN with the following command:

{{{
  svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam
}}}

This will create a directory 'yubico-pam'.  Enter the directory:

{{{
  cd yubico-pam
}}}

Autoconf, automake and libtool must be installed.

Generate the build system using:

{{{
  autoreconf --install
}}}

== Building ==

You will need to have libykclient (ykclient.h, libykclient.so) and
libpam-dev (security/pam_appl.h, libpam.so) installed.  Get the
ykclient library from:

http://code.google.com/p/yubico-c-client/

It in turn requires Curl, which you need to have installed.

The build system uses Autoconf, to set up the build system run:

{{{
  ./configure
}}}

Use --without-ldap to disable ldap support.

Then build the code, run the self-test and install the binaries:

{{{
  make check install
}}}

== Configuration ==

Install it in your PAM setup by adding a line to an appropriate file
in /etc/pam.d/:

{{{
  auth sufficient pam_yubico.so id=16 debug
}}}

and move pam_yubico.so into /lib/security/:

{{{
  mv /usr/local/lib/security/pam_yubico.so /lib/security/
}}}

For more information, see the project Wiki page.

Supported PAM module parameters are:

{{{
  "id":         to indicate your client identity.

  "key":        to indicate your client key in base64 format.

  "debug":      to enable debug output to stdout.

  "alwaysok":   to enable that all authentication attempts should succeed
                (aka presentation mode).

  "try_first_pass":
           Before prompting the user for their password, the module first
           tries the previous stacked module´s password in case that satisfies
           this module as well.

  "use_first_pass":
           The argument use_first_pass forces the module to use a previous
           stacked modules password and will never prompt the user - if no
           password is available or the password is not appropriate, the user
           will be denied access.

  "url":        specify the URL template to use, this is set by calling
                yubikey_client_set_url_template, which uses by default:
	        http://api.yubico.com/wsapi/verify?id=%d&otp=%s

  "ldap_uri": specifiy the ldap server uri (e.g. ldap://localhost).

  "ldapdn":     specify the dn where the users are stored
                (eg: ou=users,dc=domain,dc=com).

  "user_attr":  specify the attribute used to store usernames (eg:cn).

  "yubi_attr":  specify the attribute used to store the yubikey id.
}}}

If you are using "debug" you may find it useful to create a
world-writable log file:

{{{
  touch /var/run/pam-debug.log 
  chmod go+w /var/run/pam-debug.log 
}}}

== Examples ==

If you want to use the Yubikey to authenticate you on linux console
logins, add the following to the top of /etc/pam.d/login:

{{{
auth sufficient pam_yubico.so id=16 debug
}}}

== Feedback ==

If you want to discuss anything related to the Yubico PAM module,
please contact Simon Josefsson <simon@yubico.com>.