mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-12-01 15:24:12 +01:00
Yubico Pluggable Authentication Module (PAM)
build-aux | ||
m4 | ||
configure.ac | ||
COPYING | ||
Makefile.am | ||
NEWS | ||
pam_yubico.c | ||
README | ||
test.c |
#summary Installation and configuration of the Yubico PAM module
#labels Featured,Phase-Deploy
= Yubico PAM module =
The Yubico PAM module provides an easy way to integrate the Yubikey
into your existing user authentication infrastructure. PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
specialized applications such as NCSA !MyProxy.
== Status and Roadmap ==
The module is working for multi-user systems. It does not support
disconnected mode, for that there is another Yubico PAM module that
uses the AES key.
The development community is co-ordinated via Google Code:
http://code.google.com/p/yubico-pam/
The license for pam_yubico is the 2-clause BSD license, which is
compatible with the Linux-PAM BSD/GPL license. See the file COPYING
for more information.
== Building from SVN ==
Skip to the next section if you are using an official packaged
version.
You may check out the sources using SVN with the following command:
{{{
svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam
}}}
This will create a directory 'yubico-pam'. Enter the directory:
{{{
cd yubico-pam
}}}
Autoconf, automake and libtool must be installed.
Generate the build system using:
{{{
autoreconf --install
}}}
== Building ==
You will need to have libykclient (ykclient.h, libykclient.so) and
libpam-dev (security/pam_appl.h, libpam.so) installed. Get the
ykclient library from:
http://code.google.com/p/yubico-c-client/
It in turn requires Curl, which you need to have installed.
The build system uses Autoconf, to set up the build system run:
{{{
./configure
}}}
Use --without-ldap to disable ldap support.
Then build the code, run the self-test and install the binaries:
{{{
make check install
}}}
== Configuration ==
Install it in your PAM setup by adding a line to an appropriate file
in /etc/pam.d/:
{{{
auth sufficient pam_yubico.so id=16 debug
}}}
and move pam_yubico.so into /lib/security/:
{{{
mv /usr/local/lib/security/pam_yubico.so /lib/security/
}}}
For more information, see the project Wiki page.
Supported PAM module parameters are:
{{{
"id": to indicate your client identity.
"key": to indicate your client key in base64 format.
"debug": to enable debug output to stdout.
"alwaysok": to enable that all authentication attempts should succeed
(aka presentation mode).
"try_first_pass":
Before prompting the user for their password, the module first
tries the previous stacked module´s password in case that satisfies
this module as well.
"use_first_pass":
The argument use_first_pass forces the module to use a previous
stacked modules password and will never prompt the user - if no
password is available or the password is not appropriate, the user
will be denied access.
"url": specify the URL template to use, this is set by calling
yubikey_client_set_url_template, which uses by default:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
"ldapserver": specifiy the ldap server host (default ldap port is used).
"ldapdn": specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com).
"user_attr": specify the attribute used to store usernames (eg:cn).
"yubi_attr": specify the attribute used to store the yubikey id.
}}}
If you are using "debug" you may find it useful to create a
world-writable log file:
{{{
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
}}}
== Examples ==
If you want to use the Yubikey to authenticate you on linux console
logins, add the following to the top of /etc/pam.d/login:
{{{
auth sufficient pam_yubico.so id=16 debug
}}}
== Feedback ==
If you want to discuss anything related to the Yubico PAM module,
please contact Simon Josefsson <simon@yubico.com>.