mirror of
https://github.com/Yubico/yubico-pam.git
synced 2024-11-29 09:24:22 +01:00
122 lines
5.3 KiB
Groff
122 lines
5.3 KiB
Groff
.\" Copyright (c) 2013 Yubico AB
|
||
.\" All rights reserved.
|
||
.\"
|
||
.\" Redistribution and use in source and binary forms, with or without
|
||
.\" modification, are permitted provided that the following conditions are
|
||
.\" met:
|
||
.\"
|
||
.\" * Redistributions of source code must retain the above copyright
|
||
.\" notice, this list of conditions and the following disclaimer.
|
||
.\"
|
||
.\" * Redistributions in binary form must reproduce the above
|
||
.\" copyright notice, this list of conditions and the following
|
||
.\" disclaimer in the documentation and/or other materials provided
|
||
.\" with the distribution.
|
||
.\"
|
||
.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||
.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||
.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||
.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||
.\" OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||
.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||
.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||
.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||
.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
.\"
|
||
.\" The following commands are required for all man pages.
|
||
.de URL
|
||
\\$2 \(laURL: \\$1 \(ra\\$3
|
||
..
|
||
.if \n[.g] .mso www.tmac
|
||
.TH pam_yubico "8" "October 2013" "yubico-pam"
|
||
.SH NAME
|
||
pam_yubico - Module for YubiKey authentication
|
||
.SH SYNOPSIS
|
||
.B pam_yubico
|
||
[...]
|
||
.SH DESCRIPTION
|
||
The module is for authentication of YubiKeys, either with online validation of OTP, or offline validation with HMAC-SHA1 challenge-response.
|
||
.SH OPTIONS
|
||
.B debug
|
||
Turns on debugging to STDOUT
|
||
.TP
|
||
.B mode=\fR[\fIclient\fR|\fIchallenge-response\fR]
|
||
Set the mode of operation, client for OTP validation and challenge-response for challenge-response validation, client is the default.
|
||
.TP
|
||
.B authfile=\fIfile\fR
|
||
Set the location of the file that holds the mappings of Yubikey token IDs to user names. The format is username:first_public_id:second_public_id:... default location of the file is $HOME/.yubico/authorized_yubikeys.
|
||
.TP
|
||
.B id=\fIid\fR
|
||
Set to your client identity.
|
||
.TP
|
||
.B key=\fIkey\fR
|
||
Set to your client key in base64 format. The client key is also known as API key, and provides integrity in the communication between the client (you) and the validation server. If you want to get one for use with the default YubiCloud service, visit this URL:
|
||
.URL https://upgrade.yubico.com/getapikey/
|
||
.TP
|
||
.B alwaysok
|
||
Set to enable all authentication attempts to succeed (aka presentation mode).
|
||
.TP
|
||
.B try_first_pass
|
||
Before prompting the user for their password, the module first tries the previous stacked module´s password in case that satisfies this module as well.
|
||
.TP
|
||
.B use_first_pass
|
||
The argument use_first_pass forces the module to use a previous stacked modules password and will never prompt the user - if no password is available or the password is not appropriate, the user will be denied access.
|
||
.TP
|
||
.B urllist=\fIlist\fR
|
||
List of URL templates to be used. This is set by calling ykclient_set_url_bases.
|
||
The list should be in the format
|
||
.URL https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify
|
||
.TP
|
||
.B url=\fIurl\fR
|
||
This option should not be used, please use the urllist option instead.
|
||
Set the URL template to use, this is set by calling ykclient_set_url_template.
|
||
The URL should be set in the format
|
||
.URL https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s
|
||
.TP
|
||
.B capath=\fIpath\fR
|
||
Specify the path where X509 certificates are stored. This is required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri' respectively.
|
||
.TP
|
||
.B verbose_otp
|
||
This argument is used to show the OTP (One Time Password) when it is entered, i.e. to enable terminal echo of entered characters. You are advised to not use this, if you are using two factor authentication because that will display your password on the screen. This requires the service using the PAM module to display custom fields. For example, OpenSSH requires you to configure "ChallengeResponseAuthentication no".
|
||
.TP
|
||
.B ldap_uri=\fIuri\fR
|
||
Specify the LDAP server URI (e.g. ldap://localhost).
|
||
.TP
|
||
.B ldap_server=\fIserver\fR
|
||
Specify the LDAP server host (default LDAP port is used).
|
||
.B Deprecated. Use "ldap_uri" instead.
|
||
.TP
|
||
.B ldapdn=\fIdn\fR
|
||
The dn where the users are stored (eg: ou=users,dc=domain,dc=com).
|
||
.TP
|
||
.B user_attr=\fIattr\fR
|
||
The LDAP attribute used to store user names (eg:cn).
|
||
.TP
|
||
.B yubi_attr=\fIattr\fR
|
||
The LDAP attribute used to store the Yubikey id.
|
||
.TP
|
||
.B yubi_attr_prefix=\fIprefix\fR
|
||
The prefix of the LDAP attribute's value, in case of a generic attribute, used to store several types of ids.
|
||
.TP
|
||
.B token_id_length=\fIlength\fR
|
||
Length of ID prefixing the OTP (this is 12 if using the YubiCloud).
|
||
.SH EXAMPLES
|
||
.RS
|
||
auth sufficient pam_yubico.so id=16 debug
|
||
.TP
|
||
auth required pam_yubico.so mode=challenge-response
|
||
.SH BUGS
|
||
Report yubico-pam bugs in
|
||
.URL "https://github.com/Yubico/yubico-pam/issues/" "the issue tracker"
|
||
.SH "SEE ALSO"
|
||
The
|
||
.URL "http://opensource.yubico.com/yubico-pam/" "yubico-pam home page"
|
||
.PP
|
||
\fBykpamcfg\fR(1),
|
||
\fBpam\fR(7)
|
||
.PP
|
||
YubiKeys can be obtained from
|
||
.URL "https://www.yubico.com/" "Yubico" "."
|