From 5ad472914b721712a0bb34b93a2e48982e2359d8 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 3 Oct 2012 07:51:58 +0200 Subject: [PATCH] updates from yubico-pam README --- ReadMe.asciidoc | 60 ++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 6 deletions(-) diff --git a/ReadMe.asciidoc b/ReadMe.asciidoc index 7880533..28a8f40 100644 --- a/ReadMe.asciidoc +++ b/ReadMe.asciidoc @@ -177,8 +177,8 @@ Supported PAM module parameters are: respectively. "verbose_otp": - This argument is used to show the OTP when it is entered, - i.e. to enable terminal echo of entered characters. + This argument is used to show the OTP (One Time Password) when it + is entered, i.e. to enable terminal echo of entered characters. You are advised to not use this, if you are using two factor authentication because that will display your password on the screen. @@ -246,8 +246,8 @@ each user you want to allow onto the system using a Yubikey. The mappings should look like this, one per line: ------ - :::…. - :::…. + :::…. + :::…. ------ Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it @@ -265,7 +265,7 @@ directory and places the mapping in that file, the file must have only one line: ------ - :: + :: ------ This is much the same concept as the SSH authorized_keys file. @@ -274,7 +274,7 @@ This is much the same concept as the SSH authorized_keys file. Obtaining the Yubikey token ID (a.k.a. public ID) ------------------------------------------------- You can obtain the Yubikey token ID in two places. One is by removing the -last 32 characters of any OTP generated with your Yubikey, the other +last 32 characters of any OTP (One Time Password) generated with your Yubikey, the other is by using the modhex calculator located here : http://radius.yubico.com/demo/Modhex_Calculator.php 
@@ -283,6 +283,54 @@ Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and li Modhex encoded: XXXXXXX + +Not sure what that last bit meant? Here is how to get a copy of your OTP. + +Fast way +======== +* Open a terminal +* Press yubikey button + +It will output an OTP into the shell: + +------ + $ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj + bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found +------ + +This can be pasted into the Modhex_Calculator page. + +Harder way +========== +This requires you to have the pam module enabled with 'debug' turned on. When +prompted for the yubikey press the button. The pam module will print out debug +information including the OTP and ID of your token to the shell - copy the ID +into your config file and you should be up and going. + +------ + Yubikey for `youruser': + [pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes + [pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32. + [pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab +------ + + +Yubico PAM module and SELinux. +------------------------------ +Users with SELinux in enforcing mode (the default on Fedora 17+) may experience +login problems with services including those validated via +polkit-agent-helper-1, sshd and login. + +This is documented in the PAM Yubico issue tracker [1] and Red Hat bugzilla +including a work around [2] for ssh (Equivalent files could be created for +other services). Systems in 'permissive' mode will generate AVC warnings but +authentication will succeed. + +[1] http://code.google.com/p/yubico-pam/issues/detail?id=43 +[2] https://bugzilla.redhat.com/show_bug.cgi?id=841693#c3 + +To determine if you have SELinux enforcing or not run the 'sestatus' command. + Examples --------
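Review bot: the rewrapped line in the @@ -274 hunk, "last 32 characters of any OTP (One Time Password) generated with your Yubikey, the other", now runs well past the width the rest of the paragraph is wrapped to; rewrap the sentence so the lines stay even. The same expansion is already introduced in the verbose_otp hunk earlier in this patch; spell out "One Time Password" only at the first occurrence in the file and use plain OTP after that.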
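Review bot: the sample debug output in the @@ -283 hunk is internally inconsistent: the ID it prints, "cccccclabcab", is not the first 12 characters of the OTP on the same line, "ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe" (those are "ccccccclabca"), which contradicts the preceding line's own "token_id set to 12 and token OTP always 32" and the file's earlier "remove the last 32 characters" instruction; replace the sample with a consistent OTP/ID pair so a reader checking their own output against it is not misled. Two further points on the same hunk. The "Fast way" has the user emit an OTP straight into an interactive shell (the sample shows bash rejecting it as a command), which writes the OTP into the shell history file, and because no validation server ever saw it, it remains a usable credential until a later OTP from the same key has been validated; the text should say so and suggest pressing the button into a text editor or the Modhex calculator field instead, or removing the line from the history afterwards. Likewise the "Harder way" depends on 'debug', which prints every entered OTP and the token ID to the terminal and to wherever the module's debug output is collected; tell readers to turn debug off again once the ID is in the mapping file. Finally, the new subsection titles "Fast way" and "Harder way" are underlined with "=", which in AsciiDoc is the document-title level, while every other heading in this file, including the new "Yubico PAM module and SELinux.", uses "-"; use the file's own underline style, drop the trailing period from the SELinux heading, write "workaround" as one word, and use the "Yubikey" and "PAM module" capitalisation used elsewhere in the file (the new text has "yubikey" and "pam module").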