updates from yubico-pam README

ReadMe.asciidoc

@@ -177,8 +177,8 @@ Supported PAM module parameters are:
 		respectively.
 
   "verbose_otp":
-                This argument is used to show the OTP when it is entered,
-		i.e. to enable terminal echo of entered characters.
+                This argument is used to show the OTP (One Time Password) when it
+                is entered, i.e. to enable terminal echo of entered characters.
                 You are advised to not use this, if you are using two factor
                 authentication because that will display your password on the
                 screen.
@@ -246,8 +246,8 @@ each user you want to allow onto the system using a Yubikey.
 The mappings should look like this, one per line:
 
 ------
-   <user name>:<Yubikey token ID>:<Yubikey token ID>:….
-   <user name>:<Yubikey token ID>:<Yubikey token ID>:….
+   <first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
+   <second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….
 ------
 
 Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it
@@ -265,7 +265,7 @@ directory and places the mapping in that file, the file must have only one
 line:
 
 ------
-   <user name>:<Yubikey token ID>:<Yubikey token ID>
+   <user name>:<Yubikey token ID1>:<Yubikey token ID2>
 ------
 
 This is much the same concept as the SSH authorized_keys file.
@@ -274,7 +274,7 @@ This is much the same concept as the SSH authorized_keys file.
 Obtaining the Yubikey token ID (a.k.a. public ID)
 -------------------------------------------------
 You can obtain the Yubikey token ID in two places. One is by removing the
-last 32 characters of any OTP generated with your Yubikey, the other
+last 32 characters of any OTP (One Time Password) generated with your Yubikey, the other
 is by using the modhex calculator located here :
 
 http://radius.yubico.com/demo/Modhex_Calculator.php
@@ -283,6 +283,54 @@ Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and li
 
    Modhex encoded: XXXXXXX
 
+
+Not sure what that last bit meant? Here is how to get a copy of your OTP.
+
+Fast way
+========
+* Open a terminal
+* Press yubikey button
+
+It will output an OTP into the shell:
+
+------
+    $ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
+   bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
+------
+
+This can be pasted into the Modhex_Calculator page.
+
+Harder way
+==========
+This requires you to have the pam module enabled with 'debug' turned on. When
+prompted for the yubikey press the button. The pam module will print out debug
+information including the OTP and ID of your token to the shell - copy the ID
+into your config file and you should be up and going.
+
+------
+   Yubikey for `youruser': 
+   [pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes
+   [pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
+   [pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab 
+------
+
+
+Yubico PAM module and SELinux.
+------------------------------
+Users with SELinux in enforcing mode (the default on Fedora 17+) may experience
+login problems with services including those validated via
+polkit-agent-helper-1, sshd and login.
+
+This is documented in the PAM Yubico issue tracker [1] and Red Hat bugzilla
+including a work around [2] for ssh (Equivalent files could be created for
+other services). Systems in 'permissive' mode will generate AVC warnings but
+authentication will succeed.
+
+[1] http://code.google.com/p/yubico-pam/issues/detail?id=43
+[2] https://bugzilla.redhat.com/show_bug.cgi?id=841693#c3
+
+To determine if you have SELinux enforcing or not run the 'sestatus' command.
+
 Examples
 --------