ReadMe
Installation and configuration of the Yubico PAM module
Yubico PAM module

The Yubico PAM module provides an easy way to integrate the Yubikey into your existing user authentication infrastructure. PAM is used by GNU/Linux, Solaris and Mac OS X for user authentication, and by other specialized applications such as NCSA MyProxy.

Status and Roadmap

The module is working for multi-user systems. It does not support disconnected mode; for that there is another Yubico PAM module that uses the AES key.

The development community is co-ordinated via Google Code: http://code.google.com/p/yubico-pam/

The license for pam_yubico is the 2-clause BSD license, which is compatible with the Linux-PAM BSD/GPL license. See the file COPYING for more information.

Building from SVN

Skip to the next section if you are using an official packaged version.

You may check out the sources using SVN with the following command:

  svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam

This will create a directory 'yubico-pam'. Enter the directory:

  cd yubico-pam

Autoconf, automake and libtool must be installed. Generate the build system using:

  autoreconf --install

Building

You will need to have libykclient (ykclient.h, libykclient.so) and libpam-dev (security/pam_appl.h, libpam.so) installed. Get the ykclient library from: http://code.google.com/p/yubico-c-client/

It in turn requires Curl, which you need to have installed.

The build system uses Autoconf; to set up the build system run:

  ./configure

Use --without-ldap to disable ldap support.

Then build the code, run the self-test and install the binaries:

  make check install

Configuration

Install it in your PAM setup by adding a line to an appropriate file in /etc/pam.d/:

  auth sufficient pam_yubico.so id=16 debug

and move pam_yubico.so into /lib/security/:

  mv /usr/local/lib/security/pam_yubico.so /lib/security/

For more information, see the project Wiki page.

Supported PAM module parameters are:

"id": to indicate your client identity.
"key": to indicate your client key in base64 format.
"debug": to enable debug output to stdout.
"alwaysok": to enable that all authentication attempts should succeed
(aka presentation mode).
"try_first_pass":
Before prompting the user for their password, the module first
tries the previous stacked module's password in case that satisfies
this module as well.
"use_first_pass":
The argument use_first_pass forces the module to use a previous
stacked module's password and will never prompt the user - if no
password is available or the password is not appropriate, the user
will be denied access.
"url": specify the URL template to use. This is set by calling
yubikey_client_set_url_template, which uses by default:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
"ldapserver": specify the ldap server host (the default ldap port is used).
"ldapdn": specify the dn where the users are stored
(eg: ou=users,dc=domain,dc=com).
"user_attr": specify the attribute used to store usernames (eg: cn).
"yubi_attr": specify the attribute used to store the yubikey id.

If you are using "debug" you may find it useful to create a world-writable log file:

  touch /var/run/pam-debug.log
  chmod go+w /var/run/pam-debug.log

Examples

If you want to use the Yubikey to authenticate you on linux console logins, add the following to the top of /etc/pam.d/login:

  auth sufficient pam_yubico.so id=16 debug

Feedback

If you want to discuss anything related to the Yubico PAM module, please contact Simon Josefsson <simon@yubico.com>.
This also works for ssh on debian etch at least.
Follow the exact same instructions but add "auth sufficient pam_yubico.so id=16 debug" to /etc/pam.d/ssh at the top!! and then edit /etc/ssh/sshd_config and make sure that...

  ChallengeResponseAuthentication yes
  UsePAM yes

Not required but good practice:

  PermitRootLogin no
timm
Only problem with that simple ssh config is that that should let anyone with a Yubikey access to any account?
This is very true and it is one of the issues, in the issues list; support for multiple users and support for multifactor authentication.
But currently you are correct anyone with a Yubikey can logon using this PAM module.
I think this should work just like key authentication in ssh. You simply add the user's unique yubikey ID (first 12 chars) to an authorized_yubikeys file within the user's ~/.ssh directory.
I second that. It's a proven solution.
You should add the following parameter:
"authfile": specify a system-wide user / key lookup file.
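As an added example (not code from the page or from the pam_yubico project), the following Python shows the user-to-key binding this thread is asking for, plus the "url" template from the parameter list above. It assumes a line format of "user:publicid" for the proposed authfile (the page does not define one), a constructed sample authfile and sample OTP, and the Yubico OTP properties that an OTP is 44 ModHex characters (alphabet cbdefghijklnrtuv) whose first 12 characters are the key's public identity, as the comment above notes. The local check only answers "is this key enrolled for this account"; the OTP itself still has to be verified against the validation server.

```python
"""Added example: bind a Yubikey public id to a user before online verification.

Not part of pam_yubico. The authfile format (user:publicid per line) is an
assumption for illustration; the 44/12-character OTP layout and the ModHex
alphabet are properties of Yubico OTPs.
"""
from urllib.parse import quote

MODHEX_ALPHABET = set("cbdefghijklnrtuv")   # Yubico ModHex digits
PUBLIC_ID_LEN = 12                          # first 12 chars identify the key
OTP_LEN = 44                                # public id + 32-char encrypted part

# Constructed sample authfile (not from a real system).
SAMPLE_AUTHFILE = """\
# user:yubikey public id  -- a user may have more than one key
alice:ccccccbcgujh
bob:cccccccfbjrj
alice:ccccccdvhbvc
"""

# Constructed sample OTP whose public id is alice's first key.
SAMPLE_OTP_ALICE = "ccccccbcgujh" + "hjlfkhvcuivhrjdfkltnnbcdcvgfhlkj"

# Default template quoted on the page for the "url" parameter.
DEFAULT_URL_TEMPLATE = "http://api.yubico.com/wsapi/verify?id=%d&otp=%s"


def public_id(otp: str) -> str:
    """Return the 12-char public identity of a well-formed OTP, else raise."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX_ALPHABET:
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:PUBLIC_ID_LEN]


def parse_authfile(text: str) -> dict:
    """Map each user to the set of public ids enrolled for them.

    Malformed lines are an error rather than skipped: a typo in the file
    should fail closed instead of silently dropping an enrolment.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not line:
            continue
        user, sep, pid = line.partition(":")
        if (not sep or not user or len(pid) != PUBLIC_ID_LEN
                or not set(pid) <= MODHEX_ALPHABET):
            raise ValueError(f"authfile line {lineno}: malformed entry")
        mapping.setdefault(user, set()).add(pid)
    return mapping


def key_belongs_to_user(authfile: dict, user: str, otp: str) -> bool:
    """True only if the OTP's public id is enrolled for exactly this user.

    Any Yubikey not listed for the account (or a malformed OTP) is rejected,
    which closes the "any Yubikey opens any account" gap raised in the thread.
    """
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in authfile.get(user, set())


def verify_url(client_id: int, otp: str, template: str = DEFAULT_URL_TEMPLATE) -> str:
    """Fill the page's URL template (%d = client id, %s = OTP).

    The OTP is validated for shape first and URL-encoded before substitution.
    """
    public_id(otp)                              # raises on a malformed OTP
    return template % (client_id, quote(otp.strip(), safe=""))


if __name__ == "__main__":
    enrolled = parse_authfile(SAMPLE_AUTHFILE)
    for user in ("alice", "bob"):
        ok = key_belongs_to_user(enrolled, user, SAMPLE_OTP_ALICE)
        print(f"{user}: key enrolled -> {ok}")
    print("would verify at:", verify_url(16, SAMPLE_OTP_ALICE))
```

In a real deployment the authfile would be root-owned and not writable by users, and the online verification (the "url" step) would run only after the local binding succeeds, so a stolen or borrowed key cannot be used against an account it was never enrolled for.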