Installation and configuration of the Yubico PAM module
Featured, Phase-Deploy
Updated Sep 9, 2010 by simonyub...@gmail.com

Yubico PAM module

The Yubico PAM module provides an easy way to integrate the Yubikey into your existing user authentication infrastructure. PAM is used by GNU/Linux, Solaris and Mac OS X for user authentication, and by other specialized applications such as NCSA MyProxy.

Status and Roadmap

The module works for multi-user systems. It does not support disconnected mode; for that there is another Yubico PAM module that uses the AES key.

The development community is co-ordinated via Google Code:

http://code.google.com/p/yubico-pam/

The license for pam_yubico is the 2-clause BSD license, which is compatible with the Linux-PAM BSD/GPL license. See the file COPYING for more information.

Building from SVN

Skip to the next section if you are using an official packaged version.

You may check out the sources using SVN with the following command:

  svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam

This will create a directory 'yubico-pam'. Enter the directory:

  cd yubico-pam

Autoconf, automake and libtool must be installed.

Generate the build system using:

  autoreconf --install

Building

You will need to have libykclient (ykclient.h, libykclient.so) and libpam-dev (security/pam_appl.h, libpam.so) installed. Get the ykclient library from:

http://code.google.com/p/yubico-c-client/

It in turn requires Curl, which you need to have installed.

The build system uses Autoconf. To set up the build, run:

  ./configure

Use --without-ldap to disable ldap support.

Then build the code, run the self-test and install the binaries:

  make check install

Configuration

Install it in your PAM setup by adding a line to an appropriate file in /etc/pam.d/:

  auth sufficient pam_yubico.so id=16 debug

and move pam_yubico.so into /lib/security/:

  mv /usr/local/lib/security/pam_yubico.so /lib/security/

For more information, see the project Wiki page.

Supported PAM module parameters are:

  "authfile":   to indicate the location of the file that holds the
                mappings of yubikey token IDs to user names.

  "id":         to indicate your client identity.

  "key":        to indicate your client key in base64 format.

  "debug":      to enable debug output to stdout.

  "alwaysok":   to enable all authentication attempts to succeed
                (aka presentation mode).

  "try_first_pass":
                Before prompting the user for their password, the module first
                tries the previous stacked module's password in case that
                satisfies this module as well.

  "use_first_pass":
                Forces the module to use a previous stacked module's password
                and never prompt the user; if no password is available or the
                password is not appropriate, the user is denied access.

  "url":        specify the URL template to use. This is passed to
                yubikey_client_set_url_template and defaults to:
                http://api.yubico.com/wsapi/verify?id=%d&otp=%s

  "verbose_otp":
                Show the OTP as it is entered, i.e. enable terminal echo of
                the entered characters. You are advised not to use this if
                you are using two-factor authentication, because it will
                display your password on the screen.

                This requires the service using the PAM module to display
                custom fields. For example, OpenSSH requires you to
                configure "ChallengeResponseAuthentication no".

  "ldap_uri":   specify the LDAP server URI (e.g. ldap://localhost).

  "ldapserver": specify the LDAP server host (default LDAP port is used).
                Deprecated. Use "ldap_uri" instead.

  "ldapdn":     specify the dn where the users are stored
                (eg: ou=users,dc=domain,dc=com).

  "user_attr":  specify the LDAP attribute used to store user names (eg:cn).

  "yubi_attr":  specify the LDAP attribute used to store the yubikey id.

If you are using "debug" you may find it useful to create a world-writable log file:

  touch /var/run/pam-debug.log 
  chmod go+w /var/run/pam-debug.log 

Authorization Mapping Files

A mapping must be made between the yubikey token ID and the user ID it is attached to. There are two ways to do this: centrally, in one file, or individually, where each user creates the mapping in their home directory. The two are mutually exclusive: if the central authorization mapping file is used, user home directory mappings are ignored, and if user home directory mappings are used, the central authorization mapping file is ignored.

Centrally

Create /etc/yubikey_mappings. For each user you want to allow onto the system using a yubikey, the file must contain the user name and the yubikey token ID(s), separated by colons (the same format as the passwd file).

The mappings should look like this, one per line:

<user name>:<yubikey token ID>:<yubikey token ID>:….
<user name>:<yubikey token ID>:<yubikey token ID>:….

Now add authfile=/etc/yubikey_mappings to your PAM configuration line, so it looks like:

auth sufficient pam_yubico.so id=16 authfile=/etc/yubikey_mappings

Individual, by user

Each user creates a ~/.yubico/authorized_yubikeys file inside their home directory and places the mapping in that file. The file must contain only one line:

<user name>:<yubikey token ID>:<yubikey token ID>

This is much the same concept as the SSH authorized_keys file.

Obtaining the yubikey token ID

You can obtain the yubikey token ID in two ways: either capture the first twelve characters of any OTP generated with your yubikey, or use the modhex calculator located here:

http://radius.yubico.com/demo/Modhex_Calculator.php

Enter your yubikey OTP and convert it. Your yubikey token ID is the 12-character value listed as:

Modhex encoded: XXXXXXX
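As an added example (not code from the page or from the pam_yubico project), the following Python parses the mapping file format described above, extracts the 12-character token ID from an OTP, checks it against the mapping, and performs the modhex-to-hex conversion the calculator does. The mapping file contents and the OTP are constructed sample data, not real tokens.

```python
# Constructed example, not pam_yubico code; the sample data below is made up.

# Modhex alphabet used by the YubiKey; a character's position is its nibble.
MODHEX = "cbdefghijklnrtuv"
TOKEN_ID_LEN = 12  # the token ID is the first 12 characters of any OTP

def is_modhex(s):
    return len(s) > 0 and all(ch in MODHEX for ch in s)

def modhex_to_hex(s):
    """Decode modhex into ordinary hex (what the Modhex Calculator displays)."""
    if not is_modhex(s):
        raise ValueError("not modhex: %r" % s)
    return "".join("%x" % MODHEX.index(ch) for ch in s)

def token_id_from_otp(otp):
    """Return the public token ID, i.e. the first 12 modhex characters of an OTP."""
    otp = otp.strip()
    if len(otp) < TOKEN_ID_LEN or not is_modhex(otp):
        raise ValueError("not a YubiKey OTP")
    return otp[:TOKEN_ID_LEN]

def parse_mapping_file(text):
    """Parse '<user>:<id>:<id>...' lines (the form used by both /etc/yubikey_mappings
    and ~/.yubico/authorized_yubikeys) into {user: set(ids)}; reject bad entries."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        for tid in ids:
            # A whole OTP pasted instead of its first 12 characters is rejected here.
            if len(tid) != TOKEN_ID_LEN or not is_modhex(tid):
                raise ValueError("line %d: %r is not a token ID" % (lineno, tid))
        mapping.setdefault(user, set()).update(ids)
    return mapping

def user_authorized(mapping, user, otp):
    """True if the token that produced `otp` is mapped to `user`."""
    return token_id_from_otp(otp) in mapping.get(user, set())

# Constructed sample mapping file and OTP (not real tokens).
SAMPLE_MAPPINGS = """# /etc/yubikey_mappings
alice:cccccccbnvcr:ccccccdgjkli
bob:ccccccbdfghi
"""
SAMPLE_OTP = "cccccccbnvcr" + "dgjklnrtuvbcdefghijklnrtuvbcdefg"  # alice's token
```

Note that this only answers "is this token mapped to this user"; whether the OTP itself is valid and unused is still decided by the verification server the module talks to.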

Examples

If you want to use the Yubikey to authenticate you on linux console logins, add the following to the top of /etc/pam.d/login:

auth sufficient pam_yubico.so id=16 debug

Feedback

If you want to discuss anything related to the Yubico PAM module, please contact Simon Josefsson <simon@yubico.com>.

Comment by timm....@gmail.com, May 8, 2008

This also works for ssh on debian etch at least

Follow the exact same instructions but add "auth sufficient pam_yubico.so id=16 debug" to /etc/pam.d/ssh at the top!! and then edit /etc/ssh/sshd_config and make sure that...

ChallengeResponseAuthentication yes
UsePAM yes

Not required but good practice:

PermitRootLogin no

timm

Comment by jbsny...@gmail.com, May 20, 2008

Only problem with that simple ssh config is that that should let anyone with a Yubikey access to any account?

Comment by timm....@gmail.com, May 25, 2008

This is very true and it is one of the issues, in the issues list; support for multiple users and support for multifactor authentication.

But currently you are correct anyone with a Yubikey can logon using this PAM module.

Comment by Trinitr...@gmail.com, Jun 2, 2008

I think this should work just like key authentication in ssh. You simply add the user's unique yubikey ID (first 12 chars) to an authorized_yubikeys file within the user's ~/.ssh directory.

Comment by google%b...@gtempaccount.com, Jun 9, 2008

I second that. It's a proven solution.

Comment by cscas...@gmail.com, Jul 29, 2009

You should add the following parameter:

"authfile": specify a system-wide user / key lookup file.

Comment by sardauka...@gmail.com, Jan 20, 2010

I can't complete the autoreconf --install step... Here's my output:

Can't exec "libtoolize": No such file or directory at /usr/bin/autoreconf line 190.
Use of uninitialized value $libtoolize in pattern match (m//) at /usr/bin/autoreconf line 190.
configure.ac:34: error: possibly undefined macro: AC_LIBTOOL_WIN32_DLL
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:35: error: possibly undefined macro: AC_DISABLE_STATIC
configure.ac:36: error: possibly undefined macro: AC_PROG_LIBTOOL
autoreconf: /usr/bin/autoconf failed with exit status: 1

Help?

Comment by kob...@gmail.com, Jul 5, 2010

sudo apt-get install libtool

Comment by medtra...@gmail.com, Aug 23, 2010

not working...please help...I get:

Aug 24 11:49:11 mtc4 kernel: ratelimit: 6 callbacks suppressed
Aug 24 11:49:11 mtc4 kernel: sshd[12167]: segfault at 40000500 ip b7311733 sp bfa7b8b8 error 4 in libc-2.9.so[b729e000+155000]
Aug 24 11:52:00 mtc4 test: PAM pam_get_user: NULL pam handle passed
Aug 24 11:52:00 mtc4 test: PAM pam_set_data: NULL pam handle passed
Aug 24 11:55:26 mtc4 sshd[12864]: fatal: buffer_put_cstring: s == NULL
Aug 24 11:55:26 mtc4 kernel: sshd[12878]: segfault at 40000500 ip b7180733 sp bfa58148 error 4 in libc-2.9.so[b710d000+155000]
Aug 24 12:04:39 mtc4 kernel: sshd[13804]: segfault at 40000500 ip b71d3733 sp bfd20f68 error 4 in libc-2.9.so[b7160000+155000]

And the debug log says:

[pam_yubico.c:parse_cfg(402)] [pam_yubico.c:parse_cfg(397)] called.
[pam_yubico.c:parse_cfg(398)] flags 1 argc 3
[pam_yubico.c:parse_cfg(400)] argv[0]=id=16
[pam_yubico.c:parse_cfg(400)] argv[1]=authfile=/etc/yubikey
[pam_yubico.c:parse_cfg(400)] argv[2]=debug
[pam_yubico.c:parse_cfg(401)] id=16

pam.d/login contains:

auth required pam_yubico.so id=16 authfile=/etc/yubikey debug

I have tried with "sufficient" and "requisite". Same result.

/etc/yubikey contains:

jbarwick:cccccccbnvcrnvurhegbltrlvfvhldkvikjdltdflkeg:cccccccbnvcrhbhgjchkkekijflgihulhjbfrcedltig

Any clues would be greatly appreciated.

Comment by medtra...@gmail.com, Aug 23, 2010

Oh, one more question. What is the "id=16"?? Yes, I can RTFM, so I will ask another question, "What is a client id?"

Comment by imli...@gmail.com, Sep 3, 2010

Anyone know if url= actually works? It crashes if I don't escape the %'s and it actually requests %s (not the otp) when I escape the %

Comment by yankeb...@gmail.com, Sep 10, 2010

Individual, by user scheme: two users (root and common) sharing one yubikey. root works but common doesn't. Each user created its own authorized_yubikeys file.

What could be the problem?

Comment by mat...@gmail.com, Oct 7, 2010

Client ID sure could be better documented. See here for a start: http://forum.yubico.com/viewtopic.php?f=6&t=191&start=10

Comment by northox, Nov 18, 2010

Important security notice

In order to use the secure communication to the yubico api you must use the key option. Ex: key= id=<yourClientId> authfile=<yourOtpMappingFile> key=<yourApiKey>

This will use HMAC function to authenticate the client request and the server response in a secure fashion.

You can find your client id and associated api key at https://upgrade.yubico.com/getapikey/

The documentation should be updated to reflect this.
