Yubico Forum

...visit our web-store at store.yubico.com
It is currently Fri Feb 23, 2018 7:05 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Thu Aug 25, 2011 5:01 am 
Offline

Joined: Thu Aug 25, 2011 4:29 am
Posts: 4
I'm enjoying my Yubikey very much. Perhaps, too much. I'm trying to use it for just about everything and I'm having trouble with one aspect of the yubico_pam module: secure communication with the yubico authentication server.

When specifying 'url=https://api.yubico.com/...' as shown in the documentation, a wide variety of errors result. Here is a short list:
Error 101: ykclient could not parse server response
SELinux error regarding NIS
SELinux error regarding writing to key4.db

I know, with OTP this isn't nearly as big a problem. But, I just cannot get over the idea that authentication traffic, whatever it's nature, is being sent in the clear.

(1) Is this the right place for yubico_pam questions?
(2) Is this a permanent problem that will always exist? Will there be a version of yubico_pam that is secure by default for all PAM services? It doesn't seem like this is actually possible.
(2.5) If not, what is best we can hope for?
(3) Should I create a local SELinux policy to allow these actions? Or, is it a rabbit hole? If I create a policy to allow write to key4.db, will another policy error pop up after that? Is it safe to allow SSHD to write to key4.db? I'd rather not enable any behavior globally.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Sep 07, 2011 10:39 am 
Offline
Site Admin
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
PMouse wrote:
I'm enjoying my Yubikey very much. Perhaps, too much. I'm trying to use it for just about everything and I'm having trouble with one aspect of the yubico_pam module: secure communication with the yubico authentication server.

When specifying 'url=https://api.yubico.com/...' as shown in the documentation, a wide variety of errors result. Here is a short list:
Error 101: ykclient could not parse server response
SELinux error regarding NIS
SELinux error regarding writing to key4.db

I know, with OTP this isn't nearly as big a problem. But, I just cannot get over the idea that authentication traffic, whatever it's nature, is being sent in the clear.

(1) Is this the right place for yubico_pam questions?
(2) Is this a permanent problem that will always exist? Will there be a version of yubico_pam that is secure by default for all PAM services? It doesn't seem like this is actually possible.
(2.5) If not, what is best we can hope for?
(3) Should I create a local SELinux policy to allow these actions? Or, is it a rabbit hole? If I create a policy to allow write to key4.db, will another policy error pop up after that? Is it safe to allow SSHD to write to key4.db? I'd rather not enable any behavior globally.


Yubico-PAM supports either HTTPS mode (as you were trying to use) or HMAC-based mode, where you supply a shared symmetric key with the id/key parameters. In the latter case, communication will still not be encrypted, but it will be integrity protected so you can be sure that you are getting the right answer.

It sounds as if your issues are with SELinux and/or Curl being linked to NSS. Sounds like you are on some Fedora/RedHat system? I'm afraid that nobody has tried this combination, but we would appreciate if you figure out and followup this thread with instructions on how to get it working. HTTPS does work fine on Debian/Ubuntu systems, although I'm not sure it also works when SELinux is enabled.

Good luck!

/Simon


Top
 Profile  
Reply with quote  
PostPosted: Tue May 26, 2015 10:23 am 
Offline

Joined: Thu Aug 25, 2011 4:29 am
Posts: 4
I don't think this is an issue any more, but I did find that I could use HTTPS.

I followed other documentation and examples I found on-line to configure pam_yubico. This module takes several parameters and I use all of the following parameters:

id
authfile
key
url

Then, in the 'url' parameter, I just use 'https:' instead of http: protocol. I think that is all that is required. That's what I see now in my PAM configuration and it has been working since then.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group