Yubico Forum

@Klaus
Sincere apologies for not fully comprehending your original question ... Take 2

Your question raised a very good point in that even with the AES key you also need to know your UID which if you don't have some tool to decode one of your Yubikey OTP's becomes somewhat difficult. Thus I pushed out an update last night (1.0.1) which adds a simpler method for adding pre-existing Yubikey's to the database.

In order to add your Yubikey as of 1.0.1, you can now get away with just a generated OTP and the corresponding AESKEY. This would be invoked as:

Where the OTP is that generated by the Yubikey. You can also add the Yubikey, provided you have sufficient privileges, for an alterative user (eg. joe.smith) by adding the "-u" flag as follows:

Let me know how you go


@ Simon
I too believe that these projects would be great merged under the same umbrella. I'm am keen to hear (read) thoughts on a way ahead to merge these two projects into an uber Yubikey PAM module.

_________________
http://www.securixlive.com/yubipam

Thanks for your help. Everything works as expected now, and I have been able to use a YubiKey generated OTP for logging into a local, PAM controlled service.

Cheers,
Klaus

Excellent!

Version 1.0.2 will be released very soon which will ensure it will behave when stacked with other modules (identified by gorkab) along with some well needed cleaning up of the code

With the code base stabilising, future improvements will be focused towards the administration of database. Such as the updating and reprogramming of yubikey's from a centralised tool.

If you have any features/improvements that you would like added then just let me know.

_________________
http://www.securixlive.com/yubipam

i haven't had a chance to debug anything, but is anyone else having trouble using this pam module in a stack with the gnome-screensaver?

this module works fine in GDM in a stack with the regular unix login as a second factor, it *should* be ok for the screensaver too, but it doesn't appear to be happy.

G'day gorkab,

I've been working on integrating a patch this week for that very thing, I have it all working and authenticating just nicely, but am just cleaning up some documentation supporting the fixes.

It will be released in the next 48 hours, and I'll update the post of changes.

_________________
http://www.securixlive.com/yubipam

in case anyone is following along, this pam module now works for unlocking screensaver modules.

Using this for offline authentication to my laptop and loving it. I wanted to set it up to also lock my workstation when my yubikey wasn't present so I set that up. I wrote up a small how to over in another section, here's the link viewtopic.php?f=11&t=246

The link for this project appears to be broken.

I found the package for 1.0.4.

I installed the setup for kicking in the screensaver when unplugged and that worked fine. I just changed my /etc/pam.d/gnome-screensaver file to read:

@include common-auth
auth optional pam_gnome_keyring.so
auth sufficient pam_yubikey.so

I then changed my /etc/pam.d/gdm to be as follows:

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
auth sufficent pam_yubikey.so
@include common-account
session required pam_limits.so
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password

and could not login. I kept getting an invalid key.

I'm running Ubuntu 8.10. Any ideas?

I take it you're unable to login from this point, however I use it for all services and not just gdm, or screensaver. I did this by placing



in /etc/pam.d/common-auth

_________________
http://www.securixlive.com/yubipam