Yubico Forum


All times are UTC + 1 hour




Posted: Wed Sep 03, 2008 4:51 am
Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
@Klaus
Sincere apologies for not fully comprehending your original question ... Take 2

Your question raised a very good point in that even with the AES key you also need to know your UID, which, if you don't have some tool to decode one of your Yubikey OTPs, becomes somewhat difficult. Thus I pushed out an update last night (1.0.1) which adds a simpler method for adding pre-existing Yubikeys to the database.

In order to add your Yubikey as of 1.0.1, you can now get away with just a generated OTP and the corresponding AESKEY. This would be invoked as:
Code:
ykpasswd -k secret -o OTP

Where the OTP is that generated by the Yubikey. You can also add the Yubikey, provided you have sufficient privileges, for an alternative user (e.g. joe.smith) by adding the "-u" flag as follows:
Code:
ykpasswd -u joe.smith -k secret -o OTP

Let me know how you go :)


@ Simon
I too believe that these projects would be great merged under the same umbrella. I am keen to hear (read) thoughts on a way ahead to merge these two projects into an uber Yubikey PAM module.

_________________
http://www.securixlive.com/yubipam


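What the post above describes, recovering the UID from a generated OTP plus its AES key, shown as an added example (not yubipam's code; how `ykpasswd` does this internally is not shown on this page). It assumes the standard Yubikey OTP layout, a modhex public ID followed by one AES-128 block whose first six bytes are the UID, and the third-party `cryptography` package; `decode_otp`, `make_sample_otp` and the sample key are constructed for illustration.

```python
import struct
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HEX, MODHEX = "0123456789abcdef", "cbdefghijklnrtuv"
CRC_OK_RESIDUE = 0xF0B8  # CRC-16 over all 16 bytes of an intact token

def modhex_to_bytes(text):
    return bytes.fromhex(text.translate(str.maketrans(MODHEX, HEX)))

def bytes_to_modhex(data):
    return data.hex().translate(str.maketrans(HEX, MODHEX))

def crc16(data):
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def aes_block(key_hex, block, encrypt=False):
    cipher = Cipher(algorithms.AES(bytes.fromhex(key_hex)), modes.ECB())
    ctx = cipher.encryptor() if encrypt else cipher.decryptor()
    return ctx.update(block) + ctx.finalize()

def decode_otp(otp, key_hex):
    """Decrypt one OTP; raise ValueError if the AES key does not fit it."""
    otp = otp.strip().lower()
    if len(otp) < 32 or set(otp) - set(MODHEX):
        raise ValueError("not a modhex OTP")
    plain = aes_block(key_hex, modhex_to_bytes(otp[-32:]))
    if crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or damaged OTP")
    uid, use_ctr, ts_low, ts_high, session_ctr, _rnd, _crc = struct.unpack(
        "<6sHHBBHH", plain)
    return {"public_id": otp[:-32], "uid": uid.hex(), "use_counter": use_ctr,
            "session_counter": session_ctr, "timestamp": ts_high << 16 | ts_low}

def make_sample_otp(key_hex, public_id="cccccccccccb"):
    """Constructed token standing in for a key press on a real Yubikey."""
    body = struct.pack("<6sHHBBH", bytes.fromhex("a1b2c3d4e5f6"),
                       19, 0x1234, 0x05, 3, 0xBEEF)
    plain = body + struct.pack("<H", crc16(body) ^ 0xFFFF)
    return public_id + bytes_to_modhex(aes_block(key_hex, plain, encrypt=True))

SAMPLE_KEY = "000102030405060708090a0b0c0d0e0f"  # constructed, not a real secret
if __name__ == "__main__":
    print(decode_otp(make_sample_otp(SAMPLE_KEY), SAMPLE_KEY))
```

The CRC check is what tells a matching AES key from a wrong one: with the wrong key the decrypted block is noise and the residue does not come out as 0xF0B8.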

Posted: Fri Sep 05, 2008 3:16 pm

Joined: Mon Aug 25, 2008 9:46 am
Posts: 9
firnsy wrote:
In order to add your Yubikey as of 1.0.1, you can now get away with just a generated OTP and the corresponding AESKEY. This would be invoked as:
Code:
ykpasswd -k secret -o OTP
   […]
Let me know how you go :)

Thanks for your help. Everything works as expected now, and I have been able to use a YubiKey generated OTP for logging into a local, PAM controlled service. :)

Cheers,
Klaus


Posted: Mon Sep 08, 2008 2:13 am

Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
Excellent!

Version 1.0.2 will be released very soon which will ensure it will behave when stacked with other modules (identified by gorkab) along with some well needed cleaning up of the code :)

With the code base stabilising, future improvements will be focused towards the administration of the database, such as the updating and reprogramming of Yubikeys from a centralised tool.

If you have any features/improvements that you would like added then just let me know.

_________________
http://www.securixlive.com/yubipam


Posted: Tue Sep 23, 2008 9:39 pm

Joined: Sat Jul 05, 2008 9:21 pm
Posts: 10
I haven't had a chance to debug anything, but is anyone else having trouble using this PAM module in a stack with the gnome-screensaver?

This module works fine in GDM in a stack with the regular unix login as a second factor; it *should* be ok for the screensaver too, but it doesn't appear to be happy.


Posted: Wed Sep 24, 2008 2:02 am

Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
G'day gorkab,

I've been working on integrating a patch this week for that very thing. I have it all working and authenticating just nicely, but am just cleaning up some documentation supporting the fixes.

It will be released in the next 48 hours, and I'll update the post of changes.

_________________
http://www.securixlive.com/yubipam


Posted: Tue Oct 07, 2008 5:04 pm

Joined: Sat Jul 05, 2008 9:21 pm
Posts: 10
In case anyone is following along, this PAM module now works for unlocking screensaver modules.


Posted: Thu Jan 29, 2009 8:16 pm

Joined: Tue Nov 25, 2008 9:25 pm
Posts: 8
Using this for offline authentication to my laptop and loving it. I wanted to set it up to also lock my workstation when my Yubikey wasn't present, so I set that up. I wrote up a small how-to over in another section; here's the link: viewtopic.php?f=11&t=246


Posted: Thu Feb 12, 2009 4:27 pm

Joined: Tue Jan 27, 2009 4:00 pm
Posts: 5
The link for this project appears to be broken.


Posted: Thu Feb 12, 2009 6:17 pm

Joined: Tue Jan 27, 2009 4:00 pm
Posts: 5
I found the package for 1.0.4.

I installed the setup for kicking in the screensaver when unplugged and that worked fine. I just changed my /etc/pam.d/gnome-screensaver file to read:

@include common-auth
auth optional pam_gnome_keyring.so
auth sufficient pam_yubikey.so

I then changed my /etc/pam.d/gdm to be as follows:

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
auth sufficent pam_yubikey.so
@include common-account
session required pam_limits.so
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password

and could not login. I kept getting an invalid key.

I'm running Ubuntu 8.10. Any ideas?


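A syntax check for PAM stacks like the two posted above, added here as an example and not part of the original post or of yubipam: it validates each rule's type and control fields against the keywords and `[value=action]` form that Linux-PAM documents. `lint_pam` and `control_error` are names made up for this example; the sample input is the auth portion of the gdm file exactly as posted.

```python
import re

TYPES = {"auth", "account", "password", "session"}
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}
RULE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)(?:\s+(\S+))?")

def control_error(control):
    """Return None for a valid control field, otherwise a description."""
    if not control.startswith("["):
        return None if control.lower() in KEYWORDS else f"unknown control '{control}'"
    for item in control.strip("[]").split():
        value, _, action = item.partition("=")
        if not value or not (action in ACTIONS or action.isdigit()):
            return f"bad [value=action] item '{item}'"
    return None

def lint_pam(text):
    """Return [(line_number, message)] for rules with an invalid field."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue  # blank, comment, or Debian-style include directive
        match = RULE.match(line)
        if not match:
            findings.append((number, "expected: type control module [args]"))
            continue
        kind, control, module = match.groups()
        if kind.lower() not in TYPES:
            findings.append((number, f"unknown type '{kind}'"))
        if control_error(control):
            findings.append((number, control_error(control)))
        if module is None:
            findings.append((number, "missing module"))
    return findings

# Auth portion of /etc/pam.d/gdm as posted above (copied, not a recommended stack)
GDM_STACK = """\
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
auth sufficent pam_yubikey.so
"""
if __name__ == "__main__":
    print(lint_pam(GDM_STACK))
```

Run over the posted gdm lines, it reports line 7, where the control field reads `sufficent`; the posted gnome-screensaver stack passes cleanly.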
Posted: Fri Feb 13, 2009 7:54 am

Joined: Mon Jun 23, 2008 1:19 am
Posts: 12
I take it you're unable to login from this point, however I use it for all services and not just gdm, or screensaver. I did this by placing

Code:
auth sufficient pam_yubikey.so


in /etc/pam.d/common-auth

_________________
http://www.securixlive.com/yubipam

