PMouse wrote:
I'm enjoying my Yubikey very much. Perhaps, too much. I'm trying to use it for just about everything and I'm having trouble with one aspect of the yubico_pam module: secure communication with the yubico authentication server.
When specifying 'url=https://api.yubico.com/...' as shown in the documentation, a wide variety of errors result. Here is a short list:
Error 101: ykclient could not parse server response
SELinux error regarding NIS
SELinux error regarding writing to key4.db
I know, with OTP this isn't nearly as big a problem. But, I just cannot get over the idea that authentication traffic, whatever its nature, is being sent in the clear.
(1) Is this the right place for yubico_pam questions?
(2) Is this a permanent problem that will always exist? Will there be a version of yubico_pam that is secure by default for all PAM services? It doesn't seem like this is actually possible.
(2.5) If not, what is best we can hope for?
(3) Should I create a local SELinux policy to allow these actions? Or, is it a rabbit hole? If I create a policy to allow write to key4.db, will another policy error pop up after that? Is it safe to allow SSHD to write to key4.db? I'd rather not enable any behavior globally.
Yubico-PAM supports either HTTPS mode (as you were trying to use) or HMAC-based mode, where you supply a shared symmetric key with the id/key parameters. In the latter case, communication will still not be encrypted, but it will be integrity protected so you can be sure that you are getting the right answer.
It sounds as if your issues are with SELinux and/or Curl being linked to NSS. Sounds like you are on some Fedora/RedHat system? I'm afraid that nobody has tried this combination, but we would appreciate it if you figure it out and follow up in this thread with instructions on how to get it working. HTTPS does work fine on Debian/Ubuntu systems, although I'm not sure it also works when SELinux is enabled.
Good luck!
/Simon
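To make the integrity-protected mode concrete, here is an added example (not code from the thread, the pam module or Yubico) of what a client does with the shared symmetric key that Simon refers to. It follows the signing scheme of Yubico's validation protocol v2.0: the server's "h" field is the base64 of an HMAC-SHA1 computed with the base64-decoded API key over the other key=value pairs, sorted by key and joined with "&". The API key, OTP, nonce and response text below are constructed for the demo; a real client would compare against its own request and use its own key id. Note that the checks on nonce and otp matter as much as the HMAC: a correctly signed answer for somebody else's request is still the wrong answer.

```python
import base64
import hashlib
import hmac


def parse_response(body: str) -> dict:
    """Parse the key=value lines of a validation-server response."""
    params = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key] = value
    return params


def sign_params(params: dict, api_key_b64: str) -> str:
    """HMAC-SHA1 over sorted 'k=v' pairs joined by '&', excluding 'h'; base64 output."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_response(body: str, api_key_b64: str, expected_otp: str, expected_nonce: str) -> bool:
    """Accept the response only if the signature, the echoed OTP and nonce, and the status all check out."""
    params = parse_response(body)
    if "h" not in params:
        return False  # unsigned response: cannot trust it in HMAC mode
    if not hmac.compare_digest(sign_params(params, api_key_b64), params["h"]):
        return False  # tampered or signed with a different key
    if params.get("otp") != expected_otp or params.get("nonce") != expected_nonce:
        return False  # a valid answer, but not to the question we asked
    return params.get("status") == "OK"


def build_signed_response(params: dict, api_key_b64: str) -> str:
    """Constructed helper that mimics the server side, so the example runs offline."""
    signed = dict(params)
    signed["h"] = sign_params(params, api_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in signed.items())


# Constructed demo values (not real credentials).
DEMO_API_KEY = base64.b64encode(b"0123456789abcdef").decode("ascii")
DEMO_OTP = "cccccccbchvtcjicdgeckuvuibgjdbcbfufvtjhvfecc"
DEMO_NONCE = "4f6a2e1c9b7d3e8a1c5f"
SAMPLE_RESPONSE = build_signed_response(
    {
        "t": "2024-01-01T12:00:00Z0123",
        "otp": DEMO_OTP,
        "nonce": DEMO_NONCE,
        "sl": "100",
        "status": "OK",
    },
    DEMO_API_KEY,
)


def demo() -> bool:
    """Returns True when the constructed response verifies under the demo key."""
    return verify_response(SAMPLE_RESPONSE, DEMO_API_KEY, DEMO_OTP, DEMO_NONCE)


if __name__ == "__main__":
    print("verified:", demo())
```

In a real deployment the key and id come from Yubico's API key signup, and the same HMAC is also placed on the outgoing request so the server can reject forged queries; the example only shows the response side, which is the part that decides whether the login succeeds.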