Can anyone help me get in touch with the maintainer of the yubico-pam module? I am working on some changes and would like to get them integrated into the official release. In the mean time, i'll post the patch against version 1.11 here for others to try and provide feedback.
These modifications change some of the assumptions made with the official code.
1) Only one option is valid on the pam module line: conf=somefile. This update assumes a default location of /etc/yubico-pam.conf but this can be overridden with the above argument. yubico-pam.conf is a simple configuration file with option=value entries. An example is provided with the patch.
2) Yubikey IDs are no longer looked up either in a system auth file or a user auth file but both. Three possible locations can contain Yubikey IDs: LDAP, user auth file, system auth file. All three sources are searched in said order and all possible keys are accumulated for the user attempting to login. When the OTP is extracted from the entered password the key is checked against all possible options. This results in a minor change to the .yubico/authorized_keys format. Its no longer 'user:id:id' but just 'id:id' or simply 'id'. No need for the username. The default system authfile is now /etc/yubico-pam.auth but can be overridden in the config file.
3) A new configuration option 'require' is available if you want to require all users to have a yubikey. If this is not set and a user doesn't have a yubikey id associated with their user id, the yubico-pam module will return success and pass control to the next pam module.
4) Extra checks against the given password/OTP are used to prevent segfaults due to bad memory accesses.
Notes: This patch also contains the 64-bit changes also available in this forum
I have tested all the features except LDAP but they should work. If you run into issues please post feedback and I'll try to fix them.
http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates3.patch
Login
FAQ
Search
