Yubico Forum

Hello,

I use yubico-pam in challenge-response mode for local logins on Linux. Yubico-pam uses libyubikey (yubico-c) to access the key.

Now I've got an ACR122 USB NFC reader. Having installed pcscd, I got the openpgp functionality of the Neo working over NFC right out of the box.

However, apparently libyubikey does not know that the key can be reached via pcsc as an alternative to USB, so the PAM module cannot access the key over NFC (and probably ykpersonalize and friends won't work either).

Am I missing something? Or this functionality indeed isn't implemented? If the latter, what is the "official position" (plans, recommendations) on this matter? I might be able to make it work and submit patches to yubico-c (or yubico-pam?) but I'd rather first listen what the staff/others have to say.

Thank you,

Eugene

Hello!

From Yubico's side we have no plans to implement something like this, but I'll describe a way this could be implemented (in a way that we'd be happy to merge back)..

First a bit of background, the two library components that we're talking about here is:
* libyubikey: software to do modhex encode/decode and decrypt OTP
* libykpers: software for actually talking with/programing a YubiKey

It should be possible to add a pcsc backend to libykpers (along the lines of https://github.com/Yubico/yubikey-perso ... ore_stub.c). In the current implementation backends are only selected at compile-time (as they're right now mutually-exclusive), to actually be usable this would have to be extended to a runtime selectable interface where the pam module could request which backend to use.

/klas

Thanks for the explanation Klas. I'll see what I can do here.