Yubico Forum

The Yubico PAM Module seems to require changes to the PAM stack for each user that will be authenticated with a YubiKey. Specifically, it seems that each user's client identity must be added to the right PAM configuration file before the user can be authenticated.

While it makes sense to add authorized keys to an authentication database such as /etc/yubikey_mappings or ~/.yubico/authorized_yubikeys, it seems like a bad practice to have to edit the PAM stack itself for each individual user. I would definitely like to avoid having to hard-code user identities into the PAM stack this way.

So, is it possible to avoid hard-coding the id parameter to the pam_yubico.so module itself? If not, are there any other PAM modules that can leverage YubiKey authentication without hard-coding the stack?

The id parameter to the PAM module indicates the API key ID, not the user ID. This ID is returned with the key you get from the "Get API Key" form if you're using the public service, or it's in the "clients" table for your internal validation server, along with the API key.

To clarify, when documentation talks about a "client", that's a piece of software requesting authentication services from the API -- a user submits an OTP to the client, which submits it to the server in a request signed with the API key.