| Yubico Forum https://forum.yubico.com/ |
|
| yubico-pam patch https://forum.yubico.com/viewtopic.php?f=3&t=295 |
Page 1 of 1 |
| Author: | fergus [ Mon Mar 16, 2009 10:30 pm ] |
| Post subject: | yubico-pam patch |
Can anyone help me get in touch with the maintainer of the yubico-pam module? I am working on some changes and would like to get them integrated into the official release. In the mean time, i'll post the patch against version 1.11 here for others to try and provide feedback. These modifications change some of the assumptions made with the official code. 1) Only one option is valid on the pam module line: conf=somefile. This update assumes a default location of /etc/yubico-pam.conf but this can be overridden with the above argument. yubico-pam.conf is a simple configuration file with option=value entries. An example is provided with the patch. 2) Yubikey IDs are no longer looked up either in a system auth file or a user auth file but both. Three possible locations can contain Yubikey IDs: LDAP, user auth file, system auth file. All three sources are searched in said order and all possible keys are accumulated for the user attempting to login. When the OTP is extracted from the entered password the key is checked against all possible options. This results in a minor change to the .yubico/authorized_keys format. Its no longer 'user:id:id' but just 'id:id' or simply 'id'. No need for the username. The default system authfile is now /etc/yubico-pam.auth but can be overridden in the config file. 3) A new configuration option 'require' is available if you want to require all users to have a yubikey. If this is not set and a user doesn't have a yubikey id associated with their user id, the yubico-pam module will return success and pass control to the next pam module. 4) Extra checks against the given password/OTP are used to prevent segfaults due to bad memory accesses. Notes: This patch also contains the 64-bit changes also available in this forum I have tested all the features except LDAP but they should work. If you run into issues please post feedback and I'll try to fix them. http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates3.patch |
|
| Author: | network-marvels [ Wed Mar 18, 2009 11:29 am ] |
| Post subject: | Re: yubico-pam patch |
Thank you for updating the PAM module ! Yubico team will review the modifications and will integrate them with the next release of the official PAM Module. |
|
| Author: | fergus [ Wed Mar 18, 2009 2:32 pm ] |
| Post subject: | Re: yubico-pam patch |
I was also contacted by Simon via email. He had a few suggestions so I will try and update them today and send out a new patch. |
|
| Author: | fergus [ Sun Mar 22, 2009 3:12 pm ] |
| Post subject: | Re: yubico-pam patch |
Here is an updated patch. The pam command line options are back, but the names have changed to match the new configuration file. Any feedback would be appreciated. This also incorporates the new LDAP changes submitted by tpohl. http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch |
|
| Page 1 of 1 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|