Yubico Forum https://forum.yubico.com/ |
|
yubico_pam: secure communication with authentication server https://forum.yubico.com/viewtopic.php?f=4&t=703 |
Page 1 of 1 |
Author: | PMouse [ Thu Aug 25, 2011 5:01 am ] |
Post subject: | yubico_pam: secure communication with authentication server |
I'm enjoying my Yubikey very much. Perhaps, too much. I'm trying to use it for just about everything and I'm having trouble with one aspect of the yubico_pam module: secure communication with the yubico authentication server. When specifying 'url=https://api.yubico.com/...' as shown in the documentation, a wide variety of errors result. Here is a short list: Error 101: ykclient could not parse server response SELinux error regarding NIS SELinux error regarding writing to key4.db I know, with OTP this isn't nearly as big a problem. But, I just cannot get over the idea that authentication traffic, whatever it's nature, is being sent in the clear. (1) Is this the right place for yubico_pam questions? (2) Is this a permanent problem that will always exist? Will there be a version of yubico_pam that is secure by default for all PAM services? It doesn't seem like this is actually possible. (2.5) If not, what is best we can hope for? (3) Should I create a local SELinux policy to allow these actions? Or, is it a rabbit hole? If I create a policy to allow write to key4.db, will another policy error pop up after that? Is it safe to allow SSHD to write to key4.db? I'd rather not enable any behavior globally. |
Author: | Simon [ Wed Sep 07, 2011 10:39 am ] |
Post subject: | Re: yubico_pam: secure communication with authentication ser |
PMouse wrote: I'm enjoying my Yubikey very much. Perhaps, too much. I'm trying to use it for just about everything and I'm having trouble with one aspect of the yubico_pam module: secure communication with the yubico authentication server. When specifying 'url=https://api.yubico.com/...' as shown in the documentation, a wide variety of errors result. Here is a short list: Error 101: ykclient could not parse server response SELinux error regarding NIS SELinux error regarding writing to key4.db I know, with OTP this isn't nearly as big a problem. But, I just cannot get over the idea that authentication traffic, whatever it's nature, is being sent in the clear. (1) Is this the right place for yubico_pam questions? (2) Is this a permanent problem that will always exist? Will there be a version of yubico_pam that is secure by default for all PAM services? It doesn't seem like this is actually possible. (2.5) If not, what is best we can hope for? (3) Should I create a local SELinux policy to allow these actions? Or, is it a rabbit hole? If I create a policy to allow write to key4.db, will another policy error pop up after that? Is it safe to allow SSHD to write to key4.db? I'd rather not enable any behavior globally. Yubico-PAM supports either HTTPS mode (as you were trying to use) or HMAC-based mode, where you supply a shared symmetric key with the id/key parameters. In the latter case, communication will still not be encrypted, but it will be integrity protected so you can be sure that you are getting the right answer. It sounds as if your issues are with SELinux and/or Curl being linked to NSS. Sounds like you are on some Fedora/RedHat system? I'm afraid that nobody has tried this combination, but we would appreciate if you figure out and followup this thread with instructions on how to get it working. HTTPS does work fine on Debian/Ubuntu systems, although I'm not sure it also works when SELinux is enabled. Good luck! /Simon |
Author: | PMouse [ Tue May 26, 2015 10:23 am ] |
Post subject: | Re: yubico_pam: secure communication with authentication ser |
I don't think this is an issue any more, but I did find that I could use HTTPS. I followed other documentation and examples I found on-line to configure pam_yubico. This module takes several parameters and I use all of the following parameters: id authfile key url Then, in the 'url' parameter, I just use 'https:' instead of http: protocol. I think that is all that is required. That's what I see now in my PAM configuration and it has been working since then. |
Page 1 of 1 | All times are UTC + 1 hour |
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |