Yubico Forum
https://forum.yubico.com/

Offline PAM for the Yubikey
https://forum.yubico.com/viewtopic.php?f=8&t=159
Page 2 of 4

Author:  firnsy [ Wed Sep 03, 2008 4:51 am ]
Post subject:  Re: Offline PAM for the Yubikey

@Klaus
Sincere apologies for not fully comprehending your original question ... Take 2

Your question raised a very good point in that even with the AES key you also need to know your UID, which, if you don't have some tool to decode one of your Yubikey OTPs, becomes somewhat difficult. Thus I pushed out an update last night (1.0.1) which adds a simpler method for adding pre-existing Yubikeys to the database.

In order to add your Yubikey as of 1.0.1, you can now get away with just a generated OTP and the corresponding AESKEY. This would be invoked as:
Code:
ykpasswd -k secret -o OTP

Where the OTP is that generated by the Yubikey. You can also add the Yubikey, provided you have sufficient privileges, for an alternative user (e.g. joe.smith) by adding the "-u" flag as follows:
Code:
ykpasswd -u joe.smith -k secret -o OTP

Let me know how you go :)


@Simon
I too believe that these projects would be great merged under the same umbrella. I am keen to hear (read) thoughts on a way ahead to merge these two projects into an uber Yubikey PAM module.
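
What a tool that decodes an OTP with its AES key has to do to recover the UID, as an added example that is not part of the original post or of the pam_yubikey code. It assumes the standard Yubikey OTP layout (a modhex string whose last 32 characters are one AES-128 encrypted block) and the third-party `cryptography` package for the decryption step; the function names and the sample block are constructed for illustration.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # modhex alphabet, position = hex digit 0..f

def modhex_decode(s):
    """Translate a modhex string into raw bytes."""
    return bytes.fromhex("".join("%x" % MODHEX.index(c) for c in s.lower()))

def crc16(data):
    """CRC of the OTP block (ISO 13239: init 0xffff, reflected poly 0x8408)."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def parse_block(block):
    """Split a decrypted 16-byte block into fields and verify its CRC."""
    if len(block) != 16:
        raise ValueError("decrypted OTP block must be 16 bytes")
    counter, ts_low, ts_high, session_use, rnd, crc = struct.unpack("<HHBBHH", block[6:])
    # A block decrypted with the right key leaves the fixed residue 0xf0b8.
    return {"uid": block[:6].hex(), "counter": counter,
            "session_use": session_use, "crc_ok": crc16(block) == 0xF0B8}

def decode_otp(otp, aes_key_hex):
    """Return (public_id, fields) for one OTP and the key's AES key in hex."""
    # Assumption: the 'cryptography' package is installed (imported lazily here).
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    public_id, token = otp[:-32], otp[-32:]
    dec = Cipher(algorithms.AES(bytes.fromhex(aes_key_hex)), modes.ECB()).decryptor()
    block = dec.update(modhex_decode(token)) + dec.finalize()
    return public_id, parse_block(block)

def sample_block():
    """Constructed plaintext block (not from a real key) to exercise the parser."""
    body = bytes.fromhex("010203040506") + struct.pack("<HHBBH", 19, 0x1234, 0, 17, 0xBEEF)
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)
```

If `crc_ok` comes back false after decryption, the AES key does not belong to the key that produced the OTP and the UID field is meaningless.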

Author:  kseistrup [ Fri Sep 05, 2008 3:16 pm ]
Post subject:  Re: Offline PAM for the Yubikey

firnsy wrote:
In order to add your Yubikey as of 1.0.1, you can now get away with just a generated OTP and the corresponding AESKEY. This would be invoked as:
Code:
ykpasswd -k secret -o OTP
   […]
Let me know how you go :)

Thanks for your help. Everything works as expected now, and I have been able to use a YubiKey generated OTP for logging into a local, PAM controlled service. :)

Cheers,
Klaus

Author:  firnsy [ Mon Sep 08, 2008 2:13 am ]
Post subject:  Re: Offline PAM for the Yubikey

Excellent!

Version 1.0.2 will be released very soon which will ensure it will behave when stacked with other modules (identified by gorkab) along with some well needed cleaning up of the code :)

With the code base stabilising, future improvements will be focused towards the administration of the database, such as the updating and reprogramming of Yubikeys from a centralised tool.

If you have any features/improvements that you would like added then just let me know.

Author:  gorkab [ Tue Sep 23, 2008 9:39 pm ]
Post subject:  Re: Offline PAM for the Yubikey

I haven't had a chance to debug anything, but is anyone else having trouble using this PAM module in a stack with the gnome-screensaver?

This module works fine in GDM in a stack with the regular unix login as a second factor, it *should* be ok for the screensaver too, but it doesn't appear to be happy.

Author:  firnsy [ Wed Sep 24, 2008 2:02 am ]
Post subject:  Re: Offline PAM for the Yubikey

G'day gorkab,

I've been working on integrating a patch this week for that very thing, I have it all working and authenticating just nicely, but am just cleaning up some documentation supporting the fixes.

It will be released in the next 48 hours, and I'll update the post of changes.

Author:  gorkab [ Tue Oct 07, 2008 5:04 pm ]
Post subject:  Re: Offline PAM for the Yubikey

In case anyone is following along, this PAM module now works for unlocking screensaver modules.

Author:  bmorgenthaler [ Thu Jan 29, 2009 8:16 pm ]
Post subject:  Re: Offline PAM for the Yubikey

Using this for offline authentication to my laptop and loving it. I wanted to set it up to also lock my workstation when my Yubikey wasn't present, so I set that up. I wrote up a small how-to over in another section, here's the link: viewtopic.php?f=11&t=246

Author:  BIgV [ Thu Feb 12, 2009 4:27 pm ]
Post subject:  Re: Offline PAM for the Yubikey

The link for this project appears to be broken.

Author:  BIgV [ Thu Feb 12, 2009 6:17 pm ]
Post subject:  Re: Offline PAM for the Yubikey

I found the package for 1.0.4.

I installed the setup for kicking in the screensaver when unplugged and that worked fine. I just changed my /etc/pam.d/gnome-screensaver file to read:

@include common-auth
auth optional pam_gnome_keyring.so
auth sufficient pam_yubikey.so

I then changed my /etc/pam.d/gdm to be as follows:

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_gnome_keyring.so
auth sufficent pam_yubikey.so
@include common-account
session required pam_limits.so
@include common-session
session optional pam_gnome_keyring.so auto_start
@include common-password

and could not log in. I kept getting an invalid key.

I'm running Ubuntu 8.10. Any ideas?

Author:  firnsy [ Fri Feb 13, 2009 7:54 am ]
Post subject:  Re: Offline PAM for the Yubikey

I take it you're unable to log in from this point, however I use it for all services and not just gdm, or screensaver. I did this by placing

Code:
auth sufficient pam_yubikey.so


in /etc/pam.d/common-auth
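
A check to run over a service file like the ones quoted in this thread before logging out, as an added example that is not part of the original posts or of the pam_yubikey project. It flags rule lines whose module type or control flag is not one Linux-PAM defines and returns the order of the auth rules and includes; `lint_pam` is a hypothetical helper and the sample is the first lines of the gdm file quoted above.

```python
import re

TYPES = {"auth", "account", "password", "session"}
KEYWORDS = {"required", "requisite", "sufficient", "optional", "include", "substack"}

# First lines of the gdm file quoted in the thread, used as sample input.
GDM = """\
#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
@include common-auth
auth optional pam_gnome_keyring.so
auth sufficent pam_yubikey.so
@include common-account
session required pam_limits.so
"""

def lint_pam(text):
    """Return (findings, sequence) for the text of one /etc/pam.d file.

    findings: list of (line_no, message) for malformed rules.
    sequence: auth modules and @include directives in file order.
    """
    findings, sequence = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and the #%PAM header
        if not line:
            continue
        if line.startswith("@include"):       # Debian/Ubuntu include directive
            sequence.append(line)
            continue
        # type, then a keyword or a [value=action ...] control, then the module
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            findings.append((no, "incomplete rule"))
            continue
        mtype, control, module = m.group(1).lstrip("-"), m.group(2), m.group(3)
        if mtype not in TYPES:
            findings.append((no, "unknown module type %r" % mtype))
        if not control.startswith("[") and control not in KEYWORDS:
            findings.append((no, "unknown control flag %r" % control))
        if mtype == "auth":
            sequence.append(module)
    return findings, sequence
```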

All times are UTC + 1 hour