Yubico Forum


All times are UTC + 1 hour




 Post subject: yubico-pam patch
PostPosted: Mon Mar 16, 2009 10:30 pm 
Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
Can anyone help me get in touch with the maintainer of the yubico-pam module? I am working on some changes and would like to get them integrated into the official release. In the meantime, I'll post the patch against version 1.11 here for others to try and provide feedback.

These modifications change some of the assumptions made with the official code.

1) Only one option is valid on the pam module line: conf=somefile. This update assumes a default location of /etc/yubico-pam.conf but this can be overridden with the above argument. yubico-pam.conf is a simple configuration file with option=value entries. An example is provided with the patch.

2) Yubikey IDs are no longer looked up either in a system auth file or a user auth file but both. Three possible locations can contain Yubikey IDs: LDAP, user auth file, system auth file. All three sources are searched in said order and all possible keys are accumulated for the user attempting to log in. When the OTP is extracted from the entered password the key is checked against all possible options. This results in a minor change to the .yubico/authorized_keys format. It's no longer 'user:id:id' but just 'id:id' or simply 'id'. No need for the username. The default system authfile is now /etc/yubico-pam.auth but can be overridden in the config file.

3) A new configuration option 'require' is available if you want to require all users to have a yubikey. If this is not set and a user doesn't have a yubikey id associated with their user id, the yubico-pam module will return success and pass control to the next pam module.

4) Extra checks against the given password/OTP are used to prevent segfaults due to bad memory accesses.

Notes: This patch also contains the 64-bit changes available in this forum.

I have tested all the features except LDAP but they should work. If you run into issues please post feedback and I'll try to fix them.

http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates3.patch

_________________
richard
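
Points 2 to 4 of the post above, as an added C example that is not taken from the patch or from yubico-pam: IDs from several sources are accumulated, the `require` setting decides what happens when none are found, and the entered password is length-checked before the ID is read from it. The function names, the 12-character ID and the 44-character OTP length are assumptions made for the illustration, and the sample IDs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define ID_LEN  12   /* assumption: default public ID length */
#define OTP_LEN 44   /* assumption: public ID + 32-character token */
#define MAX_IDS 16

enum verdict { YK_SKIP, YK_DENY, YK_ID_MATCH };
static char ids[MAX_IDS][ID_LEN + 1];  /* IDs accumulated for this user */
static int n_ids;

/* Append the IDs on one 'id:id' line from any source; returns the total.
 * Entries that are not exactly ID_LEN characters are ignored. */
int collect_ids(const char *line)
{
    while (*line && n_ids < MAX_IDS) {
        size_t len = strcspn(line, ":\r\n");
        if (len == ID_LEN) {
            memcpy(ids[n_ids], line, ID_LEN);
            ids[n_ids++][ID_LEN] = '\0';
        }
        line += len;
        if (*line) line++;             /* step over the separator */
    }
    return n_ids;
}

/* pw is the entered password: optional prefix followed by the OTP. */
enum verdict check_login(const char *pw, int require)
{
    if (n_ids == 0)                    /* no key on record for this user */
        return require ? YK_DENY : YK_SKIP;
    size_t len = pw ? strlen(pw) : 0;
    if (len < OTP_LEN)                 /* cannot hold an OTP: never index it */
        return YK_DENY;
    const char *id = pw + (len - OTP_LEN);
    for (int i = 0; i < n_ids; i++)
        if (memcmp(id, ids[i], ID_LEN) == 0)
            return YK_ID_MATCH;        /* the OTP must still be validated */
    return YK_DENY;
}

int main(void)
{
    collect_ids("ccccccbchvth:ccccccdefghi\n");   /* constructed sample IDs */
    collect_ids("vvvvvvcurikv\n");
    printf("ids=%d short-input verdict=%d\n", n_ids, check_login("hunter2", 1));
    return 0;
}
```

With `require` unset, a user with no recorded ID gets `YK_SKIP` whatever was typed, which is the pass-through to the next PAM module that point 3 describes.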



 Post subject: Re: yubico-pam patch
PostPosted: Wed Mar 18, 2009 11:29 am 
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thank you for updating the PAM module!

Yubico team will review the modifications and will integrate them with the next release of the official PAM Module.


Last edited by network-marvels on Wed Mar 18, 2009 2:51 pm, edited 1 time in total.

 Post subject: Re: yubico-pam patch
PostPosted: Wed Mar 18, 2009 2:32 pm 
Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
I was also contacted by Simon via email. He had a few suggestions so I will try and update them today and send out a new patch.

_________________
richard


 Post subject: Re: yubico-pam patch
PostPosted: Sun Mar 22, 2009 3:12 pm 
Joined: Wed Feb 04, 2009 2:08 am
Posts: 16
Here is an updated patch. The pam command line options are back, but the names have changed to match the new configuration file. Any feedback would be appreciated.

This also incorporates the new LDAP changes submitted by tpohl.

http://yubico-squirrelmail-plugin.googlecode.com/files/yubico-pam-1.11-updates5.patch

_________________
richard

