Skip to content

Commit

Permalink
Merge branch 'pr-154'
Browse files Browse the repository at this point in the history
  • Loading branch information
klali committed May 3, 2018
2 parents e0ef089 + 320f487 commit fa3833b
Show file tree
Hide file tree
Showing 12 changed files with 51 additions and 51 deletions.
2 changes: 1 addition & 1 deletion Makefile.am
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8
DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS)

MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/Yubikey_and_Radius_via_PAM.adoc doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc doc/Yubikey_and_SSH_via_PAM.adoc
EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc
EXTRA_DIST += $(MANSOURCES)
EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile

Expand Down
2 changes: 1 addition & 1 deletion NEWS
Original file line number Diff line number Diff line change
Expand Up @@ -268,7 +268,7 @@ forum.yubico.com.
They work similar to other PAM modules, see README for more
documentation.

Upgrade notice: If you are relying on getting the Yubikey OTP from an
Upgrade notice: If you are relying on getting the YubiKey OTP from an
earlier PAM module, and no prompting by the pam_yubico module, you
need to add "try_first_pass" to preserve the same behaviour.

Expand Down
28 changes: 14 additions & 14 deletions README
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
== Yubico PAM module
image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"]

The Yubico PAM module provides an easy way to integrate the Yubikey
The Yubico PAM module provides an easy way to integrate the YubiKey
into your existing user authentication infrastructure. PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
specialized applications such as NCSA MyProxy.
Expand Down Expand Up @@ -136,7 +136,7 @@ Supported PAM module parameters are:
[horizontal]
authfile::
To indicate the location of the file that holds the
mappings of Yubikey token IDs to user names.
mappings of YubiKey token IDs to user names.

id::
Your API Client ID in the Yubico validation server.
Expand Down Expand Up @@ -239,7 +239,7 @@ CA certifcate file for the LDAP connection.

user_attr:: specify the LDAP attribute used to store user names (eg:cn).

yubi_attr:: specify the LDAP attribute used to store the Yubikey ID.
yubi_attr:: specify the LDAP attribute used to store the YubiKey ID.

yubi_attr_prefix::
specify the prefix of the LDAP attribute's value, in case
Expand Down Expand Up @@ -287,13 +287,13 @@ be used.

=== Central authorization mapping
Create a `/etc/yubikey_mappings`, the file must contain a user name and the
Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey.
YubiKey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a YubiKey.

The mappings should look like this, one per line:

<first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
<second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….
<first user name>:<YubiKey token ID1>:<YubiKey token ID2>:….
<second user name>:<YubiKey token ID3>:<YubiKey token ID4>:….

Now add `authfile=/etc/yubikey_mappings` to your PAM configuration line, so it
looks like:
Expand All @@ -307,21 +307,21 @@ directory and places the mapping in that file, the file must have only one
line:


<user name>:<Yubikey token ID1>:<Yubikey token ID2>
<user name>:<YubiKey token ID1>:<YubiKey token ID2>


This is much the same concept as the SSH authorized_keys file.


Obtaining the Yubikey token ID (a.k.a. public ID)
Obtaining the YubiKey token ID (a.k.a. public ID)
-------------------------------------------------

You can obtain the Yubikey token ID in several ways. One is by
You can obtain the YubiKey token ID in several ways. One is by
removing the last 32 characters of any OTP (One Time Password)
generated with your Yubikey. Another is by using the
generated with your YubiKey. Another is by using the
http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator].

Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
Enter your YubiKey OTP and convert it, your YubiKey token ID is 12
characters and listed as:

Modhex encoded: XXXXXXX
Expand All @@ -348,7 +348,7 @@ information including the OTP and ID of your token to the shell -- copy the ID
into your config file and you should be up and going.

------
Yubikey for `youruser':
YubiKey for `youruser':
[pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab
Expand Down Expand Up @@ -382,7 +382,7 @@ See Michael Ludvig's sample Active Directory schema extensions for YubiKey publi

create file '/etc/pam.d/openvpn':

auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=yubiKeyId
auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=YubiKeyID
ldapdn=DC=contoso,DC=com
ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com))
[ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com] ldap_bind_password=bind_password try_first_pass
Expand Down
2 changes: 1 addition & 1 deletion doc/Authentication_Using_Challenge-Response.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -188,5 +188,5 @@ and if there is no YubiKey in the machine it will look like this:
[pam_yubico.c:parse_cfg(743)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(775)] get user returned: jas
[pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey
[pam_yubico.c:do_challenge_response(640)] Yubikey core error: no yubikey present
[pam_yubico.c:do_challenge_response(640)] YubiKey core error: no YubiKey present
----
8 changes: 4 additions & 4 deletions doc/Two_Factor_PAM_Configuration.adoc
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
PAM configuration is somewhat complex, but a typical use-case is to
require both a password and Yubikey to allow access. This can be
require both a password and YubiKey to allow access. This can be
achieved by a PAM configuration like this:

----
Expand All @@ -9,7 +9,7 @@ auth required pam_unix.so use_first_pass

The first line makes pam_yubico check the OTP. Use either a per-user
file called `~/.yubico/authorized_yubikeys`, or a system-wide file called
`/etc/yubikey_mappings` to specify which Yubikeys that can be used to log
`/etc/yubikey_mappings` to specify which YubiKeys that can be used to log
in as specific users. See https://developers.yubico.com/yubico-pam[the README]
for more information.

Expand All @@ -27,8 +27,8 @@ unless you want those. For example, Debian contains a
'@include common-auth' which would confuse the configuration.

To log in, you now need to enter both your Unix password and enter an
OTP using your Yubikey. When prompted for the password, enter the Unix
OTP using your YubiKey. When prompted for the password, enter the Unix
password first and then (without pressing enter) push the button on your
Yubikey.
YubiKey.

If it doesn't work, enable debugging (see https://developers.yubico.com/yubico-pam[the README]) and try again.
2 changes: 1 addition & 1 deletion doc/Ubuntu_FreeRadius_YubiKey.adoc
Original file line number Diff line number Diff line change
Expand Up @@ -231,7 +231,7 @@ PAM debug log:
[pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice
[pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef
[pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): YubiKey OTP was replayed (REPLAYED_OTP)
[pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure]
------

Expand Down
File renamed without changes.
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke Yubikey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.
Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled.

Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports.

To make a long story short, if you want to use a Yubikey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so:
To make a long story short, if you want to use a YubiKey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so:

setsebool -P authlogin_yubikey 1

Expand Down
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
== Introduction ==

The purpose of this document is to guide readers through the configuration
steps to use two factor authentication for SSH using Yubikey. This document
steps to use two factor authentication for SSH using YubiKey. This document
assumes that the reader has advanced knowledge and experience in Linux
system administration, particularly for how PAM authentication mechanism is
configured on a Linux platform.
Expand Down Expand Up @@ -33,7 +33,7 @@ https://developers.yubico.com/yubico-pam/releases.html[here].

The Yubico PAM module support two factor authentication for SSH.
The two factor authentication module verifies the user name and password
for the user and the One-Time Password (OTP) generated by Yubikey assigned
for the user and the One-Time Password (OTP) generated by YubiKey assigned
to the user.


Expand All @@ -53,24 +53,24 @@ done at administrative level or at individual user level.
==== Administrative Level ====

In Administrative level, system administrators hold right to configure the
user and yubikey token ID mapping. Administrators can achieve this by creating
user and YubiKey token ID mapping. Administrators can achieve this by creating
a new file that contains information about the username and the corresponding
IDs of Yubikey(s) assigned.
IDs of YubiKey(s) assigned.

This file contains user name that is allowed to connect to the system over SSH
and the token id of the Yubikey(s) assigned to that particular user. A user
can be assigned multiple Yubikeys and this multi key mapping is supported by
and the token id of the YubiKey(s) assigned to that particular user. A user
can be assigned multiple YubiKeys and this multi key mapping is supported by
this file. However, presently there is no logic coded to detect or prevent use
of same Yubikey ID for multiple users.
of same YubiKey ID for multiple users.

Each record in the file should begin on a new line. The parameters in each
record are separated by `:` character similar to `/etc/passwd`.

The contents of this file are as follows:

<user name>:<yubikey token ID>:<yubikey token ID>: ….
<user name>:<YubiKey token ID>:<YubiKey token ID>: ….

<user name>:<yubikey token ID>:<yubikey token ID>:…..
<user name>:<YubiKey token ID>:<YubiKey token ID>:…..

e.g.

Expand All @@ -96,7 +96,7 @@ using any ssh client, the PAM authentication interface will pass the control to
Yubico PAM module. The Yubico PAM module first checks the presence of authfile
argument in PAM configuration. If authfile argument is present, it parses the
corresponding mapping file and verifies the username with corresponding
Yubikey token id as configured in the mapping file. If valid, the Yubico PAM
YubiKey token id as configured in the mapping file. If valid, the Yubico PAM
module extracts the OTP string and sends it to the Yubico authentication server
or else it reports failure. If authfile argument is present but the mapping
file is not present at the provided path PAM module reports failure. After
Expand All @@ -106,18 +106,18 @@ authentication server, a success code is returned.

==== User Level ====

In User level, individual users have the ability to configure yubikey token
In User level, individual users have the ability to configure YubiKey token
ID assigned to them. Users can achieve this by creating a new file
`.yubico/authorized_yubikeys` inside their home directories that contains
information about the username and the corresponding IDs of Yubikey(s) assigned
to them. A user can be assigned multiple Yubikeys and the multi key mapping is
information about the username and the corresponding IDs of YubiKey(s) assigned
to them. A user can be assigned multiple YubiKeys and the multi key mapping is
supported by this file.

This file must contain only one record. The parameters in the record are
separated by `:` character similar to `/etc/passwd`. The contents of this file
are as shown below:

<user name>:<yubikey token ID>:<yubikey token ID>: ….
<user name>:<YubiKey token ID>:<YubiKey token ID>: ….

e.g.

Expand All @@ -138,7 +138,7 @@ Append the following line to the beginning of the `/etc/pam.d/sshd` file:
After the above configuration changes, whenever a user connects to the server
using any SSH client, the PAM authentication interface will pass the control
to Yubico PAM module. The Yubico PAM module first verifies the username with
corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`
corresponding YubiKey token id as configured in the `.yubico/authorized_yubikeys`
file that present in the user's home directory who is trying to assess server
through SSH. If valid, the Yubico PAM module extracts the OTP string and sends
it to the Yubico authentication server or else it reports failure. After
Expand Down Expand Up @@ -229,15 +229,15 @@ Try to login to server with SSH client as configured user:

------
$ ssh -l test localhost
Password: (enter 'pencil' and touch the ldvglinuddek yubikey)
Password: (enter 'pencil' and touch the ldvglinuddek YubiKey)
------

------
$ ssh -l root localhost
Password: (enter 'secret' and touch the ldvglinuddek yubikey)
Password: (enter 'secret' and touch the ldvglinuddek YubiKey)
------

------
$ ssh -l root localhost
Password: (enter 'secret' and touch the indvnvlcbdre yubikey)
Password: (enter 'secret' and touch the indvnvlcbdre YubiKey)
------
4 changes: 2 additions & 2 deletions pam_yubico.8.txt
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ File name to write debug to, the file must exist and be a regular file. Defaults
Mode of operation, client for OTP validation and challenge-response for challenge-response validation. Defaults to client.

*authfile*=_file_::
Location of the file that holds the mappings of Yubikey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys.
Location of the file that holds the mappings of YubiKey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys.

*id*=_id_::
Your API client identity for the validation server.
Expand Down Expand Up @@ -78,7 +78,7 @@ The distinguished name (DN) where the users are stored (eg: ou=users,dc=domain,d
The LDAP attribute used to store user names (eg:cn).

*yubi_attr*=_attr_::
The LDAP attribute used to store the Yubikey ID.
The LDAP attribute used to store the YubiKey ID.

*yubi_attr_prefix*=_prefix_::
The prefix of the LDAP attribute's value, in case of a generic attribute, used to store several types of IDs.
Expand Down
10 changes: 5 additions & 5 deletions pam_yubico.c
Original file line number Diff line number Diff line change
Expand Up @@ -610,7 +610,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
goto out;
}

errstr = "Error communicating with Yubikey, please check syslog or contact your system administrator";
errstr = "Error communicating with YubiKey, please check syslog or contact your system administrator";
if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE,
true, true, false,
buf, sizeof(buf), &response_len)) {
Expand Down Expand Up @@ -676,7 +676,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
goto restpriv_out;
}

errstr = "Error updating Yubikey challenge, please check syslog or contact your system administrator";
errstr = "Error updating YubiKey challenge, please check syslog or contact your system administrator";
if (! write_chalresp_state (f, &state))
goto out;
if (fclose(f) < 0) {
Expand Down Expand Up @@ -706,8 +706,8 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username)
syslog(LOG_ERR, "USB error: %s", yk_usb_strerror());
DBG("USB error: %s", yk_usb_strerror());
} else {
syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno));
DBG("Yubikey core error: %s", yk_strerror(yk_errno));
syslog(LOG_ERR, "YubiKey core error: %s", yk_strerror(yk_errno));
DBG("YubiKey core error: %s", yk_strerror(yk_errno));
}
}

Expand Down Expand Up @@ -1102,7 +1102,7 @@ pam_sm_authenticate (pam_handle_t * pamh,

password_len = strlen (password);

/* In case the input was systempassword+YubiKeyOTP, we want to skip over
/* In case the input was systempassword+OTP, we want to skip over
"systempassword" when copying the token_id and OTP to separate buffers */
if(password_len > cfg->token_id_length + TOKEN_OTP_LEN)
{
Expand Down
4 changes: 2 additions & 2 deletions ykpamcfg.c
Original file line number Diff line number Diff line change
Expand Up @@ -74,14 +74,14 @@ static void
report_yk_error(void)
{
if (ykp_errno)
fprintf(stderr, "Yubikey personalization error: %s\n",
fprintf(stderr, "YubiKey personalization error: %s\n",
ykp_strerror(ykp_errno));
if (yk_errno) {
if (yk_errno == YK_EUSBERR) {
fprintf(stderr, "USB error: %s\n",
yk_usb_strerror());
} else {
fprintf(stderr, "Yubikey core error: %s\n",
fprintf(stderr, "YubiKey core error: %s\n",
yk_strerror(yk_errno));
}
}
Expand Down

0 comments on commit fa3833b

Please sign in to comment.