diff --git a/Makefile.am b/Makefile.am index d70e2a77..7e11e749 100644 --- a/Makefile.am +++ b/Makefile.am @@ -66,7 +66,7 @@ dist_man8_MANS = pam_yubico.8 DISTCLEANFILES = $(dist_man1_MANS) $(dist_man8_MANS) MANSOURCES = pam_yubico.8.txt ykpamcfg.1.txt -EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/Yubikey_and_Radius_via_PAM.adoc doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc doc/Yubikey_and_SSH_via_PAM.adoc +EXTRA_DIST = doc/Authentication_Using_Challenge-Response.adoc doc/MacOS_X_Challenge-Response.adoc doc/Two_Factor_PAM_Configuration.adoc doc/Ubuntu_FreeRadius_YubiKey.adoc doc/YubiKey_and_FreeRADIUS_1FA_via_PAM.adoc doc/YubiKey_and_FreeRADIUS_via_PAM.adoc doc/YubiKey_and_OpenVPN_via_PAM.adoc doc/YubiKey_and_Radius_via_PAM.adoc doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc doc/YubiKey_and_SSH_via_PAM.adoc EXTRA_DIST += $(MANSOURCES) EXTRA_DIST += tests/aux/ykval.pl tests/aux/ldap.pl tests/aux/authfile diff --git a/NEWS b/NEWS index 8d7e19eb..0af2e84e 100644 --- a/NEWS +++ b/NEWS @@ -268,7 +268,7 @@ forum.yubico.com. They work similar to other PAM modules, see README for more documentation. -Upgrade notice: If you are relying on getting the Yubikey OTP from an +Upgrade notice: If you are relying on getting the YubiKey OTP from an earlier PAM module, and no prompting by the pam_yubico module, you need to add "try_first_pass" to preserve the same behaviour. diff --git a/README b/README index bfb4a424..6b91c647 100644 --- a/README +++ b/README 
@@ -1,7 +1,7 @@ == Yubico PAM module image:https://travis-ci.org/Yubico/yubico-pam.svg?branch=master["Build Status", link="https://travis-ci.org/Yubico/yubico-pam"] -The Yubico PAM module provides an easy way to integrate the Yubikey +The Yubico PAM module provides an easy way to integrate the YubiKey into your existing user authentication infrastructure. PAM is used by GNU/Linux, Solaris and Mac OS X for user authentication, and by other specialized applications such as NCSA MyProxy. @@ -136,7 +136,7 @@ Supported PAM module parameters are: [horizontal] authfile:: To indicate the location of the file that holds the -mappings of Yubikey token IDs to user names. +mappings of YubiKey token IDs to user names. id:: Your API Client ID in the Yubico validation server. @@ -239,7 +239,7 @@ CA certifcate file for the LDAP connection. user_attr:: specify the LDAP attribute used to store user names (eg:cn). -yubi_attr:: specify the LDAP attribute used to store the Yubikey ID. +yubi_attr:: specify the LDAP attribute used to store the YubiKey ID. yubi_attr_prefix:: specify the prefix of the LDAP attribute's value, in case @@ -287,13 +287,13 @@ be used. === Central authorization mapping Create a `/etc/yubikey_mappings`, the file must contain a user name and the -Yubikey token ID separated by colons (same format as the passwd file) for -each user you want to allow onto the system using a Yubikey. +YubiKey token ID separated by colons (same format as the passwd file) for +each user you want to allow onto the system using a YubiKey. The mappings should look like this, one per line: - :::…. - :::…. + :::…. + :::…. Now add `authfile=/etc/yubikey_mappings` to your PAM configuration line, so it looks like: 
@@ -307,21 +307,21 @@ directory and places the mapping in that file, the file must have only one line: - :: + :: This is much the same concept as the SSH authorized_keys file. -Obtaining the Yubikey token ID (a.k.a. public ID) +Obtaining the YubiKey token ID (a.k.a. public ID) ------------------------------------------------- -You can obtain the Yubikey token ID in several ways. One is by +You can obtain the YubiKey token ID in several ways. One is by removing the last 32 characters of any OTP (One Time Password) -generated with your Yubikey. Another is by using the +generated with your YubiKey. Another is by using the http://demo.yubico.com/php-yubico/Modhex_Calculator.php[modhex calculator]. -Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 +Enter your YubiKey OTP and convert it, your YubiKey token ID is 12 characters and listed as: Modhex encoded: XXXXXXX @@ -348,7 +348,7 @@ information including the OTP and ID of your token to the shell -- copy the ID into your config file and you should be up and going. ------ -Yubikey for `youruser': +YubiKey for `youruser': [pam_yubico.c:pam_sm_authenticate(867)] conv returned 44 bytes [pam_yubico.c:pam_sm_authenticate(885)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32. [pam_yubico.c:pam_sm_authenticate(892)] OTP: ccccccclabcabkhbdncicglfltnukadfoifadfhhhhfe ID: cccccclabcab @@ -382,7 +382,7 @@ See Michael Ludvig's sample Active Directory schema extensions for YubiKey publi create file '/etc/pam.d/openvpn': - auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=yubiKeyId + auth required pam_yubico.so ldap_uri=ldap://contoso.com debug id=[Your API ID] yubi_attr=YubiKeyID ldapdn=DC=contoso,DC=com ldap_filter=(&(sAMAccountName=%u)(objectClass=user)(memberOf=CN=somegroup,DC=contoso,DC=com)) [ldap_bind_user=CN=binduser,OU=Service Accounts,DC=contoso,DC=com] ldap_bind_password=bind_password try_first_pass 
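Review bot: The -382 hunk's openvpn example changes `yubi_attr=yubiKeyId` to `yubi_attr=YubiKeyID`, which is an LDAP attribute name taken from the Active Directory schema extension the paragraph cites, not prose. LDAP attribute descriptions are matched case-insensitively, so the lookup itself still works, but the example no longer spells the identifier the way the referenced schema defines it, and readers copying it may assume the case is significant. I would keep the attribute name verbatim, `yubi_attr=yubiKeyId`, and apply the product-name capitalization only to running text. The other hunks in this file are prose-only and need nothing.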
diff --git a/doc/Authentication_Using_Challenge-Response.adoc b/doc/Authentication_Using_Challenge-Response.adoc index 24920769..487de5f2 100644 --- a/doc/Authentication_Using_Challenge-Response.adoc +++ b/doc/Authentication_Using_Challenge-Response.adoc @@ -188,5 +188,5 @@ and if there is no YubiKey in the machine it will look like this: [pam_yubico.c:parse_cfg(743)] chalresp_path=(null) [pam_yubico.c:pam_sm_authenticate(775)] get user returned: jas [pam_yubico.c:do_challenge_response(478)] Failed initializing YubiKey -[pam_yubico.c:do_challenge_response(640)] Yubikey core error: no yubikey present +[pam_yubico.c:do_challenge_response(640)] YubiKey core error: no YubiKey present ---- diff --git a/doc/Two_Factor_PAM_Configuration.adoc b/doc/Two_Factor_PAM_Configuration.adoc index 018b00e4..c0a14cf2 100644 --- a/doc/Two_Factor_PAM_Configuration.adoc +++ b/doc/Two_Factor_PAM_Configuration.adoc @@ -1,5 +1,5 @@ PAM configuration is somewhat complex, but a typical use-case is to -require both a password and Yubikey to allow access. This can be +require both a password and YubiKey to allow access. This can be achieved by a PAM configuration like this: ---- @@ -9,7 +9,7 @@ auth required pam_unix.so use_first_pass The first line makes pam_yubico check the OTP. Use either a per-user file called `~/.yubico/authorized_yubikeys`, or a system-wide file called -`/etc/yubikey_mappings` to specify which Yubikeys that can be used to log +`/etc/yubikey_mappings` to specify which YubiKeys that can be used to log in as specific users. See https://developers.yubico.com/yubico-pam[the README] for more information. 
@@ -27,8 +27,8 @@ unless you want those. For example, Debian contains a '@include common-auth' which would confuse the configuration. To log in, you now need to enter both your Unix password and enter an -OTP using your Yubikey. When prompted for the password, enter the Unix +OTP using your YubiKey. When prompted for the password, enter the Unix password first and then (without pressing enter) push the button on your -Yubikey. +YubiKey. If it doesn't work, enable debugging (see https://developers.yubico.com/yubico-pam[the README]) and try again. diff --git a/doc/Ubuntu_FreeRadius_YubiKey.adoc b/doc/Ubuntu_FreeRadius_YubiKey.adoc index ed806338..419eb043 100644 --- a/doc/Ubuntu_FreeRadius_YubiKey.adoc +++ b/doc/Ubuntu_FreeRadius_YubiKey.adoc @@ -231,7 +231,7 @@ PAM debug log: [pam_yubico.c:pam_sm_authenticate(452)] get user returned: alice [pam_yubico.c:pam_sm_authenticate(542)] conv returned: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef [pam_yubico.c:pam_sm_authenticate(558)] OTP: ccccccccltncdjjifceergtnukivgiujhgehgnkrfcef ID: ccccccccltnc -[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): Yubikey OTP was replayed (REPLAYED_OTP) +[pam_yubico.c:pam_sm_authenticate(583)] ykclient return value (2): YubiKey OTP was replayed (REPLAYED_OTP) [pam_yubico.c:pam_sm_authenticate(625)] done. [Authentication failure] ------ diff --git a/doc/Yubikey_and_Radius_via_PAM.adoc b/doc/YubiKey_and_Radius_via_PAM.adoc similarity index 100% rename from doc/Yubikey_and_Radius_via_PAM.adoc rename to doc/YubiKey_and_Radius_via_PAM.adoc diff --git a/doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc b/doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc similarity index 87% rename from doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc rename to doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc index ff3be7f1..aa2a7e05 100644 --- a/doc/Yubikey_and_SELinux_on_Fedora_18_and_up.adoc +++ b/doc/YubiKey_and_SELinux_on_Fedora_18_and_up.adoc 
@@ -1,8 +1,8 @@ -Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke Yubikey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled. +Starting with Fedora 17, SELinux prevents sshd to initiate connections to remote HTTP ports (80 and 443). In SELinux terms: sshd_t is not allowed to name_connect to http_port_t. This broke YubiKey authentication on a system with SELinux in enforcing mode, unless a custom SELinux policy was written and enabled. Based on a https://bugzilla.redhat.com/show_bug.cgi?id=841693[bugreport] in Red Hat Bugzilla, a boolean was added to the SELinux policy for Fedora 18 and up, that can be toggled to allow sshd (and some other SELinux types) to connect to remote HTTP ports. -To make a long story short, if you want to use a Yubikey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so: +To make a long story short, if you want to use a YubiKey on a system running Fedora 18 or higher (and probably RHEL7, eventually), you'll need to toggle the 'authlogin_yubikey' SELinux boolean, like so: setsebool -P authlogin_yubikey 1 diff --git a/doc/Yubikey_and_SSH_via_PAM.adoc b/doc/YubiKey_and_SSH_via_PAM.adoc similarity index 87% rename from doc/Yubikey_and_SSH_via_PAM.adoc rename to doc/YubiKey_and_SSH_via_PAM.adoc index 817751c7..dc49a824 100644 --- a/doc/Yubikey_and_SSH_via_PAM.adoc +++ b/doc/YubiKey_and_SSH_via_PAM.adoc 
@@ -1,7 +1,7 @@ == Introduction == The purpose of this document is to guide readers through the configuration -steps to use two factor authentication for SSH using Yubikey. This document +steps to use two factor authentication for SSH using YubiKey. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly for how PAM authentication mechanism is configured on a Linux platform. @@ -33,7 +33,7 @@ https://developers.yubico.com/yubico-pam/releases.html[here]. The Yubico PAM module support two factor authentication for SSH. The two factor authentication module verifies the user name and password -for the user and the One-Time Password (OTP) generated by Yubikey assigned +for the user and the One-Time Password (OTP) generated by YubiKey assigned to the user. 
@@ -53,24 +53,24 @@ done at administrative level or at individual user level. ==== Administrative Level ==== In Administrative level, system administrators hold right to configure the -user and yubikey token ID mapping. Administrators can achieve this by creating +user and YubiKey token ID mapping. Administrators can achieve this by creating a new file that contains information about the username and the corresponding -IDs of Yubikey(s) assigned. +IDs of YubiKey(s) assigned. This file contains user name that is allowed to connect to the system over SSH -and the token id of the Yubikey(s) assigned to that particular user. A user -can be assigned multiple Yubikeys and this multi key mapping is supported by +and the token id of the YubiKey(s) assigned to that particular user. A user +can be assigned multiple YubiKeys and this multi key mapping is supported by this file. However, presently there is no logic coded to detect or prevent use -of same Yubikey ID for multiple users. +of same YubiKey ID for multiple users. Each record in the file should begin on a new line. The parameters in each record are separated by `:` character similar to `/etc/passwd`. The contents of this file are as follows: - ::: …. + ::: …. - :::….. + :::….. e.g. @@ -96,7 +96,7 @@ using any ssh client, the PAM authentication interface will pass the control to Yubico PAM module. The Yubico PAM module first checks the presence of authfile argument in PAM configuration. If authfile argument is present, it parses the corresponding mapping file and verifies the username with corresponding -Yubikey token id as configured in the mapping file. If valid, the Yubico PAM +YubiKey token id as configured in the mapping file. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it reports failure. If authfile argument is present but the mapping file is not present at the provided path PAM module reports failure. After 
@@ -106,18 +106,18 @@ authentication server, a success code is returned. ==== User Level ==== -In User level, individual users have the ability to configure yubikey token +In User level, individual users have the ability to configure YubiKey token ID assigned to them. Users can achieve this by creating a new file `.yubico/authorized_yubikeys` inside their home directories that contains -information about the username and the corresponding IDs of Yubikey(s) assigned -to them. A user can be assigned multiple Yubikeys and the multi key mapping is +information about the username and the corresponding IDs of YubiKey(s) assigned +to them. A user can be assigned multiple YubiKeys and the multi key mapping is supported by this file. This file must contain only one record. The parameters in the record are separated by `:` character similar to `/etc/passwd`. The contents of this file are as shown below: - ::: …. + ::: …. e.g. @@ -138,7 +138,7 @@ Append the following line to the beginning of the `/etc/pam.d/sshd` file: After the above configuration changes, whenever a user connects to the server using any SSH client, the PAM authentication interface will pass the control to Yubico PAM module. The Yubico PAM module first verifies the username with -corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys` +corresponding YubiKey token id as configured in the `.yubico/authorized_yubikeys` file that present in the user's home directory who is trying to assess server through SSH. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it reports failure. After 
@@ -229,15 +229,15 @@ Try to login to server with SSH client as configured user: ------ $ ssh -l test localhost -Password: (enter 'pencil' and touch the ldvglinuddek yubikey) +Password: (enter 'pencil' and touch the ldvglinuddek YubiKey) ------ ------ $ ssh -l root localhost -Password: (enter 'secret' and touch the ldvglinuddek yubikey) +Password: (enter 'secret' and touch the ldvglinuddek YubiKey) ------ ------ $ ssh -l root localhost -Password: (enter 'secret' and touch the indvnvlcbdre yubikey) +Password: (enter 'secret' and touch the indvnvlcbdre YubiKey) ------ diff --git a/pam_yubico.8.txt b/pam_yubico.8.txt index b869c2ba..62950da0 100644 --- a/pam_yubico.8.txt +++ b/pam_yubico.8.txt @@ -24,7 +24,7 @@ File name to write debug to, the file must exist and be a regular file. Defaults Mode of operation, client for OTP validation and challenge-response for challenge-response validation. Defaults to client. *authfile*=_file_:: -Location of the file that holds the mappings of Yubikey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys. +Location of the file that holds the mappings of YubiKey token IDs to user names. The format is username:first_public_id:second_public_id:... Default location of the file is $HOME/.yubico/authorized_yubikeys. *id*=_id_:: Your API client identity for the validation server. @@ -78,7 +78,7 @@ The distinguished name (DN) where the users are stored (eg: ou=users,dc=domain,d The LDAP attribute used to store user names (eg:cn). *yubi_attr*=_attr_:: -The LDAP attribute used to store the Yubikey ID. +The LDAP attribute used to store the YubiKey ID. *yubi_attr_prefix*=_prefix_:: The prefix of the LDAP attribute's value, in case of a generic attribute, used to store several types of IDs. diff --git a/pam_yubico.c b/pam_yubico.c index d157b351..21625604 100644 --- a/pam_yubico.c +++ b/pam_yubico.c 
@@ -610,7 +610,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) goto out; } - errstr = "Error communicating with Yubikey, please check syslog or contact your system administrator"; + errstr = "Error communicating with YubiKey, please check syslog or contact your system administrator"; if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE, true, true, false, buf, sizeof(buf), &response_len)) { @@ -676,7 +676,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) goto restpriv_out; } - errstr = "Error updating Yubikey challenge, please check syslog or contact your system administrator"; + errstr = "Error updating YubiKey challenge, please check syslog or contact your system administrator"; if (! write_chalresp_state (f, &state)) goto out; if (fclose(f) < 0) { @@ -706,8 +706,8 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) syslog(LOG_ERR, "USB error: %s", yk_usb_strerror()); DBG("USB error: %s", yk_usb_strerror()); } else { - syslog(LOG_ERR, "Yubikey core error: %s", yk_strerror(yk_errno)); - DBG("Yubikey core error: %s", yk_strerror(yk_errno)); + syslog(LOG_ERR, "YubiKey core error: %s", yk_strerror(yk_errno)); + DBG("YubiKey core error: %s", yk_strerror(yk_errno)); } } @@ -1102,7 +1102,7 @@ pam_sm_authenticate (pam_handle_t * pamh, password_len = strlen (password); - /* In case the input was systempassword+YubiKeyOTP, we want to skip over + /* In case the input was systempassword+OTP, we want to skip over "systempassword" when copying the token_id and OTP to separate buffers */ if(password_len > cfg->token_id_length + TOKEN_OTP_LEN) { diff --git a/ykpamcfg.c b/ykpamcfg.c index 7f84a323..d2ad7b5c 100644 --- a/ykpamcfg.c +++ b/ykpamcfg.c 
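Review bot: The -610, -676 and -706 hunks change the text of user-facing and syslog messages (`Error communicating with YubiKey, ...`, `Error updating YubiKey challenge, ...`, `YubiKey core error: %s`), and the ykpamcfg.c hunk does the same for its stderr messages; syslog text is what log parsers and alerting rules for failed challenge-response attempts match on, so a capitalization-only change can silently break existing matches. Since these messages are part of the module's observable interface, I would record the changed message text in NEWS (the NEWS hunk in this commit only touches the upgrade notice) so operators know to update their rules. The -1102 hunk is comment-only and needs nothing. do_challenge_response and pam_sm_authenticate both begin and end outside these hunks.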
@@ -74,14 +74,14 @@ static void report_yk_error(void) { if (ykp_errno) - fprintf(stderr, "Yubikey personalization error: %s\n", + fprintf(stderr, "YubiKey personalization error: %s\n", ykp_strerror(ykp_errno)); if (yk_errno) { if (yk_errno == YK_EUSBERR) { fprintf(stderr, "USB error: %s\n", yk_usb_strerror()); } else { - fprintf(stderr, "Yubikey core error: %s\n", + fprintf(stderr, "YubiKey core error: %s\n", yk_strerror(yk_errno)); } }