Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

ykpamcfg(1) [debian man page]

ykpamcfg(1)						      General Commands Manual						       ykpamcfg(1)

NAME

       ykpamcfg - Manage user settings for the Yubico PAM module.

SYNOPSIS

       ykpamcfg [-1 | -2] [-A] [-v] [-h]

OPTIONS

       -1     use slot 1.  This is the default.

       -2     use slot 2.

       -A action
	      choose action to perform. See ACTIONS below.

       -v     enable verbose mode.

ACTIONS

       add_hmac_chalresp
	      The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found in YubiKeys starting with version 2.2 for offline authentica-
	      tion.  This action creates the initial state information with the C/R to be issued at the next logon.

	      The utility currently outputs the state information to a file in the current user's home directory (~/.yubico/challenge-123456 for a
	      YubiKey with serial number API readout enabled, and ~/.yubico/challenge for one without).

	      The  PAM module supports a system wide directory for these state files (in case the user's home directories are encrypted), but in a
	      system wide directory, the 'challenge' part should be replaced with the username. Example : /var/yubico/challenges/alice-123456.

	      To use the system-wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly.

EXAMPLE

       First, program a YubiKey for challenge response on Slot 2 :

	      $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
	       ...
	      Commit? (y/n) [n]: y
	      $

       Now, set the current user to require this YubiKey for logon :

	      $ ykpamcfg -2 -v
	       ...
	      Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'.
	      $

       Then, configure authentication with PAM for example like this (make a backup first) :

       /etc/pam.d/common-auth (from Ubuntu 10.10) :

	      auth required  pam_unix.so nullok_secure try_first_pass
	      auth [success=1 new_authtok_reqd=ok ignore=ignore default=die]   pam_yubico.so mode=challenge-response
	      auth requisite pam_deny.so
	      auth required  pam_permit.so
	      auth optional  pam_ecryptfs.so unwrap

BUGS

       Report ykpamcfg bugs in the issue tracker <http://code.google.com/p/yubico-pam/issues/list>

SEE ALSO

       The yubico-pam home page <http://code.google.com/p/yubico-pam/>

       YubiKeys can be obtained from Yubico <http://www.yubico.com/>.

yubico-pam							    March 2011							       ykpamcfg(1)

Check Out this Related Man Page

SYSTEM-AUTH-AC(5)						File Formats Manual						 SYSTEM-AUTH-AC(5)

NAME

       system-auth-ac,	password-auth-ac,  smartcard-auth-ac, fingerprint-auth-ac, postlogin-ac - Common configuration files for PAMified services
       written by authconfig(8)

SYNOPSIS

       /etc/pam.d/system-auth-ac

DESCRIPTION

       The purpose of this configuration file is to provide common configuration file  for  all  applications  and  service  daemons  calling  PAM
       library.

       The system-auth configuration file is included from all individual service configuration files with the help of the include directive. When
       authconfig(8) writes the system PAM configuration file it replaces the default system-auth file with a symlink pointing	to  system-auth-ac
       and writes the configuration to this file. The symlink is not changed on subsequent configuration changes even if it points elsewhere. This
       allows system administrators to override the configuration written by authconfig.

       The  authconfig	now  writes  the  authentication  modules  also  into  additional  PAM	configuration  files  /etc/pam.d/password-auth-ac,
       /etc/pam.d/smartcard-auth-ac, and /etc/pam.d/fingerprint-auth-ac.  These configuration files contain only modules which perform authentica-
       tion with the respective kinds of authentication tokens.  For example /etc/pam.d/smartcard-auth[-ac] will not contain pam_unix and pam_ldap
       modules and /etc/pam.d/password-auth[-ac] will not contain pam_pkcs11 and pam_fprintd modules.

       The  file  /etc/pam.d/postlogin-ac  contains  common services to be invoked after login. An example can be a module that encrypts an user's
       filesystem or user's keyring and is decrypted by his password.

       The PAM configuration files of services which are accessed by remote connections such as sshd or ftpd now include the  /etc/pam.d/password-
       auth configuration file instead of /etc/pam.d/system-auth.

EXAMPLE

       Configure  system  to  use  pam_tally2  for  configuration  of maximum number of failed logins. Also call pam_access to verify if access is
       allowed.

       Make system-auth symlink point to system-auth-local which contains:

       auth	       requisite       pam_access.so
       auth	       requisite       pam_tally2.so deny=3 lock_time=30 
					     unlock_time=3600
       auth	       include	       system-auth-ac
       account	       required        pam_tally2.so
       account	       include	       system-auth-ac
       password        include	       system-auth-ac
       session	       include	       system-auth-ac

BUGS

       None known.

SEE ALSO

       authconfig(8), authconfig-gtk(8), pam(8), system-auth(5)

Red Hat, Inc.							   2010 March 31						 SYSTEM-AUTH-AC(5)
Man Page