ykpamcfg(1) - Linux man page
Name
ykpamcfg - Manage user settings for the Yubico PAM module.
Synopsis
ykpamcfg [-1 | -2] [-A] [-v] [-h]
Options
- -1
use slot 1. This is the default.
-2
use slot 2.
- -A action
- choose action to perform. See ACTIONS below.
- -v
enable verbose mode.
Actions
add_hmac_chalresp
- The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found in YubiKeys starting with version 2.2 for offline authentication. This action
creates the initial state information with the C/R to be issued at the next logon.
The utility currently outputs the state information to a file in the current user's home directory (~/.yubico/challenge-123456 for a YubiKey with serial number API readout enabled, and ~/.yubico/challenge for one without).
The PAM module supports a system wide directory for these state files (in case the user's home directories are encrypted), but in a system wide directory, the 'challenge' part should be replaced with the username. Example : /var/yubico/challenges/alice-123456.
To use the system-wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly.
Example
First, program a YubiKey for challenge response on Slot 2 :
- $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y
$ - Now, set the current user to require this YubiKey for logon :
- $ ykpamcfg -2 -v
...
Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'.
$ - Then, configure authentication with PAM for example like this (make a backup first) :
- /etc/pam.d/common-auth (from Ubuntu 10.10) :
- auth
required
pam_unix.so nullok_secure try_first_pass
auth
[success=1 new_authtok_reqd=ok ignore=ignore default=die]
pam_yubico.so mode=challenge-response
auth
requisite
pam_deny.so
auth
required
pam_permit.so
auth
optional
pam_ecryptfs.so unwrap
Bugs
Report ykpamcfg bugs in the issue tracker
See Also
The yubico-pam home page
YubiKeys can be obtained from Yubico.