PAM module and configuration utility to perform user authentication (1FA or 2FA) using a Vivokey or Yubikey OTP applet
License
Giraut/vivokey-pam
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
Vivokey PAM
-----------
v0.5.0
PAM module and configuration utility to perform user authentication (1FA or 2FA)
using a Vivokey or Yubikey OTP applet.
Installation
------------
Install the file as root:
install -m 755 vivokey_pam.py /usr/bin/
Optionally, you can also install this PAM module and configuration utility
from a pre-build Debian package:
sudo apt install vivokey-pam
Create an empty /etc/users.vivokey file owned by root, readable and writeable
only by root:
sudo touch /etc/users.vivokey
sudo chown root.root /etc/users.vivokey
sudo chmod 600 /etc/users.vivokey
This is very important because this file will contain all the users' OATH
passwords and secrets, so it should not be readable by unauthorized users.
It is also very important that this file be present and readable by root
*BEFORE* enabling the Vivokey PAM module, especially if it's configured for
2FA, as it will deny authentication to everyone and prevent everyone from
logging in if it can't read that file in that case.
PAM configuration
-----------------
PAM configurations and configuration methods vary from one Linux
distribution to the next. The examples below are just guidelines.
If your system uses libpam-runtime (i.e. you have a pam-auth-update utility
and config files /usr/share/pam-configs), you can configure Vivokey OTP
authentication as an alternative login method to the traditional Unix
password by adding a /usr/share/pam-config/vivokey-pam.config file
with the following content:
---8<---8<---8<---
Name: Vivokey OTP authentication (1FA: password or Vivokey)
Default: no
Priority: 128
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_exec.so quiet /usr/bin/vivokey_pam.py
Auth-Initial:
[success=end default=ignore] pam_exec.so quiet /usr/bin/vivokey_pam.py
---8<---8<---8<---
then running pam-auth-update and enabling Vivokey authentication.
Then for subsequent logins, you can either type your regular password or
present your Vivokey or Yubikey NFC transponder to the reader
(within 2 seconds).
Or, for example, if your system's PAM stack must be configured manually
and you want to use Vivokey authentication as a second factor, you could
define the following PAM sequence in /etc/pam.d/common-auth (your exact
configuration files and sequences may vary depending on your
particular system):
---8<---8<---8<---
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth [success=1 default=ignore] pam_exec.so quiet /usr/bin/vivokey_pam.py -au
auth requisite pam_deny.so
auth required pam_permit.so
---8<---8<---8<---
In this sequence, if the wrong Unix password is entered, the login fails on
the first pam_deny.so.
If the correct Unix password is entered, the first pam_deny.so is skipped,
then the vivokey_pam.py module waits for a successful read for 2 seconds.
If the Vivokey OTP authentication succeeds, the second pam_deny.so is skipped
and the login succeeds. If not, the login fails on the second pam_deny.so.
In this case, note the use of the -au flag: this tells vivokey_pam.py to let
users not listed in the /etc/users.vivokey "through" - instead of denying
them authentication by default. Without -au, users who don't have a Vivokey
OTP setup could not log in anymore. If it should be desirable that all the
users use a Vivokey or Yubikey NFC device to login, all of them should be
enrolled in /etc/users.vivokey and the -au should then be dropped.
If the wait is not long enough to present the Vivokey or Yubikey NFC device
to the reader, use -w <wait> or wait=<wait> as argument to vivokey_py to
orverride the default 2-second wait.
If the reader isn't recognized, use -r <name> or reader=<name> to specifiy
the name matching the reader.
When using vivokey_pam.py as a standalone utility, you may use -u <user>
or user=<user> to specify another user. By default, the current username
is used.
OATH account setup
------------------
Using vivokey_setup_account.py as root, for a given user, you can:
1/ Generate the QR code they need to create the account in the
Vivokey Authenticator or Yubikey Authenticator app. See:
https://play.google.com/store/apps/details?id=com.vivokey.vivoauth
2/ Save the account name, OATH password and OATH secret for this user in the
Vivokey PAM configuration file at /etc/users.vivokey. Those details are
used by the Vivokey PAM module to query the cryptographic hash for the
correct OATH account in the Vivokey or Yubikey NFC device and verify it
against the hash calculated locally using the stored secret
The QR code may be saved into a PNG image file using -o <file>. This image
may then be mailed to the user.
However, by default, the QR code is rendered directly on the terminal using
ASCII art. For example:
█████████████████████████████████████████
█████████████████████████████████████████
████ ▄▄▄▄▄ █▄█ █ █ █ ▀██▄▄▀█ ▄▄▄▄▄ ████
████ █ █ █▀ ▄▀ █▄█ ▄▄█ ▀ ▄█ █ █ ████
████ █▄▄▄█ █ █ ▄▀▀▀▄██▄▀█▄▀▀█ █▄▄▄█ ████
████▄▄▄▄▄▄▄█ ▀ ▀▄█ █▄▀ ▀ ▀ █ █▄▄▄▄▄▄▄████
████▄▀█▀▄█▄ ▄ ▀▄▄▄▀▄▀ ▀██ █ █▄▄▄▄ ▀▀ ████
████▀█▀▄▀▀▄ ▄█ ▄ ▄▄▀█▄▀ █▀▄ ▄ ▄▄█ █████
█████ ▀▀█ ▄ ▄▄ ▄▄▀█▄█▀▀▀▀▄▄ ▀ ▀█▄███████
████▀ ▄ ▀█▄ █ ▀▀ ▀▀▀█▄▀█▄██ ▄▀█▄ ▀████
████▄ ▀ ▄▀ ▀█▀▄█▀▄█▄▀█▄▀▄ ▄▀▄█ ▀▀████
██████▄█ █▄█▄█▀▄▀ █ █ ▀█ ▄ ▀▀▀▄ ▄█▄█████
████▀ █ ▀▀▄█▀ ▄█▀▄▄▀█▄ ▄▀▀▀▀█ ▄▄██ █████
██████▀█▀▄▄▀█ ▄▄ ██▄▀█ ▀▀▀ ███ ▀████
████▄▄█▄▄▄▄█ ▄█ █▄ ▄ ▀█▄ ▄▀ ▄▄▄ █ ▀████
████ ▄▄▄▄▄ █▄▀ ▄▄ ▄ ▄█▄▀▀█▀█ █▄█ ██ █████
████ █ █ █▄█▄ ▄▄▀█▄█▀▀▀▀▄▀▄ ▀ ▄████
████ █▄▄▄█ ██▄█▀█▀█ ▀ █▄▀█▀▄█ █ ████████
████▄▄▄▄▄▄▄█▄▄██▄▄▄█▄▄█▄▄▄▄▄▄▄▄▄██▄█▄████
█████████████████████████████████████████
This is convenient if the user is around while doing the setup - particularly
since they'll have to type in their OATH password if they have one set up in
their Vivokey or Yubikey NFC device.
But more importantly, it avoids saving the secret to a file and mailing it,
and having to ask the user to carefully delete the image file and email
after they're done setting up the account in the Vivokey Authenticator or
Yubikey Authenticator app.
By default, the account name is <username>@<hostname>. However, this may be
overridden and set to anything using -a <name>. Care should be taken that
the account name be unique in the Vivokey or Yubikey NFC device, as the PAM
module relies on it to be uniquely distinguishable from all other OATH
accounts stored on the device.
Use with cryptsetup
-------------------
When used as a standalone utility with the "gethash" command, vivokey_pam.py
may also be used with cryptsetup to access encrypted volumes with a
Vivokey or Yubikey NFC OTP token.
See README.cryptsetup for details.
---------------------------------------------------------
Bug reports? Questions? You can email me.
Run this command to get my email address:
C=base64\ -d;$C<<<Y205emEybHpRSEoxYm1KdmVDNWpiMjBLCg==|$C
---------------------------------------------------------
About
PAM module and configuration utility to perform user authentication (1FA or 2FA) using a Vivokey or Yubikey OTP applet
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published