Skip to content
Switch branches/tags

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

 PAM Externalpass

   By Thomas Habets <>

This code is for the authenticator client. E.g. a server that is to be
logged into. Tested to work with FreeBSD, Linux and Solaris.

Clone git repo:
  git clone git://

Github page:

For the PAM module:
* libpam development libraries (in Debian: aptitude install libpam-dev)
* Working C compiler etc...

For the Yubikey authenticator script (
* python
* curl

1) run "./configure"
2) run "make"
3) run "make install" as root
4) If running Yubikey authentication against Yoracle, copy to a
   good place, like /usr/local/sbin, or use your own authenticator.

Put this *before* the pam_unix line in /etc/pam.d/ssh (or
/etc/pam.d/common-auth on debian for all login methods):
  auth sufficient /usr/local/lib/ \
           exec=/.../ \
           prompt=Yubikey:_ \

(on one line, and no backslashes. Solaris is more complicated, so improvise)

The optional 'userconf' parameter is used to check if there is even a
point to running the script. If the 'userconf' parameter is used then
that file must exist, or pam_externalpass will not even ask for a

Make sure your /etc/ssh/sshd_config (or equivalent) has:
  ChallengeResponseAuthentication yes
  UsePAM yes
... or at least not "no". You'll know this is wrong if you never get a Yubikey
prompt when you log in.

Local authentication using yoracle
If you want the server you log in to to run yoracle locally then have
pam_externalpass run directly using exec=. It's coded to
understand pam_externalpass.

  git clone

Config per-user (yubikey auth using the included
Put a list of keys and authservers in a users ~/.yubikeys. For example this
line would be to authenticate key xxxaaaxxxaaa agains
which is running a yoracle as an HTTPS server.:

(the key id is the first 12 characters of every token you generate)

The authenticator client currently only works with my yoracle
authenticator. I will add support for the official protocol when I get
around to it. It won't take long, but nobody (even I) have said that
they need it.

If you're using HTTPS, make sure the certificate chain is accepted by
the system. If it fails, try running:
  curl -v -s
That should show you any SSL issues you may have. When in doubt, try running
plain unencrypted HTTP.

If you don't have a signed domain (for example if it's self-signed),
edit and add "--cafile /path/to/your/ca.crt" to the curl cmd.

Thank you for adding support for dvorak to your yubikey apps. All my yubikey
stuff (including this code) has support for it.


Spawn external program from PAM to do authentication




No releases published


No packages published