Spawn external program from PAM to do authentication
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.gitignore autotools files added May 13, 2009
config.guess autotools files added May 13, 2009 Check for pam library May 28, 2009
configure No more automatic spurious recreations of configure & friends Jun 1, 2009 No more automatic spurious recreations of configure & friends Jun 1, 2009
install-sh autotools files added May 13, 2009
pam_externalpass.c Revert "Change file exist check from access() to stat()" May 31, 2011 handle /dev/log being missing Sep 20, 2009



 PAM Externalpass

   By Thomas Habets <>

This code is for the authenticator client. E.g. a server that is to be
logged into. Tested to work with FreeBSD, Linux and Solaris.

Clone git repo:
  git clone git://

Github page:

For the PAM module:
* libpam development libraries (in Debian: aptitude install libpam-dev)
* Working C compiler etc...

For the Yubikey authenticator script (
* python
* curl

1) run "./configure"
2) run "make"
3) run "make install" as root
4) If running Yubikey authentication against Yoracle, copy to a
   good place, like /usr/local/sbin, or use your own authenticator.

Put this *before* the pam_unix line in /etc/pam.d/ssh (or
/etc/pam.d/common-auth on debian for all login methods):
  auth sufficient /usr/local/lib/ \
           exec=/.../ \
           prompt=Yubikey:_ \

(on one line, and no backslashes. Solaris is more complicated, so improvise)

The optional 'userconf' parameter is used to check if there is even a
point to running the script. If the 'userconf' parameter is used then
that file must exist, or pam_externalpass will not even ask for a

Make sure your /etc/ssh/sshd_config (or equivalent) has:
  ChallengeResponseAuthentication yes
  UsePAM yes
... or at least not "no". You'll know this is wrong if you never get a Yubikey
prompt when you log in.

Local authentication using yoracle
If you want the server you log in to to run yoracle locally then have
pam_externalpass run directly using exec=. It's coded to
understand pam_externalpass.

  git clone

Config per-user (yubikey auth using the included
Put a list of keys and authservers in a users ~/.yubikeys. For example this
line would be to authenticate key xxxaaaxxxaaa agains
which is running a yoracle as an HTTPS server.:

(the key id is the first 12 characters of every token you generate)

The authenticator client currently only works with my yoracle
authenticator. I will add support for the official protocol when I get
around to it. It won't take long, but nobody (even I) have said that
they need it.

If you're using HTTPS, make sure the certificate chain is accepted by
the system. If it fails, try running:
  curl -v -s
That should show you any SSL issues you may have. When in doubt, try running
plain unencrypted HTTP.

If you don't have a signed domain (for example if it's self-signed),
edit and add "--cafile /path/to/your/ca.crt" to the curl cmd.

Thank you for adding support for dvorak to your yubikey apps. All my yubikey
stuff (including this code) has support for it.