GitHub - ThomasHabets/pam_externalpass: Spawn external program from PAM to do authentication

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 78 Commits
.be		.be
.gitignore		.gitignore
COPYING		COPYING
Makefile.am		Makefile.am
Makefile.in		Makefile.in
README		README
__init__.py		__init__.py
acinclude.m4		acinclude.m4
aclocal.m4		aclocal.m4
config.guess		config.guess
config.h.in		config.h.in
config.sub		config.sub
configure		configure
configure.ac		configure.ac
depcomp		depcomp
install-sh		install-sh
ltmain.sh		ltmain.sh
missing		missing
pam_externalpass.c		pam_externalpass.c
yubiauth.py		yubiauth.py

Repository files navigation

pam_externalpass/README

 PAM Externalpass

   By Thomas Habets <thomas@habets.pp.se>


Intro
=====
This code is for the authenticator client. E.g. a server that is to be
logged into. Tested to work with FreeBSD, Linux and Solaris.

Urls
====
Clone git repo:
  git clone git://github.com/ThomasHabets/pam_externalpass.git

Github page:
  http://github.com/ThomasHabets/pam_externalpass

Dependencies
============
For the PAM module:
* libpam development libraries (in Debian: aptitude install libpam-dev)
* Working C compiler etc...

For the Yubikey authenticator script (yubiauth.py):
* python
* curl


Installing
==========
1) run "./configure"
2) run "make"
3) run "make install" as root
4) If running Yubikey authentication against Yoracle, copy yubiauth.py to a
   good place, like /usr/local/sbin, or use your own authenticator.


Configuring
===========
Put this *before* the pam_unix line in /etc/pam.d/ssh (or
/etc/pam.d/common-auth on debian for all login methods):
  auth sufficient /usr/local/lib/libpam_externalpass.so \
           exec=/.../yubiauth.py \
           prompt=Yubikey:_ \
           userconf=%h/.yubikeys

(on one line, and no backslashes. Solaris is more complicated, so improvise)

The optional 'userconf' parameter is used to check if there is even a
point to running the script. If the 'userconf' parameter is used then
that file must exist, or pam_externalpass will not even ask for a
password.

Make sure your /etc/ssh/sshd_config (or equivalent) has:
  ChallengeResponseAuthentication yes
  UsePAM yes
... or at least not "no". You'll know this is wrong if you never get a Yubikey
prompt when you log in.


Local authentication using yoracle
----------------------------------
If you want the server you log in to to run yoracle locally then have
pam_externalpass run yoracle.py directly using exec=. It's coded to
understand pam_externalpass.

  git clone http://cvs.habets.pp.se/~marvin/git/yoracle.git


Config per-user (yubikey auth using the included yubiauth.py)
=============================================================
Put a list of keys and authservers in a users ~/.yubikeys. For example this
line would be to authenticate key xxxaaaxxxaaa agains authserver.example.com
which is running a yoracle as an HTTPS server.:
   xxxaaaxxxaaa https://authserver.example.com/auth/0/?token=%(token)s

(the key id is the first 12 characters of every token you generate)

The authenticator client currently only works with my yoracle
authenticator. I will add support for the official protocol when I get
around to it. It won't take long, but nobody (even I) have said that
they need it.

If you're using HTTPS, make sure the certificate chain is accepted by
the system. If it fails, try running:
  curl -v -s https://authserver.example.com
That should show you any SSL issues you may have. When in doubt, try running
plain unencrypted HTTP.

If you don't have a signed domain (for example if it's self-signed),
edit yubiauth.py and add "--cafile /path/to/your/ca.crt" to the curl cmd.


P.S.
====
Thank you for adding support for dvorak to your yubikey apps. All my yubikey
stuff (including this code) has support for it.