Showing
21 changed files
with
2,407 additions
and
4 deletions.
@@ -0,0 +1,39 @@ | ||
*.bak | ||
*.lo | ||
*.log | ||
*.o | ||
*.trs | ||
*~ | ||
.deps | ||
.libs | ||
ChangeLog | ||
INSTALL | ||
Makefile | ||
Makefile.in | ||
aclocal.m4 | ||
autom4te.cache/ | ||
build-aux/ar-lib | ||
build-aux/compile | ||
build-aux/config.guess | ||
build-aux/config.sub | ||
build-aux/depcomp | ||
build-aux/install-sh | ||
build-aux/ltmain.sh | ||
build-aux/missing | ||
build-aux/test-driver | ||
config.log | ||
config.status | ||
configure | ||
libtool | ||
libu2f-server-*.tar.xz* | ||
m4/libtool.m4 | ||
m4/ltoptions.m4 | ||
m4/ltsugar.m4 | ||
m4/ltversion.m4 | ||
m4/lt~obsolete.m4 | ||
tests/.deps/ | ||
tests/Makefile | ||
tests/Makefile.in | ||
tests/basic | ||
pam_u2f.la | ||
pam_u2f.8 |
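Review bot: The `libu2f-server-*.tar.xz*` pattern in this new .gitignore looks carried over from libu2f-server: nothing in this project produces that name, while the `release` target in Makefile.am signs and publishes `$(PACKAGE)-$(VERSION).tar.gz*`, which this file does not ignore, so a freshly built tarball and its `.sig` would show up as untracked and could be committed by accident. I'd replace that line with `pam-u2f-*.tar.gz*`.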
@@ -0,0 +1 @@ | ||
Alessio Di Mauro <alessio@yubico.com> |
@@ -0,0 +1,7 @@ | ||
Author: Yubico | ||
Basename: pam-u2f | ||
Homepage: https://developers.yubico.com/pam-u2f/ | ||
License: PAM | ||
Name: pam-u2f | ||
Project: pam-u2f | ||
Summary: Pluggable Authentication Module (PAM) Universal 2nd Factor (U2F) |
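Review bot: `License: PAM` does not name a license, and it disagrees with the rest of this commit: COPYING is a two-clause BSD text and the README states "The project is licensed under a BSD license". If this metadata file is what the website publish step in the `release` target consumes, the mismatch will be published as-is; I'd change it to `License: BSD-2-Clause` (or whichever wording the other Yubico project metadata files use).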
@@ -0,0 +1,26 @@ | ||
Copyright (c) 2014 Yubico AB | ||
All rights reserved. | ||
|
||
Redistribution and use in source and binary forms, with or without | ||
modification, are permitted provided that the following conditions are | ||
met: | ||
|
||
* Redistributions of source code must retain the above copyright | ||
notice, this list of conditions and the following disclaimer. | ||
|
||
* Redistributions in binary form must reproduce the above copyright | ||
notice, this list of conditions and the following disclaimer in the | ||
documentation and/or other materials provided with the | ||
distribution. | ||
|
||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS | ||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | ||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR | ||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT | ||
OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, | ||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT | ||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, | ||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY | ||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT | ||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE | ||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
@@ -0,0 +1,68 @@ | ||
# Copyright (C) 2014 Yubico AB - See COPYING | ||
|
||
SUBDIRS = . tests | ||
|
||
ACLOCAL_AMFLAGS = -I m4 | ||
|
||
AM_CFLAGS = $(WARN_CFLAGS) | ||
|
||
libdir = $(PAMDIR) | ||
|
||
lib_LTLIBRARIES = pam_u2f.la | ||
|
||
pam_u2f_la_SOURCES = pam-u2f.c | ||
pam_u2f_la_SOURCES += util.c util.h | ||
# XXX add -Wl,-x too? PAM documentation suggests it. | ||
pam_u2f_la_LIBADD = -lpam | ||
pam_u2f_la_LIBADD += $(LIBU2FHOST_LIBS) $(LIBU2FSERVER_LIBS) | ||
pam_u2f_la_LDFLAGS = -module -avoid-version | ||
|
||
DEFS = -DDEBUG_PAM -DPAM_DEBUG @DEFS@ | ||
|
||
dist_man8_MANS = pam_u2f.8 | ||
DISTCLEANFILES = $(dist_man8_MANS) | ||
|
||
MANSOURCES = pam_u2f.8.txt | ||
EXTRA_DIST = $(MANSOURCES) | ||
|
||
SUFFIXES = .1.txt .1 .8.txt .8 | ||
|
||
.8.txt.8: | ||
$(A2X) --format=manpage -a revdate="Version $(VERSION)" $< | ||
|
||
# Release | ||
|
||
indent: | ||
indent -kr -nut -i2 *.c *.h | ||
indent -kr -nut -i2 *.c *.h | ||
|
||
ChangeLog: | ||
cd $(srcdir) && git2cl > ChangeLog | ||
|
||
PROJECT = pam-u2f | ||
|
||
release: | ||
@if test -z "$(KEYID)"; then \ | ||
echo "Try this instead:"; \ | ||
echo " make release KEYID=[PGPKEYID]"; \ | ||
echo "For example:"; \ | ||
echo " make release KEYID=2117364A"; \ | ||
exit 1; \ | ||
fi | ||
@head -3 $(srcdir)/NEWS | grep -q "Version $(VERSION) .released `date -I`" || \ | ||
(echo 'error: Update date/version in $(srcdir)/NEWS.'; exit 1) | ||
@if test ! -d "$(YUBICO_WWW_REPO)"; then \ | ||
echo "WWW repo not found!"; \ | ||
echo "Make sure that YUBICO_WWW_REPO is set"; \ | ||
exit 1; \ | ||
fi | ||
rm -f ChangeLog | ||
make check-doc-dist ChangeLog distcheck | ||
gpg --detach-sign --default-key $(KEYID) $(PACKAGE)-$(VERSION).tar.gz | ||
gpg --verify $(PACKAGE)-$(VERSION).tar.gz.sig | ||
cd $(srcdir) && git push | ||
cd $(srcdir) && git tag -u $(KEYID) -m $(VERSION) $(VERSION) | ||
cd $(srcdir) && git push --tags | ||
$(YUBICO_GITHUB_REPO)/save-mans $(PROJECT) $(MANSOURCES) | ||
$(YUBICO_GITHUB_REPO)/publish $(PROJECT) $(VERSION) $(PACKAGE)-$(VERSION).tar.gz* | ||
|
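Review bot: `DEFS = -DDEBUG_PAM -DPAM_DEBUG @DEFS@` compiles the debug defines into every build of pam_u2f.so, including the tarball that the `release` target below signs and publishes, so there is no way to ship the module without whatever pam-u2f.c guards behind those macros (the sources are not in this hunk). If the sources include `<security/_pam_macros.h>`, defining PAM_DEBUG also turns Linux-PAM's `D()` macros into appends to the fixed path `/tmp/pam-debug.log` — a predictable-path write from root-running callers such as login or sudo, which is worth confirming before this becomes the default build. I would make it opt-in: `DEFS = @DEFS@` here, with an `--enable-debug` configure switch that adds the two defines, and rely on the runtime `debug` module option otherwise. Separately, the recipe line `make check-doc-dist ChangeLog distcheck` should be `$(MAKE) check-doc-dist ChangeLog distcheck` so that flags and the jobserver propagate to the sub-make.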
@@ -0,0 +1,7 @@ | ||
Copyright (c) 2014 Yubico AB - See COPYING | ||
|
||
pam-u2f NEWS -- History of user-visible changes. -*- outline -*- | ||
|
||
* Version 0.0.0 (unreleased) | ||
|
||
** Initial release. |
@@ -0,0 +1,193 @@ | ||
Pluggable Authentication Module (PAM) Universal 2nd Factor (U2F) | ||
================================================================ | ||
|
||
The PAM U2F module provides an easy way to integrate the Yubikey (or | ||
other U2F-compliant authenticators) into your existing user | ||
authentication infrastructure. PAM is used by GNU/Linux, Solaris and | ||
Mac OS X for user authentication. | ||
|
||
Introduction | ||
------------ | ||
|
||
This module implements PAM authentication over U2F. Registration should | ||
be performed using other tools. Multiple devices are supported, for | ||
details check the <<devices, Multiple Devices>> section. | ||
|
||
For more information visit the project page | ||
https://developers.yubico.com/pam-u2f/[pam-u2f project]. | ||
|
||
License | ||
------- | ||
|
||
The project is licensed under a BSD license. See the file COPYING for | ||
exact wording. For any copyright year range specified as YYYY-ZZZZ in | ||
this package note that the range specifies every single year in that | ||
closed interval. | ||
|
||
[[building]] | ||
Building | ||
-------- | ||
|
||
This project uses 'autoconf', 'automake' and 'libtool' to achieve | ||
portability and ease of use. If you downloaded a tarball, build it as | ||
follows. | ||
|
||
----------- | ||
$ ./configure | ||
$ make check | ||
----------- | ||
|
||
Both the Yubico U2F host and server libaries are needed | ||
https://developers.yubico.com/libu2f-host[libu2f-host] | ||
https://developers.yubico.com/libuwf-server[libu2f-server] | ||
|
||
Building from Git | ||
----------------- | ||
|
||
You may check out the sources using Git with the following command: | ||
|
||
----------- | ||
$ git clone git://github.com/Yubico/pam-u2f.git | ||
----------- | ||
|
||
This will create a directory 'pam-u2f'. Enter the directory: | ||
|
||
----------- | ||
$ cd pam-u2f | ||
----------- | ||
|
||
Autoconf, automake and libtool must be installed. AsciiDoc is used to | ||
generate the manpages. | ||
|
||
Debian: apt-get install autoconf automake libtool asciidoc | ||
|
||
Generate the build system using: | ||
|
||
----------- | ||
$ autoreconf --install | ||
----------- | ||
|
||
Then build as usual, see above under <<building,Building>>. | ||
|
||
Installation | ||
------------ | ||
|
||
Once the module is built copy the file +pam_u2f.so+ to the correct | ||
directory for your system. Typically +/lib/security/ or | ||
+/lib/x86_64-linux-gnu/security/+. | ||
|
||
Create a file for a new service in +/etc/pam.d/+ or edit an already | ||
existing one by adding a line similar to this: | ||
|
||
---- | ||
auth sufficient pam_u2f.so debug | ||
---- | ||
|
||
Supported parameters for the module are: | ||
|
||
[horizontal] | ||
debug:: | ||
Turns on debugging to STDOUT | ||
|
||
origin=origin:: | ||
Set the origin for the U2F authentication procedure. | ||
If no value is specified, the origin "http://localhost" is used. | ||
|
||
appid=appid:: | ||
Set the application ID for the U2F authentication procedure. | ||
If no value is specified, the same value used for origin is taken | ||
("http://localhost" if also origin is not specified). | ||
|
||
authfile=file:: | ||
Set the location of the file that holds the mappings of user names | ||
to keyHandles and user keys. The format is | ||
+username:first_keyHandle,first_public_key: | ||
second_keyHandle,second_public_key:...+ the default location of the | ||
file is $HOME/.yubico/u2f_keys | ||
(more on <<files,Authorization Mapping Files>>). | ||
|
||
alwaysok:: | ||
Set to enable all authentication attempts to succeed (aka presentation mode). | ||
|
||
max_devices=n_devices:: | ||
Maximum number of devices allowed per user (default is 24). Devices specified | ||
in the authentication file that exceed this value will be ignored. | ||
|
||
[[files]] | ||
Authorization Mapping Files | ||
--------------------------- | ||
A mapping must be made between the YubiKey token and the user name. | ||
There are two ways to do this, either centrally in one file, or | ||
individually, where users can create the mapping in their home directories. | ||
If the central authorization mapping file is being used, user home directory | ||
mappings will not be used and the opposite applies if user home directory | ||
mappings are being used, the central authorization mappings file will not | ||
be used. | ||
|
||
== Central authorization mapping | ||
Create a file e.g. `/etc/u2f_mappings`., The file must contain | ||
a user name, the number of registered Yubikeys and the information | ||
obtained during the registration procedure. | ||
|
||
The mappings should look like this, one per line: | ||
|
||
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:... | ||
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:... | ||
|
||
Now add `authfile=/etc/u2f_mappings` to your PAM configuration line, so it | ||
looks like: | ||
|
||
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings | ||
|
||
== Individual authorization mapping by user | ||
Each user creates a `~/.yubico/u2f_keys` file inside of their home | ||
directory and places the mapping in that file, the file must have only one | ||
line: | ||
|
||
<username>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:... | ||
|
||
This is much the same concept as the SSH authorized_keys file. | ||
|
||
Obtaining key-handles and public keys | ||
------------------------------------- | ||
|
||
In order to obtain the required information for the authentication procedure, | ||
a token should be first registered. This can be done by using the command line | ||
tools provided with libu2f-host and libu2f-server. For example the command: | ||
|
||
---- | ||
$ u2f-server -aregister -ohttp://localhost \ | ||
-ihttp://localhost -kkeyhandle.dat -puserkey.dat | ||
---- | ||
|
||
will produce two files with the required information. The content of | ||
the key-handle file can be used as it is since it is Base64 encoded. | ||
The content of the user key file must be first ASCII encoded. | ||
One way of doing so is by invoking the following command: | ||
|
||
---- | ||
$ xxd -p userkey.dat | ||
---- | ||
|
||
or | ||
|
||
---- | ||
$ hexdump -e '65/1 "%02x " "\n"' userkey.dat | ||
---- | ||
|
||
The output can then be copied into the authentication file. | ||
|
||
Multiple Devices | ||
---------------- | ||
|
||
Multiple devices are supported. If more than one device is specified, | ||
authentication against them is attempted sequentially as they are defined | ||
in the configuration file of the module. If during an authentication | ||
attempt a connected device is removed or a new device is plugged in, | ||
the authentication restarts from the top of the list. | ||
|
||
Portability | ||
----------- | ||
|
||
The main development platforms are Debian GNU/Linux and Ubuntu and they | ||
should be well supported. |
@@ -0,0 +1 @@ | ||
README |