Yubico Pluggable Authentication Module (PAM)


#summary Installation and configuration of the Yubico PAM module
#labels Featured,Phase-Deploy

= Yubico PAM module =

The Yubico PAM module provides an easy way to integrate the Yubikey
into your existing user authentication infrastructure.  PAM is used by
GNU/Linux, Solaris and Mac OS X for user authentication, and by other
specialized applications such as NCSA !MyProxy.

== Status and Roadmap ==

The module is working for multi-user systems.  It does not support
disconnected mode; for that, there is another Yubico PAM module that
uses the AES key.

The development community is co-ordinated via Google Code:

The license for pam_yubico is the 2-clause BSD license, which is
compatible with the Linux-PAM BSD/GPL license.  See the file COPYING
for more information.

== Building from SVN ==

Skip to the next section if you are using an official packaged

You may check out the sources using SVN with the following command:

  svn checkout yubico-pam

This will create a directory 'yubico-pam'.  Enter the directory:

  cd yubico-pam

Autoconf, automake and libtool must be installed.  For the
documentation, asciidoc and docbook are also required.

Generate the build system using:

  autoreconf --install

== Building ==

You will need to have libyubikey-client (libykclient.h, and libpam-dev (security/pam_appl.h,
installed.  Get the libyubikey-client library from:

The build system uses Autoconf.  To set up the build system, run:

Use --without-ldap to disable LDAP support.

Then build the code, run the self-test and install the binaries:

  make check install

The libyubikey-client library in turn requires Curl, which you need to
have installed.

== Configuration ==

Install it in your PAM setup by adding a line to an appropriate file
in /etc/pam.d/:

  auth sufficient id=16 debug

and move into /lib/security/:

  mv /usr/local/lib/security/ /lib/security/

For more information, see the project Wiki page.

Supported PAM module parameters are:

  "id":         to indicate your client identity,
  "debug":      to enable debug output to stdout,
  "alwaysok":   to make all authentication attempts succeed
                (aka presentation mode).

           Before prompting the user for their password, the module first
           tries the previous stacked module's password in case that satisfies
           this module as well.

           The argument use_first_pass forces the module to use a previous
           stacked module's password and never prompt the user; if no
           password is available or the password is not appropriate, the user
           will be denied access.

  "url":        specify the URL template to use; this is set by calling
                yubikey_client_set_url_template, which uses by default:
  "ldapserver": specify the LDAP server host (default LDAP port is used)
  "ldapdn":     specify the DN where the users are stored (e.g. ou=users,dc=domain,dc=com)
  "user_attr":  specify the attribute used to store usernames (e.g. cn)
  "yubi_attr":  specify the attribute used to store the Yubikey id

If you are using "debug" you may find it useful to create a
world-writable log file:

  touch /var/run/pam-debug.log 
  chmod go+w /var/run/pam-debug.log 
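
The following Python check is an added example, not part of the project's code. It reads PAM service-file lines and reports, for the Yubico module, the parameters from the list above that weaken or expose authentication ("alwaysok", "debug"), a missing "id", and parameters that are not in the list. The module file name pam_yubico.so, the function names and the sample lines are assumptions made for the example.

```python
import re

# Parameters listed on this page for the Yubico PAM module.
KNOWN = {"id", "debug", "alwaysok", "use_first_pass", "url",
         "ldapserver", "ldapdn", "user_attr", "yubi_attr"}
MODULE = "pam_yubico.so"  # assumption: file name of the installed module
# /etc/pam.d/ syntax: type control module-path [args]; control may be [..].
LINE_RE = re.compile(r"^-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def audit_pam_line(line):
    """Return findings for one PAM line; [] if it is not a Yubico line."""
    m = LINE_RE.match(line.split("#", 1)[0].strip())
    if not m or m.group(3).rsplit("/", 1)[-1] != MODULE:
        return []
    mod_type, control, args = m.group(1), m.group(2), m.group(4).split()
    names = [a.split("=", 1)[0] for a in args]
    findings = []
    if "alwaysok" in names:
        findings.append("alwaysok: every authentication attempt succeeds")
    if "debug" in names:
        findings.append("debug: debug output is enabled")
    if "id" not in names:
        findings.append("id: client identity is not set")
    findings += ["unknown parameter: " + n for n in names if n not in KNOWN]
    if mod_type == "auth" and control == "sufficient":
        findings.append("sufficient: success here skips later auth modules")
    return findings


def audit_pam_text(text):
    """Map 1-based line numbers to findings for a whole service file."""
    lines = enumerate(text.splitlines(), 1)
    found = ((no, audit_pam_line(line)) for no, line in lines)
    return {no: f for no, f in found if f}


# Constructed sample of an /etc/pam.d/ service file (not from the page).
SAMPLE = """\
# constructed example
auth sufficient pam_yubico.so id=16 debug
auth required /lib/security/pam_yubico.so id=16 alwaysok
auth required pam_unix.so try_first_pass
auth required pam_yubico.so id=16 use_first_pass
"""

if __name__ == "__main__":
    for no, found in audit_pam_text(SAMPLE).items():
        print(no, found)
```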

== Examples ==

If you want to use the Yubikey to authenticate you on Linux console
logins, add the following to the top of /etc/pam.d/login:

  auth sufficient id=16 debug

== Feedback ==

If you want to discuss anything related to the Yubico PAM module,
please contact Simon Josefsson <>.