Authenticating with HMAC-SHA1 Challenge-Response through linux-pam

You need a PAM-aware userland (e.g. shadow for login, sudo, sshd, ...) and
yubikey-personalization to succeed.
We will write our key to the second slot, as the first slot comes with a
higher-security key which shouldn't be overwritten.

Then proceed as follows:

CHANGE {$USER} to your username!

$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
$ sudo mkdir /var/yubico
$ sudo chown root:root /var/yubico
$ sudo chmod 700 /var/yubico
$ ykpamcfg -2 -v
$ sudo mv ~/.yubico/challenge-123456 /var/yubico/{$USER}-123456
# /var/yubico is mode 700, so the glob has to be expanded by a root shell
$ sudo sh -c 'chown root:root /var/yubico/*'
$ sudo sh -c 'chmod 600 /var/yubico/*'

Then edit the relevant PAM files so that this is the first auth line
(it must be a single line):
auth sufficient pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

This way ('sufficient'), you can still authenticate with your normal password, in case you
break your YubiKey or you foobar'd.
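
A check of the finished setup, as an added example that is not part of the
original document: it verifies the directory and file permissions set above and
that the first auth line of a PAM file is the pam_yubico entry. The function
name and its arguments are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example, not from the original document.
# check_yubico_setup DIR PAM_FILE [UID:GID]
#   DIR       challenge directory (/var/yubico in the steps above)
#   PAM_FILE  PAM service file to inspect (which file is your choice)
#   UID:GID   expected numeric owner, default 0:0 (root:root)
# Assumes GNU stat (-c), as shipped on Linux.
check_yubico_setup() {
    dir=$1 pam=$2 owner=${3:-0:0} rc=0

    # Directory: mode 700 and owned by root, so other users cannot list it.
    if [ "$(stat -c '%a %u:%g' "$dir" 2>/dev/null)" != "700 $owner" ]; then
        echo "FAIL: $dir is not mode 700 owned by $owner" >&2; rc=1
    fi

    # Challenge files: mode 600, same owner. At least one must exist.
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        if [ "$(stat -c '%a %u:%g' "$f")" != "600 $owner" ]; then
            echo "FAIL: $f is not mode 600 owned by $owner" >&2; rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no challenge file in $dir" >&2; rc=1; }

    # PAM: the first auth line must be the pam_yubico entry with both options
    # on that same line (an option wrapped onto the next line is not part of it).
    awk -v want="chalresp_path=$dir" '
        $1 == "auth" {
            for (i = 4; i <= NF; i++) opt[$i] = 1
            ok = ($2 == "sufficient" && $3 ~ /(^|\/)pam_yubico\.so$/ &&
                  ("mode=challenge-response" in opt) && (want in opt))
            exit
        }
        END { exit !ok }' "$pam" 2>/dev/null ||
        { echo "FAIL: first auth line in $pam is not the pam_yubico entry" >&2; rc=1; }

    return $rc
}
```

Run it as root, since /var/yubico is unreadable to anyone else, for instance
as check_yubico_setup /var/yubico /etc/pam.d/sudo (that PAM file is only an example).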