pam_yubico(8)pam_yubico(8)NAMEpam_yubico - Module for YubiKey authentication
SYNOPSISpam_yubico [...]
DESCRIPTION
The module is for authentication of YubiKeys, either with online vali‐
dation of OTP, or offline validation with HMAC-SHA1 challenge-response.
OPTIONS
debug Turns on debugging to STDOUT
mode=[client|challenge-response]
Set the mode of operation, client for OTP validation and chal‐
lenge-response for challenge-response validation, client is the
default.
authfile=file
Set the location of the file that holds the mappings of Yubikey
token IDs to user names. The format is username:first_pub‐
lic_id:second_public_id:... default location of the file is
$HOME/.yubico/authorized_yubikeys.
id=id Set to your client identity.
key=key
Set to your client key in base64 format. The client key is also
known as API key, and provides integrity in the communication
between the client (you) and the validation server. If you want
to get one for use with the default YubiCloud service, visit
this URL: ⟨https://upgrade.yubico.com/getapikey/⟩
alwaysok
Set to enable all authentication attempts to succeed (aka pre‐
sentation mode).
try_first_pass
Before prompting the user for their password, the module first
tries the previous stacked module´s password in case that satis‐
fies this module as well.
use_first_pass
The argument use_first_pass forces the module to use a previous
stacked modules password and will never prompt the user - if no
password is available or the password is not appropriate, the
user will be denied access.
urllist=list
List of URL templates to be used. This is set by calling
ykclient_set_url_bases. The list should be in the format
⟨https://api1.example.com/wsapi/2.0/verify;https://
api2.example.com/wsapi/2.0/verify⟩
url=url
This option should not be used, please use the urllist option
instead. Set the URL template to use, this is set by calling
ykclient_set_url_template. The URL should be set in the format
⟨https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s⟩
capath=path
Specify the path where X509 certificates are stored. This is
required if 'https' or 'ldaps' are used in 'url' and 'ldap_uri'
respectively.
verbose_otp
This argument is used to show the OTP (One Time Password) when
it is entered, i.e. to enable terminal echo of entered charac‐
ters. You are advised to not use this, if you are using two
factor authentication because that will display your password on
the screen. This requires the service using the PAM module to
display custom fields. For example, OpenSSH requires you to
configure "ChallengeResponseAuthentication no".
ldap_uri=uri
Specify the LDAP server URI (e.g. ldap://localhost).
ldap_server=server
Specify the LDAP server host (default LDAP port is used). Dep‐
recated. Use ldap_uri instead.
ldapdn=dn
The dn where the users are stored (eg:
ou=users,dc=domain,dc=com).
user_attr=attr
The LDAP attribute used to store user names (eg:cn).
yubi_attr=attr
The LDAP attribute used to store the Yubikey id.
yubi_attr_prefix=prefix
The prefix of the LDAP attribute's value, in case of a generic
attribute, used to store several types of ids.
token_id_length=length
Length of ID prefixing the OTP (this is 12 if using the Yubi‐
Cloud).
EXAMPLES
auth sufficient pam_yubico.so id=16 debug
auth required pam_yubico.so mode=challenge-response
BUGS
Report yubico-pam bugs in the issue tracker ⟨https://github.com/Yubico/
yubico-pam/issues/⟩
SEE ALSO
The yubico-pam home page ⟨https://developers.yubico.com/yubico-pam/⟩
ykpamcfg(1), pam(7)
YubiKeys can be obtained from Yubico ⟨https://www.yubico.com/⟩.
yubico-pam October 2013 pam_yubico(8)
