PAM_YUBICO(8) Yubico PAM Module Manual PAM_YUBICO(8)

NAME
pam_yubico - Module for YubiKey authentication

SYNOPSIS
pam_yubico [...]

DESCRIPTION
The module is for authentication of YubiKeys, either with online
validation of OTP, or offline validation with HMAC-SHA1
challenge-response.

OPTIONS
debug
Turns on debugging.

debug_file=file
File name to write debug output to; the file must exist and be a
regular file. Defaults to stdout.

mode=[client|challenge-response]
Set the mode of operation: client for OTP validation and
challenge-response for challenge-response validation. client is the
default.

authfile=file
Set the location of the file that holds the mappings of YubiKey
token IDs to user names. The format is
username:first_public_id:second_public_id:... The default location
of the file is $HOME/.yubico/authorized_yubikeys.

id=id
Set to your client identity.

key=key
Set to your client key in base64 format. The client key is also
known as the API key, and provides integrity in the communication
between the client (you) and the validation server. If you want to
get one for use with the default YubiCloud service, please go to
https://upgrade.yubico.com/getapikey/

alwaysok
Set to make all authentication attempts succeed (aka
presentation mode).

try_first_pass
Before prompting the user for their password, the module first
tries the previous stacked module's password in case that satisfies
this module as well.

use_first_pass
The argument use_first_pass forces the module to use a previous
stacked module's password and will never prompt the user. If no
password is available or the password is not appropriate, the user
will be denied access.

nullok
If set, don't fail when there are no tokens declared for the user
in the authorization mapping files or in LDAP. This can be used to
make YubiKey authentication optional unless the user has associated
tokens.

urllist=list
List of URL templates to be used. This is set by calling
ykclient_set_url_bases. The list should be in the format:
https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify

url=url
This option should not be used; please use the urllist option
instead. Set the URL template to use; this is set by calling
ykclient_set_url_template. The URL should be set in the format
https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s
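The following is an added example, not code from yubico-pam, showing how the url/urllist templates above and the base64 key option fit together: a urllist is split on ';', a url template has its printf-style %d and %s filled in, and the request to the validation server is signed with the API key. The signature construction (HMAC-SHA1 over the alphabetically sorted key=value pairs, base64-encoded into an h parameter, with a client nonce) is the YubiCloud validation protocol v2.0 as I know it, not something this man page specifies; the hosts, client id and API key are constructed placeholders.

```python
# Added example, not code from yubico-pam. Builds the validation request
# URL from a url/urllist template and signs it with the base64 API key the
# "key" option carries. The signing scheme is the YubiCloud validation
# protocol v2.0 as I know it; the man page only says the key "provides
# integrity" between client and validation server.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The two formats quoted in the man page, with example.com hosts.
URL_TEMPLATE = "https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s"
URL_LIST = ("https://api1.example.com/wsapi/2.0/verify;"
            "https://api2.example.com/wsapi/2.0/verify")

# Constructed API key: base64 of twenty 0x0b bytes. Not a real key.
SAMPLE_API_KEY = base64.b64encode(b"\x0b" * 20).decode()


def split_urllist(urllist: str) -> list:
    """urllist is ';'-separated; empty entries are dropped."""
    return [u for u in urllist.split(";") if u]


def fill_url_template(template: str, client_id: int, otp: str) -> str:
    """The url template uses printf-style %d and %s, which Python's % honours."""
    return template % (client_id, otp)


def sign_params(api_key_b64: str, params: dict) -> str:
    """HMAC-SHA1 over 'k1=v1&k2=v2...' with keys sorted; 'h' itself is excluded."""
    key = base64.b64decode(api_key_b64)
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, message.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_url(base_url: str, client_id: int, otp: str,
                     api_key_b64: str, nonce: str = None) -> str:
    """Signed verify request: id, otp, a fresh nonce and the signature h."""
    params = {"id": str(client_id), "otp": otp,
              "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign_params(api_key_b64, params)
    return base_url + "?" + urlencode(params)


def signature_valid(url: str, api_key_b64: str) -> bool:
    """Recompute h from the query string and compare in constant time.
    This is the check either side can run to detect a tampered request."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    received = query.pop("h", "")
    return hmac.compare_digest(received, sign_params(api_key_b64, query))


if __name__ == "__main__":
    base = split_urllist(URL_LIST)[0]
    url = build_verify_url(base, 16, "cccccccccccc" + "k" * 32, SAMPLE_API_KEY)
    print(url, signature_valid(url, SAMPLE_API_KEY))
```

The point of the h parameter is that a change to the otp or id in transit no longer matches the signature, and a party without the API key cannot produce a valid one; the same construction is applied to the server's response so the client can check that too.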

capath=path
Specify the path where X509 certificates are stored. This is
required if https or ldaps are used in url and ldap_uri
respectively.

proxy=proxy
Specify a proxy to connect to the validation server. Valid schemes
are http://, https://, socks4://, socks4a://, socks5:// or
socks5h://. socks5h asks the proxy to do the DNS resolving. If no
scheme or port is specified, HTTP proxy port 1080 will be used. E.g.
socks5h://user:pass@10.10.0.1:1080

verbose_otp
This argument is used to show the OTP (One Time Password) when it
is entered, i.e. to enable terminal echo of entered characters. You
are advised not to use this if you are using two-factor
authentication, because that will display your password on the
screen. This requires the service using the PAM module to display
custom fields. This option can not be used with OpenSSH.

ldap_uri=uri
Specify the LDAP server URI (e.g. ldap://localhost).

ldap_server=server
Specify the LDAP server host (the default LDAP port is used).
Deprecated. Use ldap_uri instead.

ldapdn=dn
The DN where the users are stored (e.g. ou=users,dc=domain,dc=com).
If ldap_filter is used this is the base from which the subtree
search will be performed.

user_attr=attr
The LDAP attribute used to store user names (e.g. cn).

yubi_attr=attr
The LDAP attribute used to store the YubiKey id.

yubi_attr_prefix=prefix
The prefix of the LDAP attribute's value, in case of a generic
attribute used to store several types of ids.

token_id_length=length
Length of the ID prefixing the OTP (this is 12 if using the YubiCloud).
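The following is an added example, not code from yubico-pam, covering three options together: the authfile mapping format (username:first_public_id:second_public_id:...), token_id_length (the public ID is the first token_id_length characters of the OTP, 12 on the YubiCloud), and nullok (a user with no declared tokens is not failed when nullok is set). The sample mapping and its IDs are constructed placeholders, and treating '#' lines as comments is this example's own convention, not something the man page states.

```python
# Added example, not code from yubico-pam: parse an authorized_yubikeys
# mapping in the username:first_public_id:second_public_id:... format and
# decide what it says about a user and an OTP. The OTP's public ID is its
# first token_id_length characters (12 on the YubiCloud). Comment lines
# starting with '#' are an assumption of this example.
from typing import Dict, List, Optional

DEFAULT_TOKEN_ID_LENGTH = 12  # the token_id_length value for the YubiCloud

# Constructed sample mapping; the IDs are placeholders, not real YubiKey IDs.
SAMPLE_AUTHFILE = """\
# alice has two keys, bob one, carol a line but no tokens
alice:cccccccccccc:dddddddddddd
bob:eeeeeeeeeeee
carol:
"""


def parse_authfile(text: str) -> Dict[str, List[str]]:
    """Map each username to the list of public IDs declared for it."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        # a trailing ':' yields an empty field; keep only real IDs
        mapping.setdefault(user, []).extend(i for i in ids if i)
    return mapping


def public_id_from_otp(otp: str,
                       token_id_length: int = DEFAULT_TOKEN_ID_LENGTH) -> Optional[str]:
    """Return the public ID prefix, or None when nothing follows it."""
    if len(otp) <= token_id_length:
        return None
    return otp[:token_id_length]


def check_mapping(mapping: Dict[str, List[str]], user: str, otp: str,
                  token_id_length: int = DEFAULT_TOKEN_ID_LENGTH,
                  nullok: bool = False) -> str:
    """
    'ok'    the OTP's public ID is declared for the user
    'skip'  the user has no tokens declared and nullok is set, so the
            module does not fail (YubiKey auth is optional for that user)
    'deny'  anything else, including a user with no tokens when nullok is off
    """
    declared = mapping.get(user, [])
    if not declared:
        return "skip" if nullok else "deny"
    public_id = public_id_from_otp(otp, token_id_length)
    if public_id is not None and public_id in declared:
        return "ok"
    return "deny"


if __name__ == "__main__":
    m = parse_authfile(SAMPLE_AUTHFILE)
    for user in ("alice", "carol"):
        print(user, check_mapping(m, user, "dddddddddddd" + "k" * 32, nullok=True))
```

The mapping step only ties a key to an account; in client mode the OTP itself is still validated against the server. Both checks matter: without the mapping, a valid OTP from any YubiKey would satisfy the module for any user, and a wrong token_id_length makes every prefix fail to match, which this example reports as 'deny'.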
121
122 ldap_bind_user=user
123 The user to attempt a LDAP bind as.
124
125 ldap_bind_password=password
126 The password to use on LDAP bind.
127
128 ldap_filter=filter
129 An ldap filter to use for attempting to find the correct object in
130 LDAP. In this string %u will be replaced with the username.
131
132 ldap_cacertfile=cacertfile
133 Ca certfile for the LDAP connection.
134
135 chalresp_path=path
136 Path of a system wide directory where challenge response files can
137 be found for users. Default location is $HOME/.yubico/
138
140 auth sufficient pam_yubico.so id=16 debug
141
142 auth required pam_yubico.so mode=challenge-response
143
144 auth required pam_yubico.so id=16 ldap_uri=ldaps://ldap.example.com ldap_filter=(uid=%u) yubi_attr=yubiKeyId
145
147 $HOME/.yubico/authorized_yubikeys
148 If authfile is not set this file is used for the mapping between
149 YubiKey public id and in client mode.
150
151 $HOME/.yubico/challenge, $HOME/.yubico/challenge-serial_number
152 If chalresp_path is not set these files are used to hold next
153 challenge and expected response for the user in challenge-response
154 mode. If chalresp_path is set the filename will be username instead
155 of challenge.
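The following is an added example, not code from yubico-pam, of the offline flow the challenge files above support: the file holds the next challenge and the HMAC-SHA1 response expected for it, the module sends the challenge to the token, compares the answer, and on success rotates to a fresh challenge. The YubiKey is simulated in software, the challenge length and the on-disk layout (hex challenge and hex response separated by ':') are this example's own assumptions, and the real file format written by ykpamcfg(1) is not described on this page.

```python
# Added example, not code from yubico-pam: the offline HMAC-SHA1
# challenge-response flow behind the challenge files. The token is
# simulated; the on-disk format and CHALLENGE_LEN are this example's
# assumptions, not the module's.
import hashlib
import hmac
import secrets
from dataclasses import dataclass

CHALLENGE_LEN = 63  # assumption for this example


@dataclass
class ChalRespState:
    challenge: bytes  # sent to the token on the next authentication
    response: bytes   # HMAC-SHA1 the token is expected to return for it

    def to_line(self) -> str:
        """Constructed file layout: hex challenge ':' hex response."""
        return f"{self.challenge.hex()}:{self.response.hex()}"

    @classmethod
    def from_line(cls, line: str) -> "ChalRespState":
        c, r = line.strip().split(":")
        return cls(bytes.fromhex(c), bytes.fromhex(r))


class SimulatedYubiKey:
    """Stands in for the device: HMAC-SHA1 with a secret that never leaves it."""
    def __init__(self, secret: bytes):
        self._secret = secret

    def hmac_sha1(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def provision(token: SimulatedYubiKey) -> ChalRespState:
    """Initial setup: pick a random challenge and record the token's response."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    return ChalRespState(challenge, token.hmac_sha1(challenge))


def authenticate(state: ChalRespState, token: SimulatedYubiKey):
    """Return (success, new_state). On success the challenge is rotated, so
    the stored file never keeps a challenge whose response was already used."""
    got = token.hmac_sha1(state.challenge)
    if not hmac.compare_digest(got, state.response):
        return False, state
    return True, provision(token)


def demo(secret: bytes, other_secret: bytes) -> dict:
    """Provision, authenticate twice with the right token (reloading the state
    from its file line in between), then once with a different token."""
    token = SimulatedYubiKey(secret)
    state = provision(token)
    ok1, state2 = authenticate(state, token)
    ok2, state3 = authenticate(ChalRespState.from_line(state2.to_line()), token)
    bad, state4 = authenticate(state3, SimulatedYubiKey(other_secret))
    return {
        "first": ok1,
        "second": ok2,
        "rotated": state2.challenge != state.challenge,
        "old_response_reusable": state.response == state2.response,
        "wrong_token": bad,
        "state_kept_after_failure": state4 is state3,
    }


if __name__ == "__main__":
    print(demo(b"\x01" * 20, b"\x02" * 20))
```

Because the file stores the next challenge rather than a fixed one, a response observed during one login is useless afterwards; the state must be rewritten atomically after each success, and the file should be owned by the user and unreadable to others since it yields the expected response for the pending challenge.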

BUGS
Report yubico-pam bugs in the issue tracker:
https://github.com/Yubico/yubico-pam/issues

SEE ALSO
ykpamcfg(1), pam(7)

The yubico-pam home page: https://developers.yubico.com/yubico-pam/

YubiKeys can be obtained from Yubico: http://www.yubico.com/

yubico-pam Version 2.26 PAM_YUBICO(8)