YKPAMCFG(1)                Yubico PAM Module Manual                YKPAMCFG(1)

NAME

       ykpamcfg - Manage user settings for the Yubico PAM module

SYNOPSIS

       ykpamcfg [-1 | -2] [-A action] [-p path] [-i iterations] [-v] [-V] [-h]

OPTIONS

       -1
           use slot 1. This is the default.

       -2
           use slot 2.

       -A action
           choose action to perform. See ACTIONS below.

       -p path
           specify output file. The default is ~/.yubico/challenge.

       -i iterations
           number of iterations to use for PBKDF2 of the expected response.

       -v
           enable verbose mode.

       -V
           display version and exit.

       -h
           display help and exit.

ACTIONS

   add_hmac_chalresp
       The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found
       in YubiKeys starting with version 2.2 for offline authentication. This
       action creates the initial state information with the C/R to be issued
       at the next logon.

       The utility currently outputs the state information to a file in the
       current user's home directory (~/.yubico/challenge-123456 for a YubiKey
       with serial number API readout enabled, and ~/.yubico/challenge for one
       without).

       The PAM module supports a system-wide directory for these state files
       (in case the users' home directories are encrypted), but in a
       system-wide directory, the "challenge" part of the file name should be
       replaced with the username. Example: /var/yubico/challenges/alice-123456.

       To use the system-wide mode, you currently have to move the generated
       state files manually and configure the PAM module accordingly.
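
       The rename described above ("challenge" replaced by the username), as
       shell functions. This is an added example, not part of yubico-pam; the
       function names and the 0700/0600 modes are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the yubico-pam distribution.
# Maps a state file written by ykpamcfg to its system-wide name:
#   challenge         -> alice
#   challenge-123456  -> alice-123456
# Typical use (as root; the paths are the ones used on this page):
#   install_state alice /home/alice/.yubico/challenge-123456 /var/yubico/challenges

# sys_state_name USER FILE : print the system-wide file name, or fail.
sys_state_name() {
    user=$1
    base=$(basename -- "$2")
    case $user in
        ''|*/*|.*) echo "invalid username: $user" >&2; return 1 ;;
    esac
    case $base in
        challenge) printf '%s\n' "$user" ;;
        challenge-*)
            serial=${base#challenge-}
            case $serial in
                ''|*[!0-9]*) echo "unexpected serial in $base" >&2; return 1 ;;
            esac
            printf '%s-%s\n' "$user" "$serial" ;;
        *) echo "not a ykpamcfg state file: $base" >&2; return 1 ;;
    esac
}

# install_state USER FILE DESTDIR : copy FILE into DESTDIR under its
# system-wide name and print the resulting path. The file holds the challenge
# and the expected response, so this example keeps it unreadable to other
# users (directory 0700, file 0600; these modes are an assumption).
install_state() {
    name=$(sys_state_name "$1" "$2") || return 1
    [ -f "$2" ] || { echo "no such file: $2" >&2; return 1; }
    mkdir -p -- "$3" || return 1
    chmod 700 -- "$3" || return 1
    install -m 600 -- "$2" "$3/$name" || return 1
    printf '%s\n' "$3/$name"
}
```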

EXAMPLES

       First, program a YubiKey for challenge-response on slot 2:

           $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
           ...
           Commit? (y/n) [n]: y

       Now, set the current user to require this YubiKey for logon:

           $ ykpamcfg -2 -v
           ...
           Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'.

       Then, configure authentication with PAM, for example like this (make a
       backup first):

       /etc/pam.d/common-auth (from Ubuntu 10.10):

           auth  required        pam_unix.so nullok_secure try_first_pass
           auth  [success=1 new_authtok_reqd=ok ignore=ignore default=die] pam_yubico.so mode=challenge-response
           auth  requisite       pam_deny.so
           auth  required        pam_permit.so
           auth  optional        pam_ecryptfs.so unwrap

BUGS

       Report ykpamcfg bugs in the issue tracker:
       https://github.com/Yubico/yubico-pam/issues

SEE ALSO

       pam_yubico(8)

       The yubico-pam home page: https://developers.yubico.com/yubico-pam/

       YubiKeys can be obtained from Yubico: http://www.yubico.com/

yubico-pam                       Version 2.25                      YKPAMCFG(1)