PAM_YUBICO(8)              Yubico PAM Module Manual              PAM_YUBICO(8)



NAME
       pam_yubico - Module for YubiKey authentication

SYNOPSIS
       pam_yubico [...]

DESCRIPTION
       The module is for authentication of YubiKeys, either with online
       validation of OTP, or offline validation with HMAC-SHA1
       challenge-response.

OPTIONS
       debug
           Turns on debugging.

       debug_file=file
           File name to write debug output to; the file must exist and be a
           regular file. Defaults to stdout.

       mode=[client|challenge-response]
           Set the mode of operation: client for OTP validation and
           challenge-response for challenge-response validation. client is
           the default.

       authfile=file
           Set the location of the file that holds the mappings of YubiKey
           token IDs to user names. The format is
           username:first_public_id:second_public_id:... The default location
           of the file is $HOME/.yubico/authorized_yubikeys.

       id=id
           Set to your client identity.

       key=key
           Set to your client key in base64 format. The client key is also
           known as the API key, and provides integrity in the communication
           between the client (you) and the validation server. If you want to
           get one for use with the default YubiCloud service, please go to
           https://upgrade.yubico.com/getapikey/

       alwaysok
           Set to enable all authentication attempts to succeed (aka
           presentation mode).

       try_first_pass
           Before prompting the user for their password, the module first
           tries the previous stacked module's password in case that satisfies
           this module as well.

       use_first_pass
           The argument use_first_pass forces the module to use a previous
           stacked module's password and will never prompt the user; if no
           password is available or the password is not appropriate, the user
           will be denied access.

       nullok
           If set, don't fail when there are no tokens declared for the user
           in the authorization mapping files or in LDAP. This can be used to
           make YubiKey authentication optional unless the user has associated
           tokens.

       urllist=list
           List of URL templates to be used. This is set by calling
           ykclient_set_url_bases. The list should be in the format:
           https://api1.example.com/wsapi/2.0/verify;https://api2.example.com/wsapi/2.0/verify

       url=url
           This option should not be used; please use the urllist option
           instead. Set the URL template to use. This is set by calling
           ykclient_set_url_template. The URL should be set in the format
           https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s

       capath=path
           Specify the path where X.509 certificates are stored. This is
           required if https or ldaps are used in url and ldap_uri
           respectively.

       proxy=proxy
           Specify a proxy to connect to the validation server. Valid schemes
           are http://, https://, socks4://, socks4a://, socks5:// or
           socks5h://. socks5h asks the proxy to do the DNS resolving. If no
           scheme or port is specified, HTTP proxy port 1080 will be used.
           E.g. socks5h://user:pass@10.10.0.1:1080

       verbose_otp
           This argument is used to show the OTP (One Time Password) when it
           is entered, i.e. to enable terminal echo of entered characters. You
           are advised not to use this if you are using two-factor
           authentication, because that will display your password on the
           screen. This requires the service using the PAM module to display
           custom fields. This option can not be used with OpenSSH.

       ldap_uri=uri
           Specify the LDAP server URI (e.g. ldap://localhost).

       ldap_server=server
           Specify the LDAP server host (the default LDAP port is used).
           Deprecated. Use ldap_uri instead.

       ldapdn=dn
           The DN where the users are stored (e.g. ou=users,dc=domain,dc=com).
           If ldap_filter is used this is the base from which the subtree
           search will be performed.

       user_attr=attr
           The LDAP attribute used to store user names (e.g. cn).

       yubi_attr=attr
           The LDAP attribute used to store the YubiKey id.

       yubi_attr_prefix=prefix
           The prefix of the LDAP attribute's value, in case of a generic
           attribute used to store several types of ids.

       token_id_length=length
           Length of the ID prefixing the OTP (this is 12 if using the
           YubiCloud).

       ldap_bind_user=user
           The user to attempt an LDAP bind as.

       ldap_bind_password=password
           The password to use on LDAP bind.

       ldap_filter=filter
           An LDAP filter to use for attempting to find the correct object in
           LDAP. In this string %u will be replaced with the username.

       ldap_cacertfile=cacertfile
           CA certificate file for the LDAP connection.

       chalresp_path=path
           Path of a system-wide directory where challenge-response files can
           be found for users. The default location is $HOME/.yubico/

EXAMPLES
           auth sufficient pam_yubico.so id=16 debug

           auth required pam_yubico.so mode=challenge-response

           auth required pam_yubico.so id=16 ldap_uri=ldaps://ldap.example.com ldap_filter=(uid=%u) yubi_attr=yubiKeyId

FILES
       $HOME/.yubico/authorized_yubikeys
           If authfile is not set, this file is used for the mapping between
           YubiKey public id and user name in client mode.

       $HOME/.yubico/challenge, $HOME/.yubico/challenge-serial_number
           If chalresp_path is not set, these files are used to hold the next
           challenge and expected response for the user in challenge-response
           mode. If chalresp_path is set, the filename will be the username
           instead of challenge.

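As an added example, not part of this manual page or of pam_yubico itself, the following Python applies the authorized_yubikeys mapping format described under the authfile option and in FILES, together with the token_id_length and nullok rules, to an OTP. The modhex alphabet and the fixed 32-character OTP body after the public ID are assumptions taken from the YubiKey OTP format rather than from this page, and the sample file contents are constructed.

```python
# Added example (not pam_yubico's own code): apply the authfile mapping,
# token_id_length and nullok rules to an OTP.  This is only the user-to-token
# mapping step; the OTP itself must still be validated online.
from __future__ import annotations

# Constructed sample in the documented username:first_public_id:second_public_id:... format
SAMPLE_AUTHFILE = """\
alice:ccccccbchvth:cccccccbvlgh
bob:ccccccbtjgbe
carol
"""

MODHEX = set("cbdefghijklnrtuv")   # alphabet used by YubiKey OTPs (assumed)
OTP_BODY_LEN = 32                  # modhex chars after the public ID (assumed)


def parse_authfile(text: str) -> dict[str, list[str]]:
    """Return {username: [public_id, ...]}; a user listed with no IDs maps to []."""
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, []).extend(i for i in ids if i)
    return mapping


def token_id(otp: str, token_id_length: int = 12) -> str | None:
    """Public ID prefix of an OTP (12 chars for YubiCloud), or None if malformed."""
    otp = otp.strip().lower()
    if len(otp) != token_id_length + OTP_BODY_LEN or not set(otp) <= MODHEX:
        return None
    return otp[:token_id_length]


def is_authorized(user: str, otp: str, authfile: str,
                  token_id_length: int = 12, nullok: bool = False) -> str:
    """Mapping-step decision, following the option semantics in this manual."""
    ids = parse_authfile(authfile).get(user, [])
    if not ids:
        # nullok: no declared tokens means pass through instead of failing
        return "allow-nullok" if nullok else "deny-no-tokens"
    prefix = token_id(otp, token_id_length)
    if prefix is None:
        return "deny-malformed-otp"
    return "token-ok" if prefix in ids else "deny-token-not-mapped"
```

A "token-ok" result only means the OTP's public ID is mapped to that user; the validation server (or the challenge-response path) still decides whether the OTP itself is genuine and unused.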
BUGS
       Report yubico-pam bugs in the issue tracker:
       https://github.com/Yubico/yubico-pam/issues

SEE ALSO
       ykpamcfg(1), pam(7)

       The yubico-pam home page: https://developers.yubico.com/yubico-pam/

       YubiKeys can be obtained from Yubico: http://www.yubico.com/



yubico-pam                       Version 2.26                    PAM_YUBICO(8)