ykpamcfg − Manage user settings for the Yubico PAM module
ykpamcfg [−1 | −2] [−A] [−p] [−i] [−v] [−V] [−h]
−1
Use slot 1. This is the default.
−2
Use slot 2.
−A action
Choose action to perform. See ACTIONS below.
−p path
Specify output file, default is ˜/.yubico/challenge.
−i iterations
Number of iterations to use for PBKDF2 of expected response.
−v
Enable verbose mode.
−V
Display version and exit.
−h
Display help and exit.
The PAM module can utilize the HMAC−SHA1 Challenge−response (C/R) mode found in YubiKeys starting with version 2.2 for offline authentication. This action creates the initial state information with the C/R to be issued at the next logon.
The utility currently outputs the state information to a file in the current user’s home directory (˜/.yubico/challenge−123456 for a YubiKey with serial number API readout enabled, and ˜/.yubico/challenge for one without).
The PAM module supports a system−wide directory for these state files (in case the user’s home directories are encrypted), but in a system−wide directory, the challenge part should be replaced with the username. Example: /var/yubico/challenges/alice−123456
To use the system−wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly.
First, program a YubiKey for challenge−response on slot 2:
$ ykpersonalize
−2 −ochal−resp −ochal−hmac
−ohmac−lt64
−oserial−api−visible
...
Commit? (y/n) [n]: y
Now, set the current user to require this YubiKey for logon:
$ ykpamcfg
−2 −v
...
Stored initial challenge and expected response in
'/home/alice/.yubico/challenge−123456'.
Then, configure authentication with PAM for example like this (make a backup first):
/etc/pam.d/common−auth (from Ubuntu 10.10):
auth required
pam_unix.so nullok_secure try_first_pass
auth [success=1 new_authtok_reqd=ok ignore=ignore
default=die] pam_yubico.so mode=challenge−response
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
Report ykpamcfg bugs in the issue tracker: https://github.com/Yubico/yubico−pam/issues
pam_yubico(8)
The yubico−pam home page: https://developers.yubico.com/yubico−pam/
YubiKeys can be obtained from Yubico: http://www.yubico.com/