yubikey and ldap user authentication with pam for radius server

Robert Pearce r.pearce at gns.cri.nz
Wed Apr 23 20:18:51 UTC 2014


On 20/03/14 15:03, Nick Owen wrote:
> I'm not familiar with the yubikey libraries (as I work for a
> competitor ;-), but why use them at all?  Don't you want to use
> radius?  I'm fairly certain that yubikey supports it.
> 
> Here's a tutorial on adding 2FA to pam using radius:
> http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to
>  or http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu
> for ubuntu.
> 
> And here is one on having freeradius in the middle to perform
> authorization in ldap and then proxy the cred to another server for
> authentication.  Our example is a WiKID server, but radius is radius
> and it works well anywhere.
> 
> HTH,

I think I may have explained badly. I'm not trying to make pam use
radius, I'm making radius use pam.

I'm setting up a radius server which cisco gear can utilise for their
vpn servers. I've backed radius against PAM, and pam is using yubikey
and ldap password as the two factors.

I've actually got this working now, with a pam file that looks like:

#%PAM-1.0
# First factor: YubiKey OTP, validated against the key list in the authfile
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
# Second factor: LDAP password, reusing the token already collected above
auth required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf-radius
auth optional pam_deny.so
# Account checks are done in LDAP with the same password
account required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf-radius
account optional pam_deny.so


This seems to work, but it requires the user's password and the yubikey
token be concatenated together as one single response, and I'd prefer a
two-step challenge and response process if possible. Do you know what I
might need to alter to make this so?

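The single-step stack in the post only works because the one response the RADIUS client sends is really two credentials glued together: the LDAP password followed by the YubiKey OTP. The script below is an added example, not code from the post or from pam_yubico, that parses that concatenated format and shows what the split depends on. It assumes a 44-character OTP (12-character public ID plus 32-character modhex token), a non-empty password part, and uses a constructed OTP value rather than a real key's output.

```python
"""Split a single-step '<password><YubiKey OTP>' response into its two factors.

Added example (not from the mailing-list post). Assumptions: a YubiKey OTP is
44 modhex characters (12-character public ID + 32-character token) and the
password part must be non-empty.
"""

MODHEX_ALPHABET = set("cbdefghijklnrtuv")  # the 16 characters a YubiKey emits
PUBLIC_ID_LEN = 12   # assumption: standard 12-character public ID
TOKEN_LEN = 32       # assumption: 32-character OTP body
OTP_LEN = PUBLIC_ID_LEN + TOKEN_LEN


def is_modhex(s: str) -> bool:
    """True if s is non-empty and every character is in the modhex alphabet."""
    return len(s) > 0 and all(ch in MODHEX_ALPHABET for ch in s)


def split_password_otp(response: str):
    """Return (password, otp) for a concatenated response.

    Returns None when the trailing 44 characters do not look like a YubiKey
    OTP, or when nothing would be left over for the password. The OTP is
    taken from the end because the password may itself contain modhex
    characters; only its length and position identify it.
    """
    if len(response) <= OTP_LEN:
        return None  # no full OTP present, or no characters left for a password
    password, otp = response[:-OTP_LEN], response[-OTP_LEN:]
    if not is_modhex(otp):
        return None  # trailing part is not an OTP; treat as a malformed response
    return password, otp


def public_id(otp: str) -> str:
    """The static public ID prefix that identifies which key produced the OTP."""
    return otp[:PUBLIC_ID_LEN]


# Constructed sample values (not real credentials and not a real key's output).
SAMPLE_PUBLIC_ID = "cccccccbcdef"
SAMPLE_OTP = SAMPLE_PUBLIC_ID + "lhelgrgueihlrteurdnjevkgkghbtcul"


if __name__ == "__main__":
    print(split_password_otp("hunter2" + SAMPLE_OTP))     # ('hunter2', <otp>)
    print(split_password_otp(SAMPLE_OTP))                 # None: password missing
    print(split_password_otp("hunter2" + "x" * OTP_LEN))  # None: not modhex
```

The split mirrors the step that has to happen before the second module runs: the OTP is peeled off the end of the single prompt and the remainder is what pam_ldap sees via use_first_pass. The two failure cases shown (no password left, trailing part not modhex) are exactly the inputs a one-prompt design cannot distinguish from a typo, which is one reason a two-step prompt is easier to troubleshoot.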
