yubikey and ldap user authentication with pam for radius server

Nick Owen nowen at wikidsystems.com
Thu Mar 20 02:03:15 UTC 2014


I'm not familiar with the yubikey libraries (as I work for a
competitor ;-), but why use them at all?  Don't you want to use
radius?  I'm fairly certain that yubikey supports it.

here's a tutorial on adding 2FA to pam using radius:
http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to
 or http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu
for ubuntu.

And here is one on having freeradius in the middle to perform
authorization in ldap and then proxy the cred to another server for
authentication.  our example is a WiKID server, but radius is radius
and it works well anywhere.

HTH,

Nick
ᐧ

On Wed, Mar 19, 2014 at 7:52 PM, Robert Pearce <r.pearce at gns.cri.nz> wrote:
> I'm really struggling to come up with a working /etc/pam.d/radius file
> which will work against yubikeys and ldap. This is for freeradius, which
> is configured solely to use pam for its authentication.
>
> I *thought* it should be nothing more than this:
>
> #%PAM-1.0
> auth requisite pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
> auth requisite pam_ldap.so use_first_pass config=/etc/pam_ldap.conf-radius
>
> i.e: check the yubi password, and then check the rest of the password
> against the ldap user. But it seems its more complicated as this does
> not work for me. I can see from the debugging output that it's trying
> the right parts of the password given against the right modules however.
> For now i'm not worrying about expired accounts or such (do i need an
> account requisite pam_permit.so maybe anyway ?)
>
> Been stuck on this for a good while now, unfortunately.
>
>
> Notice: This email and any attachments are confidential.
> If received in error please destroy and immediately notify us.
> Do not copy or disclose the contents.
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list



-- 
Nick Owen
WiKID Systems, Inc.
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
http://twitter.com/wikidsystems | #wikid on freenode,net




More information about the Pam-list mailing list