NAME¶

SYNOPSIS¶

OPTIONS¶

-1

use slot 1. This is the default.

-2

use slot 2.

-A action

choose action to perform. See ACTIONS below.

-v

enable verbose mode.

 

ACTIONS¶

add_hmac_chalresp

The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found in YubiKeys starting with version 2.2 for offline authentication. This action creates the initial state information with the C/R to be issued at the next logon.

 

The utility currently outputs the state information to a file in the current user's home directory ( ~/.yubico/challenge-123456 for a YubiKey with serial number API readout enabled, and ~/.yubico/challenge for one without).

 

The PAM module supports a system wide directory for these state files (in case the user's home directories are encrypted), but in a system wide directory, the 'challenge' part should be replaced with the username. Example : /var/yubico/challenges/alice-123456.

 

To use the system-wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly.

 

EXAMPLE¶

$  ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
 ...
Commit? (y/n) [n]: y
$

$  ykpamcfg -2 -v
 ...
Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'.
$

auth	required	pam_unix.so nullok_secure try_first_pass
auth	[success=1 new_authtok_reqd=ok ignore=ignore default=die]	pam_yubico.so mode=challenge-response
auth	requisite	pam_deny.so
auth	required	pam_permit.so
auth	optional	pam_ecryptfs.so unwrap

BUGS¶

SEE ALSO¶