Re: PAM module for RHEL6

Simon Josefsson

Apr 3, 2011, 3:11:02 AM
to al...@davz.net, yubico...@googlegroups.com
"al...@davz.net" <al...@davz.net> writes:

> Hi Simon,
>
> I've bought a pack of 10 of these keys and am looking to use them with
> the PAM module. I've got it working fine on my RHEL5 boxes, but am
> unable to get it to work on RHEL6 - whether I checkout both the C
> library and pam module from git and build it locally, rebuild the RPMs
> that work on RHEL5 or force a RHEL5 RPM to install.
>
> I note that you are the poor sod with an email at the bottom of the
> README; do you have any suggestions?

Hi. We should probably change that to this list instead. :-)

Exactly what error message do you get? I don't recall any RHEL6 users,
but there certainly are Fedora/CentOS users out there. Which software
versions are you using? Is it a 64-bit system?

/Simon

Simon Josefsson

Apr 4, 2011, 3:36:12 AM
to al...@davz.net, yubico...@googlegroups.com
"al...@davz.net" <al...@davz.net> writes:

> Hi Simon,
>
> Thank you for your quick reply. I've done some more digging and
> discovered that the problem has to do with PAM and SSH - and a change
> RedHat have made. Previously, system-auth and system-auth-ac were
> symlinked, but now there is a file password-auth which is on first
> glance an exact copy of system-auth, but is not a link. I think the
> same thing happens on Fedora 14.
>
> Adding the yubikey line to this file fixed that problem; it may be
> worth adding this to the docs as more and more users adopt RHEL6.

Great!

The documentation (at least README) carefully avoids the problems of
pointing to a particular /etc/pam.d file because each OS uses their
own naming scheme. Thus today it just says:

Install it in your PAM setup by adding a line to an appropriate file
in /etc/pam.d/:

However maybe you got the wrong filename from some other documentation?
Do you recall which one?

> With the standard setting (both yubikey and unix sufficient), a user
> can authenticate either using their password or yubikey. If the
> intention was to require both (in the form [PIN/Password][YUBI OTP]), is
> that possible with this PAM module?

Yes -- on success yubico-pam removes the OTP from the PAM_AUTHTOK value,
so that only contains the password you entered. You can use any other
PAM module to verify this password, as long as you put it after the
yubico-pam module.

Hope this helps,
/Simon

> Cheers,
>
> Alex
>
>
> 64 bit systems, using RHEL6 beta.
>
> For the purpose of testing I have built a fresh and clean RHEL6 beta.
>
> Doing test #1, installing EPEL and then ykclient and then pam_yubico results in
>
> Whatever happens it seems that the PAM module is just not loaded - I
> don't get anything in the debug file in /var/run/ as I do on login
> attempt.
>
> Cheers,
>
> Alex
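
The failure discussed in this thread (the yubikey line sits in system-auth while sshd reads the separate password-auth file) can be checked by tracing which files a service's auth stack actually pulls in. The script below is an added example, not part of the original messages or the yubico-pam project; the function names and the tree built by `make_sample_tree` are constructed for illustration, and the sample assumes sshd includes password-auth as RHEL 6 does.

```bash
#!/usr/bin/env bash
# Trace a PAM service's auth stack and report which file loads a module.
PAM_SEEN=""

# Walk FILE in DIR, recording in PAM_SEEN every file reached through
# "auth include", "auth substack" or a Debian-style "@include" line.
_pam_walk() {
    local file=$1 dir=$2 type ctl arg rest
    case " $PAM_SEEN " in *" $file "*) return 0 ;; esac   # include-loop guard
    PAM_SEEN="$PAM_SEEN $file"
    [ -r "$dir/$file" ] || return 0
    while read -r type ctl arg rest; do
        case $type in '#'*|'') continue ;; -auth) type=auth ;; esac
        if [ "$type" = "@include" ]; then
            _pam_walk "$ctl" "$dir"
        elif [ "$type" = auth ] && { [ "$ctl" = include ] || [ "$ctl" = substack ]; }; then
            _pam_walk "$arg" "$dir"
        fi
    done < "$dir/$file"
    return 0
}

# pam_stack_has SERVICE MODULE [DIR]: print the first file in SERVICE's auth
# stack with an auth line naming MODULE; return 1 if the stack never loads it.
pam_stack_has() {
    local svc=$1 mod=$2 dir=${3:-/etc/pam.d} f
    PAM_SEEN=""
    _pam_walk "$svc" "$dir"
    for f in $PAM_SEEN; do
        [ -r "$dir/$f" ] || continue
        if grep -Eq "^[[:space:]]*-?auth[[:space:]].*$mod" "$dir/$f"; then
            echo "$f"; return 0
        fi
    done
    return 1
}

# Constructed sample tree (not a real host): system-auth is a symlink,
# password-auth is a separate file, and sshd includes password-auth.
make_sample_tree() {
    local d; d=$(mktemp -d)
    printf 'auth sufficient pam_yubico.so\nauth sufficient pam_unix.so\n' > "$d/system-auth-ac"
    ln -s system-auth-ac "$d/system-auth"
    printf 'auth sufficient pam_unix.so\n' > "$d/password-auth"
    printf '#%%PAM-1.0\nauth include password-auth\n' > "$d/sshd"
    printf 'auth include system-auth\n' > "$d/login"
    echo "$d"
}
```

On a real host, `pam_stack_has sshd pam_yubico.so` with no output and exit status 1 means sshd's auth stack never loads the module, which matches the symptom of an empty debug file.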
