yubico-pam: initial commit

yubico-pam/.footprint

@@ -0,0 +1,13 @@
+drwxr-xr-x	root/root	lib/
+drwxr-xr-x	root/root	lib/security/
+-rwxr-xr-x	root/root	lib/security/pam_yubico.la
+-rwxr-xr-x	root/root	lib/security/pam_yubico.so
+drwxr-xr-x	root/root	usr/
+drwxr-xr-x	root/root	usr/bin/
+-rwxr-xr-x	root/root	usr/bin/ykpamcfg
+drwxr-xr-x	root/root	usr/share/
+drwxr-xr-x	root/root	usr/share/man/
+drwxr-xr-x	root/root	usr/share/man/man1/
+-rw-r--r--	root/root	usr/share/man/man1/ykpamcfg.1.gz
+drwxr-xr-x	root/root	usr/share/man/man8/
+-rw-r--r--	root/root	usr/share/man/man8/pam_yubico.8.gz

yubico-pam/.signature

@@ -0,0 +1,5 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF38UO2fItiO895npoiUuU4L8UuimAuQoOJaTpxr3cYLJrMHZ9wOd9rZeH8NnmKsE4dHI5PGtRfrnYKrldfgRAzQI=
+SHA256 (Pkgfile) = b65a389015a8a6d7fdd3ee3b654e39213ea76ab49cf195415475e0bffe8de218
+SHA256 (.footprint) = c70062ef917bcc3bffeee3bcf9c3be84bbce30b133c599193a662c5eb6697cf6
+SHA256 (yubico-pam-2.26.tar.gz) = 5178fc083d12c9b26412adc80dab5d7ef463a689ef2e0143cb6f117732705dc7

yubico-pam/Pkgfile

@@ -0,0 +1,20 @@
+# Description: Yubico Pluggable Authentication Module (PAM)
+# URL: https://github.com/Yubico/yubico-pam
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: linux-pam json-c openldap yubikey-personalization
+
+name=yubico-pam
+version=2.26
+release=2
+source=(https://github.com/Yubico/yubico-pam/archive/$version/$name-$version.tar.gz)
+
+build() {
+  cd $name-$version
+  autoreconf -fi
+  ./configure --prefix=/usr \
+    --with-pam-dir=/lib/security \
+    --enable-coverage=no \
+    --disable-static
+  make
+  make DESTDIR=$PKG install
+}

yubico-pam/README

@@ -0,0 +1,26 @@
+Authenticating with HMAC-SHA1 Challenge-Response through linux-pam
+
+You need a pam aware userland (e.g. shadow for login, sudo, sshd, ..) and
+yubikey-personalization to succeed.
+We will write our key to the second slot, as the first slot comes with a
+higher secure level key which shouldn't be overwritten.
+
+Then proceed as follows:
+
+CHANGE {$USER} to your username!
+
+$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
+$ sudo mkdir /var/yubico
+$ sudo chown root:root /var/yubico
+$ sudo chmod 700 /var/yubico
+$ ykpamcfg -2 -v
+$ sudo mv ~/.yubico/challenge-123456 /var/yubico/{$USER}-123456
+$ sudo chown root:root /var/yubico/*
+$ sudo chmod 600 /var/yubico/*
+
+then, edit your relative pam files to contain this as the first auth paragraph:
+auth        sufficient    pam_yubico.so mode=challenge-response
+chalresp_path=/var/yubico
+
+This way ('sufficient'), you can still authenticate with your normal password, in case you
+brake your yubikey or you foobar'd.