From 430ca4375f31b47c001f2deb96c17f0f851eaa3b Mon Sep 17 00:00:00 2001
From: TimB87
Date: Tue, 11 Jun 2019 23:45:50 +0200
Subject: [PATCH] yubico-pam: initial commit
---
yubico-pam/.footprint | 13 +++++++++++++
yubico-pam/.signature | 5 +++++
yubico-pam/Pkgfile | 20 ++++++++++++++++++++
yubico-pam/README | 26 ++++++++++++++++++++++++++
4 files changed, 64 insertions(+)
create mode 100644 yubico-pam/.footprint
create mode 100644 yubico-pam/.signature
create mode 100644 yubico-pam/Pkgfile
create mode 100644 yubico-pam/README
diff --git a/yubico-pam/.footprint b/yubico-pam/.footprint
new file mode 100644
index 000000000..8aaf54e1f
--- /dev/null
+++ b/yubico-pam/.footprint
@@ -0,0 +1,13 @@
+drwxr-xr-x root/root lib/
+drwxr-xr-x root/root lib/security/
+-rwxr-xr-x root/root lib/security/pam_yubico.la
+-rwxr-xr-x root/root lib/security/pam_yubico.so
+drwxr-xr-x root/root usr/
+drwxr-xr-x root/root usr/bin/
+-rwxr-xr-x root/root usr/bin/ykpamcfg
+drwxr-xr-x root/root usr/share/
+drwxr-xr-x root/root usr/share/man/
+drwxr-xr-x root/root usr/share/man/man1/
+-rw-r--r-- root/root usr/share/man/man1/ykpamcfg.1.gz
+drwxr-xr-x root/root usr/share/man/man8/
+-rw-r--r-- root/root usr/share/man/man8/pam_yubico.8.gz
diff --git a/yubico-pam/.signature b/yubico-pam/.signature
new file mode 100644
index 000000000..a48b7800f
--- /dev/null
+++ b/yubico-pam/.signature
@@ -0,0 +1,5 @@
+untrusted comment: verify with /etc/ports/contrib.pub
+RWSagIOpLGJF38UO2fItiO895npoiUuU4L8UuimAuQoOJaTpxr3cYLJrMHZ9wOd9rZeH8NnmKsE4dHI5PGtRfrnYKrldfgRAzQI=
+SHA256 (Pkgfile) = b65a389015a8a6d7fdd3ee3b654e39213ea76ab49cf195415475e0bffe8de218
+SHA256 (.footprint) = c70062ef917bcc3bffeee3bcf9c3be84bbce30b133c599193a662c5eb6697cf6
+SHA256 (yubico-pam-2.26.tar.gz) = 5178fc083d12c9b26412adc80dab5d7ef463a689ef2e0143cb6f117732705dc7
diff --git a/yubico-pam/Pkgfile b/yubico-pam/Pkgfile
new file mode 100644
index 000000000..402e120a9
--- /dev/null
+++ b/yubico-pam/Pkgfile
@@ -0,0 +1,20 @@
+# Description: Yubico Pluggable Authentication Module (PAM)
+# URL: https://github.com/Yubico/yubico-pam
+# Maintainer: Tim Biermann, tbier at posteo dot de
+# Depends on: linux-pam json-c openldap yubikey-personalization
+
+name=yubico-pam
+version=2.26
+release=2
+source=(https://github.com/Yubico/yubico-pam/archive/$version/$name-$version.tar.gz)
+
+build() {
+ cd $name-$version
+ autoreconf -fi
+ ./configure --prefix=/usr \
+ --with-pam-dir=/lib/security \
+ --enable-coverage=no \
+ --disable-static
+ make
+ make DESTDIR=$PKG install
+}
diff --git a/yubico-pam/README b/yubico-pam/README
new file mode 100644
index 000000000..f0d223213
--- /dev/null
+++ b/yubico-pam/README
@@ -0,0 +1,26 @@
+Authenticating with HMAC-SHA1 Challenge-Response through linux-pam
+
+You need a pam aware userland (e.g. shadow for login, sudo, sshd, ..) and
+yubikey-personalization to succeed.
+We will write our key to the second slot, as the first slot comes with a
+higher secure level key which shouldn't be overwritten.
+
+Then proceed as follows:
+
+CHANGE {$USER} to your username!
+
+$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
+$ sudo mkdir /var/yubico
+$ sudo chown root:root /var/yubico
+$ sudo chmod 700 /var/yubico
+$ ykpamcfg -2 -v
+$ sudo mv ~/.yubico/challenge-123456 /var/yubico/{$USER}-123456
+$ sudo chown root:root /var/yubico/*
+$ sudo chmod 600 /var/yubico/*
+
+then, edit your relative pam files to contain this as the first auth paragraph:
+auth sufficient pam_yubico.so mode=challenge-response
+chalresp_path=/var/yubico
+
+This way ('sufficient'), you can still authenticate with your normal password, in case you
+brake your yubikey or you foobar'd.
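Review bot: The `source=` line in the Pkgfile hunk fetches GitHub's auto-generated archive for the tag, so the SHA256 recorded in `.signature` pins only what the packager downloaded and says nothing about upstream provenance; for a module that sits in the PAM authentication path, the port should record how that tarball was checked. If upstream publishes a signed release tarball (I believe it does, but this needs confirming), pointing `source=` at it would let the hash be compared against a maintainer signature and would presumably make `autoreconf -fi` unnecessary. If the archive URL stays, a comment above `build()` such as `# tag archive presumably ships no generated configure script, hence autoreconf` would explain the extra step. Separately, the footprint lists `lib/security/pam_yubico.la`; adding `rm $PKG/lib/security/pam_yubico.la` after `make DESTDIR=$PKG install` would leave only the loadable module in the PAM directory, with `.footprint` and `.signature` regenerated to match.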