Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Contact Us
Online Help
Domain Status
Man Pages

Virtual Servers

Topology Map

Server Agreement
Year 2038

USA Flag



Man Pages
YKPAMCFG(1) Yubico PAM Module Manual YKPAMCFG(1)

ykpamcfg - Manage user settings for the Yubico PAM module

ykmapcfg [-1 | -2] [-A] [-p] [-i] [-v] [-V] [-h]

use slot 1. This is the default.
use slot 2.
-A action
choose action to perform. See ACTIONS below.
-p path
specify output file, default is ~/.yubico/challenge
-i iterations
number of iterations to use for pbkdf2 of expected response
enable verbose mode.
display version and exit
display help and exit

The PAM module can utilize the HMAC-SHA1 Challenge-Response mode found in YubiKeys starting with version 2.2 for offline authentication. This action creates the initial state information with the C/R to be issued at the next logon.
The utility currently outputs the state information to a file in the current user’s home directory ( ~/.yubico/challenge-123456 for a YubiKey with serial number API readout enabled, and ~/.yubico/challenge for one without).
The PAM module supports a system wide directory for these state files (in case the user’s home directories are encrypted), but in a system wide directory, the challenge part should be replaced with the username. Example : /var/yubico/challenges/alice-123456.
To use the system-wide mode, you currently have to move the generated state files manually and configure the PAM module accordingly.

First, program a YubiKey for challenge response on Slot 2 :
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
Commit? (y/n) [n]: y
Now, set the current user to require this YubiKey for logon :
$ ykpamcfg -2 -v
Stored initial challenge and expected response in '/home/alice/.yubico/challenge-123456'.
Then, configure authentication with PAM for example like this ( make a backup first) :
/etc/pam.d/common-auth (from Ubuntu 10.10) :
auth  required nullok_secure try_first_pass
auth  [success=1 new_authtok_reqd=ok ignore=ignore default=die] mode=challenge-response
auth  requisite
auth  required
auth  optional unwrap

Report ykpamcfg bugs in the issue tracker:

The yubico-pam home page:
YubiKeys can be obtained from Yubico:
Version 2.25 yubico-pam

Search for    or go to Top of page |  Section 1 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.