I'm back configuring Yubikeys but this time on Solaris 10 as it is what the majority of our servers run.
Here are are the steps required to get it working on Solaris 10 update 6:
- Install curl
pkgadd SFWcurl - Configure libyubico-client
configure CPPFLAGS=-I/opt/sfw/include CFLAGS-std=c99 --prefix=/usr - Compile and install
gmake install - Configure pam_yubico
configure --prefix=/usr --without-ldap - Compile and install
gmake install - Setup a user to key mapping file (e.g.
/etc/yubikeys)
martin:ulbtvceblvrb
- Configure
/etc/pam.conf
other auth requisite pam_authtok_get.so.1 other auth required pam_unix_cred.so.1 other auth required pam_unix_auth.so.1 other auth required pam_yubico.so id=16 authfile=/etc/yubikeys ignorepass
Then a ssh login will look like this:
martin@workstation$ ssh server Password: Yubikey for `martin': martin@server$
You might have noticed the ignorepass option which I have added,
this is to prevent pam_yubico from trying to (re)use the password I typed,
nd instead force pam_yubico to prompt me for it.
I have sent
Simon
the diff so he can add it to the next release.
Thanks for the writeup!
Pam_yubico 1.14 has been released, and with it there is no need to patch it or specify the "ignorepass" keyword -- it works the way you want it to work by default.
Posted by Simon Josefsson on March 25, 2009 at 12:57 AM PDT #