Connect the YubiKey, then initialize YubiKey slot 2:
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y
Create the /var/yubico directory for the challenge file.
sudo mkdir /var/yubico
sudo chown root:root /var/yubico
sudo chmod 700 /var/yubico
ykpamcfg -2 -v
...
Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.
sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456
sudo chown root:root /var/yubico/xiaoxiaoleo-123456
sudo chmod 600 /var/yubico/xiaoxiaoleo-123456
Tip: xiaoxiaoleo is the login user name.
Add the PAM configuration before the first line of /etc/pam.d/login:
auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
Add the debug argument for debug information:
auth required pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico
Create the pam_yubico debug log file:
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
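The following audit script is an added example, not part of the original page: it checks a PAM service file for the pam_yubico line configured above (position, control flag, mode, chalresp_path, leftover debug) and checks the challenge directory's modes and owner. The function names and the sample file are constructed for illustration, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
flag() { echo "$1"; n=$((n + 1)); }   # print one finding and count it

# Audit a PAM service file (read from stdin) for the pam_yubico line set up
# above. Prints one finding per line; returns 0 only when nothing is flagged.
audit_yubico_pam() {
    n=0
    auth_lines=$(grep -E '^[[:space:]]*auth[[:space:]]' | tr -s ' \t' ' ' || true)
    first=$(printf '%s\n' "$auth_lines" | head -n 1)
    yubi=$(printf '%s\n' "$auth_lines" | grep 'pam_yubico\.so' | head -n 1)
    [ -n "$yubi" ] || { flag "MISSING: no auth line loads pam_yubico.so"; return 1; }
    [ "$first" = "$yubi" ] || flag "ORDER: pam_yubico.so is not the first auth line"
    ctl=$(printf '%s\n' "$yubi" | awk '{ print $2 }')
    case "$ctl" in required|requisite) ;;
        *) flag "CONTROL: '$ctl' is not required/requisite; confirm the check is mandatory" ;; esac
    case "$yubi " in *" mode=challenge-response "*) ;;
        *) flag "MODE: mode=challenge-response is missing" ;; esac
    case "$yubi " in *" chalresp_path=/"*) ;;
        *) flag "PATH: chalresp_path is unset, so state files are read from ~/.yubico" ;; esac
    case "$yubi " in *" debug "*)
        flag "DEBUG: debug is still on (the log file above is chmod go+w)" ;; esac
    [ "$n" -eq 0 ]
}

# Check the chalresp_path directory: directories 700, state files 600, all
# owned by the expected numeric uid (default 0 = root). Uses GNU stat.
audit_chalresp_dir() {
    dir=$1; uid=${2:-0}; n=0
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue
        if [ -d "$f" ]; then want=700; else want=600; fi
        got=$(stat -c '%a %u' "$f")
        [ "$got" = "$want $uid" ] || flag "PERMS: $f is '$got', expected '$want $uid'"
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: the page's debug line, placed after another auth line.
sample_pam_login() {
    cat <<'EOF'
#%PAM-1.0
auth       substack     system-auth
auth required pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico
account    required     pam_nologin.so
EOF
}

sample_pam_login | audit_yubico_pam || true   # prints the ORDER and DEBUG findings
```

On a real host, run `audit_yubico_pam < /etc/pam.d/login` and, as root, `audit_chalresp_dir /var/yubico`.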
SELinux ERROR:
[pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345 (No such file or directory)
Error communicating with Yubikey, please check syslog or contact your system administrator
[pam_yubico.c:display_error(425)] conv returned: '(null)'
[pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory
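Create the SELinux policy:
grep avc /var/log/audit/audit.log | audit2allow -M yubikey
module yubikey 1.0;

require {
    type var_t;
    type local_login_t;
    class file { getattr open read ioctl lock };
}

# Read-only access for login to files labelled var_t (the expansion of r_file_perms).
# checkmodule does not run m4, so the permission set is written out in full.
allow local_login_t var_t:file { getattr open read ioctl lock };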
Compile and install SELinux policy:
checkmodule -M -m -o yubikey.mod yubikey.te
semodule_package -o yubikey.pp -m yubikey.mod
semodule -i yubikey.pp