Archive for the ‘Yubikey’ Category

YubiPAM-1.1 … Two years later and now two factor?!

Thursday, August 12th, 2010

Well the first beta of the next version of YubiPAM has finally come to fruition. It’s still in beta and will retain that moniker until I’m happy that it’s at least as stable as 1.0.4.

All round there has been a large number of bug fixes including seek issues when deleting users and an incomplete key used for encrypting ticket information.

The primary feature to be added has to be the inclusion of two factor authentication. It breaks the purpose of PAM by incorporating two mechanisms in a single module, but I think it’s worth it and it is in fact the most requested feature. So why not?

Download it, use it, abuse it and help make it better.

The YubiKing Award

Tuesday, March 10th, 2009

The YubiKing Award is to encourage innovation, creativity and entrepreneurship within the YubiKey developers’ community. So, if you’ve checked out our YubiPAM module and you liked what you saw, then please log in to the Yubico Wiki with your awesome little Yubikey and cast your vote for our YubiPAM module and any other projects that you deem worthy. But hurry, as voting closes Friday 13th March.

YubiPAM 1.0.4 – Working on Etch … Again

Friday, September 26th, 2008

With the significant additions and changes to YubiPAM recently, some things were broken on Debian Etch systems. This update fixes an issue where pam_syslog() is not uniformly available over all systems. I personally blame my relatively newb status on the automake toolset. We appreciate all the feedback to keep this project evolving.

Head to the project page for the new version.

YubiPAM 1.0.3 – A collaborative effort

Wednesday, September 24th, 2008

It’s encouraging to know that our YubiPAM authentication module is getting some air time for people. Even better is the positive feedback we get from those using it.

We recently received a patch from Geoff Hoff that extended its functionality across all services. It now follows the model of the pam_unix module allowing lesser privileged services such as gnome-screensaver to authenticate with the database.

As a result of this there are a few additional steps that must be carried out to get the install working, including setting up an additional “yubiauth” group and setting some permissions for the helper binary and the Yubikey database, so make sure you at least skim over the INSTALL file.

In addition, the default configuration will no longer echo the OTP in the clear; you must set the “verbose_otp” flag to enable echoing of the OTP. You wouldn’t think it adds a lot of additional security considering a One Time Password is only used … well … once. However, it does align with better security practices.

I’ll keep using the “verbose_otp” flag ;)

In the next few weeks I’ll be posting some screencasts of installing and configuring the YubiPAM module for:

  1. logging onto and locking a workstation, and
  2. SSH

So stay tuned…

YubiPAM 1.0.2 – Behaving better with others

Monday, September 8th, 2008

Some investigative work by Brian Gorka, and his mega multi-factor implementation, prompted this little release which now ensures YubiPAM stacks well with other modules in a PAM stack.

Additionally the documentation has been cleaned and refined to better get you started and provide some better guidance on configuring for troubleshooting. As YubiPAM continues to mature it is very important that everyone can assist us with ironing out the wrinkles.

This update will not affect existing database setups so feel free to use and abuse with reduced hassle.

Head to the project page.

YubiPAM 1.0.1 – A utility update

Tuesday, September 2nd, 2008

A small update to the YubiPAM project has improved the administration of adding users to the database. Due to a little ambiguity, perhaps a little too much reliance on individuals’ technical expertise of this relatively new technology and, I’m sure, a significant amount of developer assumption, a few helpers have been added to the “ykpasswd” utility.

Now you can add a user with simply a valid Yubikey OTP and the corresponding AES key for decryption, by using:

# ykpasswd -a -u USER -k AESKEY -o OTP

Where USER is a valid account user name, AESKEY is that provided by Yubico in standard hex or modhex format and the OTP is a Yubikey generated OTP.
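The following added example (not code from YubiPAM or ykpasswd) shows how the AESKEY and OTP arguments above can be validated and normalised before they are stored. It assumes a 128-bit key given as 32 characters and the usual Yubikey OTP shape of an optional public ID followed by a 32-character encrypted token; the function names are hypothetical and the sample values are constructed.

```python
MODHEX = "cbdefghijklnrtuv"   # Yubikey modhex alphabet: index = nibble value
HEX = "0123456789abcdef"
_MODHEX_TO_HEX = str.maketrans(MODHEX, HEX)


def modhex_decode(text: str) -> bytes:
    """Decode modhex (two characters per byte) to raw bytes."""
    text = text.strip().lower()
    if len(text) % 2 or set(text) - set(MODHEX):
        raise ValueError("not a valid modhex string")
    return bytes.fromhex(text.translate(_MODHEX_TO_HEX))


def parse_aes_key(text: str) -> bytes:
    """Return the 16-byte AES-128 key from 32 hex or 32 modhex characters."""
    text = text.strip().lower()
    if len(text) != 32:
        raise ValueError("AES-128 key must be exactly 32 characters")
    is_hex = not set(text) - set(HEX)
    is_modhex = not set(text) - set(MODHEX)
    if is_hex and is_modhex:
        # Only b, c, d, e, f are in both alphabets; such a key decodes two ways.
        raise ValueError("key is valid as both hex and modhex; state the format")
    if is_hex:
        return bytes.fromhex(text)
    if is_modhex:
        return modhex_decode(text)
    raise ValueError("key is neither hex nor modhex")


def split_otp(otp: str) -> tuple:
    """Split an OTP into (public ID bytes, 16-byte encrypted token)."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 64:
        raise ValueError("OTP must be 32 to 64 modhex characters")
    return modhex_decode(otp[:-32]), modhex_decode(otp[-32:])
```

Rejecting a key that parses in both alphabets avoids silently storing the wrong key, which would later show up only as failed logins.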

Head to the project page.

An offline Pluggable Authentication Module for the Yubikey.

Tuesday, August 5th, 2008

YubiPAM is a module for PAM that provides support for One Time Passwords (OTP) authentication. It supports the OTPs generated from a Yubikey authentication token. YubiPAM aims to be a simple, easy to configure, module for the Yubikey.

It is based upon an offline (i.e. no Yubico API) solution that supports multi-user systems. Obviously it requires that you know the AES key of your Yubikey. However, future releases will support synchronising the database with your Yubikey in a more streamlined fashion, and thus not necessarily knowing the AES key of your Yubikey.

The current features are:

  1. Manual add/delete from database. Using the ykpasswd tool you can add or delete Yubikey entries from the database (default: /etc/yubikey).
  2. Per user accounting. Supports individual user account authorisation. This is currently limited to one Yubikey dongle per user account.
  3. Single factor sign in. Only single factor (i.e. Yubikey OTP) is currently supported. There will be an additional second factor password option added in the near future.
  4. Static heuristic support. Heuristic support for OTP data deltas is hard coded. This will be changeable in the next release.
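Because validation is offline, the module itself has to decide whether a decrypted OTP is genuine and fresh. The added example below (not YubiPAM's code, and not a description of its hard-coded heuristic) checks a decrypted 16-byte token using the standard Yubikey OTP layout and CRC, which this page does not spell out; AES decryption is assumed to have happened already, and the function names and sample token are constructed.

```python
import struct
from collections import namedtuple

Token = namedtuple("Token", "uid session_ctr timestamp use_ctr rnd")
CRC_OK_RESIDUE = 0xF0B8   # CRC over a whole valid token, checksum included


def crc16(data: bytes) -> int:
    """ISO 13239 CRC-16 (reflected polynomial 0x8408), without final inversion."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def parse_token(plain: bytes) -> Token:
    """Parse a decrypted token; a CRC failure means wrong key or corruption."""
    if len(plain) != 16:
        raise ValueError("decrypted token must be 16 bytes")
    if crc16(plain) != CRC_OK_RESIDUE:
        raise ValueError("CRC mismatch: wrong AES key or corrupted OTP")
    ctr, ts_lo, ts_hi, use, rnd, _crc = struct.unpack("<HHBBHH", plain[6:])
    return Token(plain[:6], ctr, ts_hi << 16 | ts_lo, use, rnd)


def accept(token: Token, expected_uid: bytes, last_seen: tuple) -> bool:
    """Accept only the enrolled private ID with counters strictly past last_seen.

    last_seen is the (session_ctr, use_ctr) pair stored after the previous login.
    """
    if token.uid != expected_uid:
        return False
    return (token.session_ctr, token.use_ctr) > last_seen


def build_token(uid: bytes, ctr: int, ts: int, use: int, rnd: int) -> bytes:
    """Constructed sample plaintext, standing in for an AES-decrypted OTP."""
    body = uid + struct.pack("<HHBBH", ctr, ts & 0xFFFF, ts >> 16, use, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)
```

After a successful login the stored counter pair must be updated to the token's values, otherwise the same OTP would be accepted again.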

By all means use and abuse, with any feature requests or flames being directed to dev [at] securixlive [dot] com. We would love to hear any feedback.

Head to the project page.