Yubico on Solaris 10

I'm back configuring Yubikeys but this time on Solaris 10 as it is what the majority of our servers run.

Here are are the steps required to get it working on Solaris 10 update 6:

  1. Install curl
    pkgadd SFWcurl
  2. Configure libyubico-client
    configure CPPFLAGS=-I/opt/sfw/include CFLAGS-std=c99 --prefix=/usr
  3. Compile and install
    gmake install
  4. Configure pam_yubico
    configure --prefix=/usr --without-ldap
  5. Compile and install
    gmake install
  6. Setup a user to key mapping file (e.g. /etc/yubikeys)
    martin:ulbtvceblvrb
  7. Configure /etc/pam.conf
    other   auth requisite          pam_authtok_get.so.1
    other   auth required           pam_unix_cred.so.1
    other   auth required           pam_unix_auth.so.1
    other   auth required           pam_yubico.so id=16 authfile=/etc/yubikeys ignorepass

Then a ssh login will look like this:

martin@workstation$ ssh server
Password: 
Yubikey for `martin': 
martin@server$ 

You might have noticed the ignorepass option which I have added, this is to prevent pam_yubico from trying to (re)use the password I typed, nd instead force pam_yubico to prompt me for it. I have sent Simon the diff so he can add it to the next release.

Comments:

Thanks for the writeup!

Pam_yubico 1.14 has been released, and with it there is no need to patch it or specify the "ignorepass" keyword -- it works the way you want it to work by default.

Posted by Simon Josefsson on March 24, 2009 at 05:57 PM PDT #

Post a Comment:
Comments are closed for this entry.
About

martin

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today