  • Local Authentication Using Challenge Response with Yubikey for CentOS 7

    Connect the YubiKey, then initialize YubiKey slot 2:

    ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
    ...
    Commit? (y/n) [n]: y

    Create the /var/yubico directory for the challenge file:

    sudo mkdir /var/yubico
    sudo chown root:root /var/yubico
    sudo chmod 700 /var/yubico

    Generate the initial challenge file, then move it into /var/yubico:

    ykpamcfg -2 -v
    ...
    Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.
    sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456
    sudo chown root:root /var/yubico/xiaoxiaoleo-123456
    sudo chmod 600 /var/yubico/xiaoxiaoleo-123456

    Tip: xiaoxiaoleo is the login user name.

    Add the following PAM configuration line before the first line of /etc/pam.d/login:

    auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
    

    Add the debug argument to get debug information:

    auth   required        pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico

    Create the pam_yubico debug log file:

    touch /var/run/pam-debug.log
    chmod go+w /var/run/pam-debug.log

    SELinux ERROR:

    [pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345(No such file or   directory )

    Error communicating with Yubikey,please check syslog or contact your system administrator

    [pam_yubikco.c:display_error(425)] conv returned:'(null)'

    [pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory

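    Create the SELinux policy:

    grep avc /var/log/audit/audit.log | audit2allow -M yubikey

    Policy source (yubikey.te):

    module yubikey 1.0;

    require {
        type var_t;
        type local_login_t;
        class file { getattr open read ioctl lock };
    }

    # Let the login program read the challenge file.
    # var_t is the generic label for files under /var, so this rule is not
    # limited to /var/yubico.
    allow local_login_t var_t:file { getattr open read ioctl lock };
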

    Compile and install SELinux policy:

     checkmodule -M -m -o yubikey.mod yubikey.te
     semodule_package -o yubikey.pp -m yubikey.mod
     semodule -i yubikey.pp
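
A check of the file layout and PAM line set up in the steps above, as an added example that is not part of the original post. The function names and the script name check.sh are hypothetical, and it assumes GNU stat as shipped on CentOS 7.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# Assumes GNU stat (-c), as shipped on CentOS 7.
# check_chalresp_dir DIR [UID]: print findings, return the number of problems.
check_chalresp_dir() {
    local dir uid problems f name serial
    dir="$1"; uid="${2:-0}"; problems=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    # The post sets the directory to mode 700, owned by root (UID 0).
    if [ "$(stat -c '%a %u' "$dir")" != "700 $uid" ]; then
        echo "FAIL: $dir should be mode 700, owner UID $uid"
        problems=$((problems + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name="${f##*/}"; serial=""
        # Challenge files are named <login user>-<serial>, as in the post.
        case $name in ?*-*) serial="${name##*-}" ;; esac
        case $serial in
            ''|*[!0-9]*) echo "WARN: $name is not named <user>-<serial>"
                         problems=$((problems + 1)) ;;
        esac
        if [ "$(stat -c '%a %u' "$f")" != "600 $uid" ]; then
            echo "FAIL: $name should be mode 600, owner UID $uid"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# check_pam_line FILE DIR: 0 if FILE has a pam_yubico challenge-response
# line pointing at DIR with debug off, 1 otherwise.
check_pam_line() {
    local w mode path debug
    mode=""; path=""; debug=""
    for w in $(grep -E '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$1" | head -n 1); do
        case $w in
            mode=challenge-response) mode=ok ;;
            chalresp_path="$2") path=ok ;;
            debug) debug=on ;;
        esac
    done
    [ -n "$mode" ] && [ -n "$path" ] || { echo "FAIL: no challenge-response line for $2 in $1"; return 1; }
    [ -z "$debug" ] || { echo "WARN: debug is still enabled in $1"; return 1; }
}

# Run as root: sh check.sh /var/yubico /etc/pam.d/login
if [ "$#" -eq 2 ]; then check_chalresp_dir "$1"; check_pam_line "$2" "$1"; fi
```
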
    

  • Original article: https://www.cnblogs.com/xiaoxiaoleo/p/6806525.html