  • Local Authentication Using Challenge Response with Yubikey for CentOS 7

    Connect the YubiKey, then initialize YubiKey slot 2 for HMAC-SHA1 challenge-response (-ohmac-lt64 lets the key answer challenges shorter than 64 bytes; -oserial-api-visible lets ykpamcfg read the serial number, which becomes part of the challenge file name):

    ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
    ...
    Commit? (y/n) [n]: y

    Create the /var/yubico directory for the challenge file, then generate the initial challenge/response pair with ykpamcfg and move it into place:

    sudo mkdir /var/yubico
    sudo chown root.root /var/yubico
    sudo chmod 700 /var/yubico
    ykpamcfg -2 -v
    ...
    Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.
    sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456
    sudo chown root.root /var/yubico/xiaoxiaoleo-123456
    sudo chmod 600 /var/yubico/xiaoxiaoleo-123456

    Tip: xiaoxiaoleo is the login user name; the file is named <username>-<serial>, as shown above.

    Add the PAM config as the first line of /etc/pam.d/login:

    auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico
    

    Add the debug argument for debug information:

    auth   required        pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico

    Create the pam_yubico debug log file (remove it, and the debug argument, once troubleshooting is done, since the file is world-writable):

    touch /var/run/pam-debug.log
    chmod go+w /var/run/pam-debug.log
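    The steps above leave three things that must all line up before the next login: the directory mode, the challenge file's name and permissions, and the pam_yubico line's position in /etc/pam.d/login. The following shell functions, an added example rather than code from the original post, check each of them so a mistake is caught before the console is locked out. They assume GNU stat(1) as on CentOS 7, the <chalresp_path>/<username>-<serial> layout used above, and take the expected owner as an argument (root in production); the paths, user name and serial in the usage call are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity-check the
# challenge-response setup before relying on it at the login prompt.
# Assumes GNU coreutils stat(1) (CentOS 7) and the layout
#   <chalresp_path>/<username>-<serial>  mode 0600, inside a
#   chalresp_path directory                mode 0700, both owned by OWNER.

# check_chalresp_dir DIR [OWNER]
#   The directory must exist, be owned by OWNER (default root), mode 700.
check_chalresp_dir() {
    dir=$1; owner=${2:-root}
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || { echo "$dir is not owned by $owner"; return 1; }
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "$dir mode is not 700"; return 1; }
    return 0
}

# check_chalresp_file DIR USER SERIAL [OWNER]
#   pam_yubico looks for DIR/USER-SERIAL; it must be a regular file,
#   owned by OWNER, mode 600 (the expected response is a secret).
check_chalresp_file() {
    dir=$1; user=$2; serial=$3; owner=${4:-root}
    f="$dir/$user-$serial"
    [ -f "$f" ] || { echo "missing challenge file: $f"; return 1; }
    [ "$(stat -c '%U' "$f")" = "$owner" ] || { echo "$f is not owned by $owner"; return 1; }
    [ "$(stat -c '%a' "$f")" = "600" ] || { echo "$f mode is not 600"; return 1; }
    return 0
}

# check_pam_line PAMFILE CHALRESP_PATH
#   The first auth line must be the pam_yubico challenge-response line
#   pointing at CHALRESP_PATH, so it runs before pam_unix.
check_pam_line() {
    pamfile=$1; path=$2
    [ -r "$pamfile" ] || { echo "cannot read $pamfile"; return 1; }
    first=$(grep -E '^[[:space:]]*auth[[:space:]]' "$pamfile" | head -n 1)
    case $first in
        *pam_yubico.so*mode=challenge-response*chalresp_path="$path"*) return 0 ;;
    esac
    echo "first auth line in $pamfile is not the pam_yubico challenge-response line"
    return 1
}

# Usage (placeholder values): run as root on the real system.
#   check_chalresp_dir  /var/yubico root
#   check_chalresp_file /var/yubico xiaoxiaoleo 123456 root
#   check_pam_line      /etc/pam.d/login /var/yubico
```

    Run the three checks as root after the move/chown/chmod steps; each prints the first mismatch it finds and returns non-zero, so they can be chained with && in a provisioning script.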

    SELinux error (as seen in the debug log when the login process is denied access to the challenge file):

    [pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345 (No such file or directory)
    Error communicating with Yubikey, please check syslog or contact your system administrator
    [pam_yubico.c:display_error(425)] conv returned: '(null)'
    [pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory

    Create an SELinux policy module from the logged denials. audit2allow -M writes both yubikey.te and yubikey.pp; the yubikey.te it produces looks like this (note the rule grants local_login_t read access to every file labelled var_t, not only /var/yubico):

    grep avc /var/log/audit/audit.log | audit2allow -M yubikey

    module yubikey 1.0;

    require {
        type var_t;
        type local_login_t;
    }

    # Let the local login process read the challenge file under /var (labelled var_t).
    allow local_login_t var_t:file { getattr open read ioctl lock };

    Compile and install the SELinux policy (only the semodule step is needed if yubikey.te was not edited, since audit2allow -M already produced yubikey.pp):

    checkmodule -M -m -o yubikey.mod yubikey.te
    semodule_package -o yubikey.pp -m yubikey.mod
    semodule -i yubikey.pp
    

  • Original post: https://www.cnblogs.com/xiaoxiaoleo/p/6806525.html