Connect Yubikey  ,then initialize YubiKey slot 2:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y

Create /var/yubico directory for challenge file.

sudo mkdir /var/yubico

sudo chown root.root /var/yubico
sudo chmod 700 /var/yubico
ykpamcfg -2 -v
...
Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.
sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456
sudo chown root.root /var/yubico/xiaoxiaoleo-123456
sudo chmod 600 /var/yubico/xiaoxiaoleo-123456

TIPs: xiaoxiaoleo is the login user name.

add pam config before the first line /etc/pam.d/login:

auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

Add debug arg for debug infomation:

auth   required        pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico

Create yubico pam debug log file:

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log

SELinux ERROR:

[pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345(No such file or   directory )

Error communicating with Yubikey,please check syslog or contact your system administrator

[pam_yubikco.c:display_error(425)] conv returned:'(null)'

[pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory

Create SELinux policy :

grep avc /var/log/audit/audit.log | audit2allow -M yubikey
module yubikey 1.0;

define(`r_file_perms', `{ getattr open read ioctl lock }')

require {

    type var_t;

    type local_login_t;

}

allow local_login_t var_t:file r_file_perms

Compile and install SELinux policy:

 checkmodule -M -m -o yubikey.mod yubikey.te
semodule_package -o yubikey.pp -m yubikey.mod
semodule -i yubikey.pp

Local Authentication Using Challenge Response with Yubikey for CentOS 7的更多相关文章

  1. Challenge–response authentication 挑战(询问)应答机制

    In computer security, challenge–response authentication is a family of protocols in which one party ...

  2. HMAC在“挑战/响应”(Challenge/Response)身份认证的应用

    HMAC的一个典型应用是用在"挑战/响应"(Challenge/Response)身份认证中. 认证流程 (1) 先由客户端向服务器发出一个验证请求. (2) 服务器接到此请求后生 ...

  3. samba常用命令

    1.# smbstatusSamba version 3.6.23PID Username Group Machine ---------------------------------------- ...

  4. [转]The NTLM Authentication Protocol and Security Support Provider

    本文转自:http://davenport.sourceforge.net/ntlm.html#ntlmHttpAuthentication The NTLM Authentication Proto ...

  5. sip user Authentication and 401

    https://www.vocal.com/sip-2/sip-user-authentication/ https://tools.ietf.org/html/rfc3261 SIP User Au ...

  6. Samba set of user authentication and file access rights

    This series is compatible with Linux certification exam LPIC. A typical Linux user-level topics omit ...

  7. Central Authentication Service

    国内私募机构九鼎控股打造APP,来就送 20元现金领取地址:http://jdb.jiudingcapital.com/phone.html内部邀请码:C8E245J (不写邀请码,没有现金送)国内私 ...

  8. 爬虫框架Scrapy之Request/Response

    Request yield scrapy.Request(url, self.parse) Request 源码: # 部分代码 class Request(object_ref): def __in ...

  9. Scrapy爬虫入门Request和Response(请求和响应)

    开发环境:Python 3.6.0 版本 (当前最新)Scrapy 1.3.2 版本 (当前最新) 请求和响应 Scrapy的Request和Response对象用于爬网网站. 通常,Request对 ...

随机推荐

  1. es6严格模式需要注意的地方

    1.块级函数 "use strict"; if (true) { function f() { } // 语法错误 } es5中严格模式下禁止声明块级函数,而在es6的严格模式中可 ...

  2. Percona-Tookit工具包之pt-find

      Preface       We used to use "find" command in linux or AIX when we need to get a certai ...

  3. jackson 处理空值

    @JsonInclude(value=Include.NON_NULL) public class ResultBean 这样在返回数据的时候, { "code": "s ...

  4. JAVA集合面面观

    List的常用实现:vector,ArrayList,linkedList. 总体关系如下(java8): vector和arraylist 两者底层都是采用数组的形式.但是有些许不同 // Arra ...

  5. 12-Mysql数据库----多表查询

    本节重点: 多表连接查询 符合条件连接查询 子查询 准备工作:准备两张表,部门表(department).员工表(employee) create table department( id int, ...

  6. f3d源码解读

    Fomo3D 源码解析, 部署指南 https://www.meiwen.com.cn/subject/efntbftx.html 原文链接 Fomo3D 合约源码分析 准备工作 环境准备 (用于调试 ...

  7. vim字符编码

    今天我在用vim新建中文文件的时候遇到保存好出现乱码的问题,经过一波百度, :set encoding=utf-8 :set fileencodings=ucs-bom,utf-8,cp936 :se ...

  8. Vue.js---组件

    详情点此连接(转载) 组件的创建和注册 vue.js的组件的使用有3个步骤:创建组件构造器.注册组件和使用组件. 1. 调用Vue.extend()方法创建组件构造器. 2. 调用Vue.compon ...

  9. linux下生成core dump文件方法

    core 文件的简单介绍 当程序运行的过程中异常终止或崩溃,操作系统会将程序当时的内存状态记录下来,保存在一个文件中,这种行为就叫做Core Dump(中文有的翻译成“核心转储”).我们可以认为 co ...

  10. Flink History Job

    history job的写入1. org.apache.flink.runtime.jobmanager,Object JobManagerrunJobManager中指定使用MemoryArchiv ...