On 20/03/14 15:03, Nick Owen wrote:
> I'm not familiar with the yubikey libraries (as I work for a
> competitor ;-), but why use them at all? Don't you want to use
> radius? I'm fairly certain that yubikey supports it.
>
> Here's a tutorial on adding 2FA to pam using radius:
> http://www.wikidsystems.com/support/wikid-support-center/how-to/pam-radius-how-to
> or http://www.wikidsystems.com/support/wikid-support-center/how-to/how-to-configure-pam-radius-in-ubuntu
> for ubuntu.
>
> And here is one on having freeradius in the middle to perform
> authorization in ldap and then proxy the cred to another server for
> authentication. Our example is a WiKID server, but radius is radius
> and it works well anywhere.
>
> HTH,

I think I may have explained badly. I'm not trying to make pam use
radius, I'm making radius use pam. I'm setting up a radius server which
Cisco gear can utilise for their VPN servers. I've backed radius against
PAM, and pam is using yubikey and ldap password as the two factors.

I've actually got this working now, with a pam file that looks like:

#%PAM-1.0
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf-radius
auth optional pam_deny.so
account required pam_ldap.so use_first_pass config=/etc/pam_ldap.conf-radius
account optional pam_deny.so

This seems to work but it requires the user's password and the yubikey
token be concatenated together as one single response, and I'd prefer a
two step challenge and response process if possible. Do you know what I
might need to alter to make this so?

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
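
Added example, not part of the original message and not pam_yubico's own code: a Python illustration of how a single concatenated response such as the one described above can be split into the LDAP password and the Yubico OTP, and how the token's public ID can be checked against a `user:token-id` mapping file. It assumes a 12-character public ID followed by a 32-character OTP (44 modhex characters in total); the function names and sample data are constructed for the illustration.

```python
# Illustration only: splits "password + Yubico OTP" sent as one response.
# Assumes a 12-char public ID + 32-char OTP; names here are hypothetical.
import re

PUBLIC_ID_LEN = 12                      # assumed public-ID length
OTP_LEN = 32                            # encrypted part of the OTP
TOKEN_LEN = PUBLIC_ID_LEN + OTP_LEN     # 44 characters typed by the key
MODHEX = re.compile(r"[cbdefghijklnrtuv]+")


def parse_authfile(text):
    """Parse 'user:id1:id2' lines into {user: {public IDs}}."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mapping[user] = {i for i in ids if i}
    return mapping


def split_response(response):
    """Return (password, public_id, full_otp) or raise ValueError."""
    if len(response) <= TOKEN_LEN:
        raise ValueError("response too short to hold password + OTP")
    password, token = response[:-TOKEN_LEN], response[-TOKEN_LEN:]
    if not MODHEX.fullmatch(token):
        raise ValueError("trailing 44 characters are not modhex")
    return password, token[:PUBLIC_ID_LEN], token


def token_allowed(user, public_id, mapping):
    """True only if this public ID is enrolled for this user."""
    return public_id in mapping.get(user, set())


# Constructed sample data (not real credentials or a real token).
SAMPLE_AUTHFILE = "# user:token-id\nalice:ccccccdefghi\nbob:ccccccjklnrt\n"
SAMPLE_OTP = "ccccccdefghi" + "bcdefghijklnrtuv" * 2
SAMPLE_RESPONSE = "S3cret:pass" + SAMPLE_OTP

if __name__ == "__main__":
    users = parse_authfile(SAMPLE_AUTHFILE)
    pw, pid, otp = split_response(SAMPLE_RESPONSE)
    print("password part:", pw)
    print("public id:", pid, "allowed for alice:", token_allowed("alice", pid, users))
```

The password part is what a later module in the stack would see via use_first_pass; a response without a trailing 44-character modhex token is rejected before any password check.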