authorStuart Shelton <stuart@shelton.me>2016-02-09 23:51:03 +0000
committerStuart Shelton <stuart@shelton.me>2016-02-09 23:51:03 +0000
commit7a9ddf7e5cd1e459b2d5895802b2171136955f90 (patch)
tree25f9785197c98f61472f98ee9682967aeecb9366
parentAdd www-servers/3dm2-10.2.2.1, update README.md (diff)
Add sys-auth/yubipam-1.1_beta1, sys-auth/yubipam-9999, update README.md
-rw-r--r--README.md2
-rw-r--r--sys-auth/yubipam/Manifest5
-rw-r--r--sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch96
-rw-r--r--sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch20
-rw-r--r--sys-auth/yubipam/yubipam-1.1_beta1.ebuild65
-rw-r--r--sys-auth/yubipam/yubipam-9999.ebuild72
6 files changed, 260 insertions, 0 deletions
diff --git a/README.md b/README.md
index cc8f3af3..b216aefc 100644
--- a/README.md
+++ b/README.md
@@ -184,6 +184,8 @@ A similar configuration file could be added for all packages which fail to compi
* OPIE One-time password system
* sys-auth/pam_mobile_otp
* PAM component of mOTP
+* sys-auth/yubipam
+ * PAM authentication module for YubiKey hardware
* www-apps/heatmiser
* Data acquisition and web-interface for Heatmiser Wifi Thermostats
* www-apps/nabaztaglives
diff --git a/sys-auth/yubipam/Manifest b/sys-auth/yubipam/Manifest
new file mode 100644
index 00000000..67ae2e48
--- /dev/null
+++ b/sys-auth/yubipam/Manifest
@@ -0,0 +1,5 @@
+AUX yubipam-1.1_beta1-concat-twofactor.patch 3040 SHA256 bd461a2e827560e7fa69b08d772b12cb2c4bbf8676c1394fa3d9c0a3d7b90980 SHA512 a4f5cf8549820f90d2bad68446a5b01334173955e2f3e3628f62b8a2afe3c98e52cbfdbceb03a3d77ba1cc1ce8b66de77101d4e9d007a9955322d164171bb555 WHIRLPOOL f087b9afcc19259546666f7398f0e5db10e8de361402ca1cdc8a41fe607c01b675f85aee960f18b7f4166604a8f5a8c761a265a4e7148ed240948a88b795412c
+AUX yubipam-1.1_beta1-resource.h.patch 406 SHA256 c86ca9eea31bad29d2b70b4773b51cdc46e101483f4e45587e2108dfb8235fe3 SHA512 ed12a5207c99467f8f06a19d81a224e92a8a99b2bbdf194be93b79d3f2bb2cb8aa397bd09aa18526213337b592b580f312bbf6927b72c9c8c6cb6bfa9edc2d50 WHIRLPOOL c057a34e3dc777c44bd84838ff8f62e16216171b4cfd55f572b2b42cb124015bb91802458131639b450515af28f2849729a068f959b14add17efd79ec6afdf1d
+DIST YubiPAM-1.1-beta1.tar.gz 337000 SHA256 8f0d018599613268280802de0e7b66541cb2b2c00d6c45535263a81671c8f4bc SHA512 eed18192f766029f70f8bfc2a2366bcb167f035724091fd46786ca2c56a6f6feced4f3ba856bf7d376fcb4582af28ef09c68211b1a7abe3ff2f3186ec8405962 WHIRLPOOL 71e2a2844cd1fdfc58a8e37902ded3a5ebf7dae435a143bfcb0b24e712486387d1b0d58f57822515feccefa76247482c08fea2edd093d9bccfaee09f4bed2580
+EBUILD yubipam-1.1_beta1.ebuild 1475 SHA256 7a48324f85038af0b40b1f62d5114cbeb5195663a7596046e00dfdf03151e1a8 SHA512 d839a721ffcc4d09be85c54e4f5f044b12c6a088a398358325f0325c36e2658985918094106dffedbc0eeeac07d000400c79c9d18e84582b900f840331563d0c WHIRLPOOL fb317e6d859ecdd6f72697fc46c2bd7ac9f9cc47eef899051603af4afd4b3b3957c809b6f5dfe419f5c9056da61ee4091dec32f9eeced1e7d51db54a6d661501
+EBUILD yubipam-9999.ebuild 1696 SHA256 2dd76c7e75c4ca0f4818202abe1d5098f750f8979ded641341a94e7cd083fd0b SHA512 23a973aefe86a0958653ecf544337f3a649ed80d90e859644397e37e83053b52db8f3e4a6473222e2582beeb18533b4727f4985b53c7f627aa4e16b25e7de31f WHIRLPOOL a2b2d532c334308c752302087b281654c8576a243ab60fe49bee03e813407d8d5d7ac8e834a8f86312dc41d5fd1b396873c75502849f436c02d87e5da9c3c044
diff --git a/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch b/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch
new file mode 100644
index 00000000..04eeb21a
--- /dev/null
+++ b/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch
@@ -0,0 +1,96 @@
+Add concatenated two-factor authentication to YubiPAM. This allows a
+work-around for arguably broken PAM clients that only look for one password
+field.
+
+Regular two-factor authentication is achieved by adding the 'two_factor'
+parameter to the PAM module in the appropriate /etc/pam.d file. The "passcode"
+is then set for each user when enrolling by specifying -c to ykpasswd.
+
+i.e.
+ somewhere in pam.d:
+
+ auth sufficient pam_yubikey.so two_factor
+
+ then:
+ # ykpasswd -a -c -f ffeeddccbbaa -k afaa...
+
+ The -c tells ykpasswd to ask for a passcode.
+
+When logging in, the system will now ask for the OTP, followed by the
+"passcode".
+
+This patch extends the two-factor authentication to provide the concatenated
+two-factor feature. Where your PAM configuration specifies 'two_factor', change
+this to 'concat_two_factor'. Now, YubiPAM instead now asks for
+'Password+YubiKey OTP'. You enter them in this order separated by a single
+space. This method is compatible with single-password PAM clients such as KDM.
+
+--- YubiPAM-1.1-beta1/src/pam_yubikey.c.orig 2011-02-17 06:29:36.463262097 +1000
++++ YubiPAM-1.1-beta1/src/pam_yubikey.c 2011-02-17 07:29:55.017380877 +1000
+@@ -26,6 +26,7 @@
+ * the Linux-PAM project, specfically unik_chkpwd.c
+ * 2. This addition was intiated by Geoff Hoff
+ *
++* vim: set ts=4 sts=4
+ */
+
+ #ifdef HAVE_CONFIG_H
+@@ -100,6 +101,8 @@
+ verbose_otp = 1;
+ else if (strncmp(argv[i], "two_factor", 10) == 0)
+ two_factor = 1;
++ else if (strncmp(argv[i], "concat_two_factor", 17) == 0)
++ two_factor = 2;
+ }
+ D (("verbose=%d", verbose_otp));
+
+@@ -113,18 +116,40 @@
+
+ D (("get user returned: %s", user));
+
+- /* prompt for the Yubikey OTP (always) */
+- {
++ if (two_factor == 2) {
++ /* Prompt for the user's password and OTP together */
++ passcode = get_response(pamh, "Passcode+Yubikey OTP", user, 0);
++ /* Find last space, beyond is our OTP */
++ otp = rindex(passcode, ' ');
++ if (otp)
++ /* otp is one character before OTP */
++ strncpy(otp_passcode, &otp[1], 128);
++ else
++ /* Fail right here */
++ return PAM_AUTH_ERR;
++
++ /* Append the | character and passcode+OTP */
++ strncat(otp_passcode,"|",128);
++ strncat(otp_passcode,passcode,128);
++
++ /* Find the last space again and make it a null */
++ passcode = rindex(otp_passcode,' ');
++ if (passcode)
++ *passcode = 0;
++ else
++ return PAM_AUTH_ERR;
++ } else {
++ /* prompt for the Yubikey OTP (always) */
+ otp = get_response(pamh, "Yubikey OTP", user, verbose_otp);
+- }
+
+- /* prompt for the second factor passcode as required */
+- if ( two_factor)
+- {
+- passcode = get_response(pamh, "Yubikey Passcode", user, 0);
+- }
++ /* prompt for the second factor passcode as required */
++ if (two_factor)
++ {
++ passcode = get_response(pamh, "Yubikey Passcode", user, 0);
++ }
+
+- snprintf(otp_passcode, 128, "%s|%s", otp ? otp:"", passcode ? passcode:"");
++ snprintf(otp_passcode, 128, "%s|%s", otp ? otp:"", passcode ? passcode:"");
++ }
+
+ D (("pass: %s (%d)", otp_passcode, strlen(otp_passcode)));
+
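Review bot: In the `two_factor == 2` branch the length arguments do not bound `otp_passcode`: `strncpy(..., 128)` leaves it unterminated when the OTP part is 128 bytes or longer, and the third argument of `strncat` limits the bytes appended, not the destination size, so `strncat(otp_passcode,passcode,128)` can write past a buffer that the `snprintf(otp_passcode, 128, ...)` in the else branch suggests is 128 bytes (its declaration is outside the hunk). The data is the response typed before authentication has succeeded, and `rindex(passcode, ' ')` is reached without the NULL guard the other branch keeps (`otp ? otp:""`), so a failed prompt would presumably dereference NULL. I would build the string with a single length-checked `snprintf` and return `PAM_AUTH_ERR` on NULL or truncation, as below. The rest of the function is outside the hunk, so any later use of `otp` and `passcode` should be checked against the values this branch leaves in them.

```c
	if (two_factor == 2) {
		int n;

		/* Prompt for the user's password and OTP together */
		passcode = get_response(pamh, "Passcode+Yubikey OTP", user, 0);
		if (passcode == NULL)
			return PAM_AUTH_ERR;

		/* The last space separates the passcode (before) from the OTP (after) */
		otp = strrchr(passcode, ' ');
		if (otp == NULL)
			return PAM_AUTH_ERR;

		/* "<otp>|<passcode>"; reject over-long input instead of truncating it */
		n = snprintf(otp_passcode, 128, "%s|%.*s",
			     otp + 1, (int)(otp - passcode), passcode);
		if (n < 0 || n >= 128)
			return PAM_AUTH_ERR;
	} else {
		/* … unchanged: separate OTP and passcode prompts, snprintf … */
	}
```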
diff --git a/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch b/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch
new file mode 100644
index 00000000..c41bf813
--- /dev/null
+++ b/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch
@@ -0,0 +1,20 @@
+--- src/pam_yubikey.c.dist
++++ src/pam_yubikey.c
+@@ -38,6 +38,7 @@
+ #include <stdlib.h>
+ #include <stdarg.h>
+ #include <string.h>
++#include <sys/resource.h>
+
+ #include "libyubipam.h"
+
+--- src/utils/ykvalidate.c.dist
++++ src/utils/ykvalidate.c
+@@ -32,6 +32,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <termios.h>
++#include <sys/resource.h>
+
+ #include "ykvalidate.h"
+ #include "libyubipam.h"
diff --git a/sys-auth/yubipam/yubipam-1.1_beta1.ebuild b/sys-auth/yubipam/yubipam-1.1_beta1.ebuild
new file mode 100644
index 00000000..44b6b1e2
--- /dev/null
+++ b/sys-auth/yubipam/yubipam-1.1_beta1.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+MY_PV="${PV/_/-}"
+
+inherit eutils multilib user
+
+DESCRIPTION="YubiPAM: PAM module for Yubikeys"
+HOMEPAGE="http://www.securixlive.com/yubipam/"
+SRC_URI="http://www.securixlive.com/download/yubipam/YubiPAM-${MY_PV}.tar.gz"
+RESTRICT="nomirror"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~x86"
+IUSE=""
+
+DEPEND="sys-libs/pam"
+RDEPEND="${DEPEND}"
+
+DOCS=( README INSTALL RELEASE.NOTES )
+S="${WORKDIR}/YubiPAM-${MY_PV}"
+
+pkg_setup() {
+ enewgroup yubiauth
+}
+
+src_prepare() {
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-concat-twofactor.patch" || die "epatch failed"
+ epatch "${FILESDIR}/${P}-resource.h.patch" || die "epatch failed"
+}
+
+src_install() {
+ emake install DESTDIR="${ED}" PAMDIR="$(get_libdir)/security"
+ find "${ED}" -type f -name \*.a -delete
+ find "${ED}" -type f -name \*.la -delete
+
+ #diropts -m0660 -g yubiauth
+ #dodir /etc/yubikey || die "creation of state directory failed"
+ touch "${T}"/yubikey
+ insinto /etc
+ doins "${T}"/yubikey
+
+ fowners :yubiauth /etc/yubikey /sbin/yk_chkpwd
+ fperms g+rw /etc/yubikey
+ fperms g+s /sbin/yk_chkpwd
+
+ dodoc "${DOCS[@]}"
+}
+
+pkg_postinst() {
+ einfo "To enable YubiPAM for system authentication"
+ einfo "edit your /etc/pam.d/system-auth to include:"
+ einfo
+ einfo " auth sufficient pam_yubikey.so"
+ einfo
+ einfo "... just before pam_unix.so"
+ echo
+ einfo "See included README for module parameters"
+}
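Review bot: `/etc/yubikey` ends up world-readable in `src_install`, because `doins` installs it with the default 0644 mode and `fperms g+rw` only adds group bits, giving 0664. If this is the store that `ykpasswd` enrols keys and passcodes into (not visible here, but it is the file shared with the setgid `yk_chkpwd` group), any local user can read it; the commented-out `diropts -m0660 -g yubiauth` suggests 0660 was the intent. I would set the mode explicitly with `fperms 0660 /etc/yubikey`. The same applies to `insopts -m0664 -g yubiauth` in yubipam-9999.ebuild, which could be `insopts -m0660 -g yubiauth`.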
diff --git a/sys-auth/yubipam/yubipam-9999.ebuild b/sys-auth/yubipam/yubipam-9999.ebuild
new file mode 100644
index 00000000..dad0ecbf
--- /dev/null
+++ b/sys-auth/yubipam/yubipam-9999.ebuild
@@ -0,0 +1,72 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+AUTOTOOLS_AUTORECONF=1
+AUTOTOOLS_IN_SOURCE_BUILD=1
+AUTOTOOLS_PRUNE_LIBTOOL_FILES="none"
+
+inherit autotools-utils eutils git-r3 multilib user
+
+DESCRIPTION="YubiPAM: PAM module for Yubikeys"
+HOMEPAGE="http://www.securixlive.com/yubipam/"
+EGIT_REPO_URI="git://github.com/firnsy/yubipam.git"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~x86"
+IUSE=""
+
+DEPEND="sys-libs/pam"
+RDEPEND="${DEPEND}"
+
+AUTHDB="/var/lib/${PN}/auth"
+DOCS=( README ChangeLog )
+
+pkg_setup() {
+ enewgroup yubiauth
+}
+
+src_prepare() {
+ find . -name "Makefile.am" -exec sed -ie '/rm .*\.l\?a/d' {} \;
+
+ autotools-utils_src_prepare
+ default_src_prepare
+}
+
+src_configure() {
+ econf \
+ --with-authdb="${AUTHDB}"
+ # The following option is documented (although sometimes as --with-pam-lib)
+ # but doesn't work correctly - the value specified is appended to '/lib' :(
+ # --with-pam-dir="$(get_libdir)"/security
+}
+
+src_install() {
+ emake install DESTDIR="${ED}" PAMDIR="$(get_libdir)/security"
+
+ find "${ED}" -type f -name \*.a -delete
+ find "${ED}" -type f -name \*.la -delete
+
+ touch "${T}"/"$( basename "${AUTHDB}" )"
+ insopts -m0664 -g yubiauth
+ insinto "$( dirname "${AUTHDB}" )"
+ doins "${T}"/"$( basename "${AUTHDB}" )"
+
+ fowners :yubiauth /usr/sbin/yk_chkpwd
+ fperms g+s /usr/sbin/yk_chkpwd
+
+ dodoc "${DOCS[@]}"
+}
+
+pkg_postinst() {
+ einfo "To enable YubiPAM for system authentication"
+ einfo "edit your /etc/pam.d/system-auth to include:"
+ einfo
+ einfo " auth sufficient pam_yubikey.so"
+ einfo
+ einfo "... just before pam_unix.so"
+ echo
+ einfo "See included README for module parameters"
+}
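Review bot: `EGIT_REPO_URI` uses the unauthenticated `git://` transport, and a live ebuild has no Manifest `DIST` hash to fall back on, so the source of a PAM module with a setgid helper is fetched without integrity protection or server authentication. I would switch to `EGIT_REPO_URI="https://github.com/firnsy/yubipam.git"`. Separately, in `src_prepare` the `sed -ie` is parsed as `-i` with backup suffix `e`, which leaves `Makefile.ame` copies behind; `sed -i -e` is presumably what was meant.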