-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | sys-auth/yubipam/Manifest | 5 | ||||
-rw-r--r-- | sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch | 96 | ||||
-rw-r--r-- | sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch | 20 | ||||
-rw-r--r-- | sys-auth/yubipam/yubipam-1.1_beta1.ebuild | 65 | ||||
-rw-r--r-- | sys-auth/yubipam/yubipam-9999.ebuild | 72 |
6 files changed, 260 insertions, 0 deletions
@@ -184,6 +184,8 @@ A similar configuration file could be added for all packages which fail to compi
 * OPIE One-time password system
 * sys-auth/pam_mobile_otp
 * PAM component of mOTP
+* sys-auth/yubipam
+ * PAM authentication module for YubiKey hardware
 * www-apps/heatmiser
 * Data acquisition and web-interface for Heatmiser Wifi Thermostats
 * www-apps/nabaztaglives
diff --git a/sys-auth/yubipam/Manifest b/sys-auth/yubipam/Manifest
new file mode 100644
index 00000000..67ae2e48
--- /dev/null
+++ b/sys-auth/yubipam/Manifest
@@ -0,0 +1,5 @@
+AUX yubipam-1.1_beta1-concat-twofactor.patch 3040 SHA256 bd461a2e827560e7fa69b08d772b12cb2c4bbf8676c1394fa3d9c0a3d7b90980 SHA512 a4f5cf8549820f90d2bad68446a5b01334173955e2f3e3628f62b8a2afe3c98e52cbfdbceb03a3d77ba1cc1ce8b66de77101d4e9d007a9955322d164171bb555 WHIRLPOOL f087b9afcc19259546666f7398f0e5db10e8de361402ca1cdc8a41fe607c01b675f85aee960f18b7f4166604a8f5a8c761a265a4e7148ed240948a88b795412c
+AUX yubipam-1.1_beta1-resource.h.patch 406 SHA256 c86ca9eea31bad29d2b70b4773b51cdc46e101483f4e45587e2108dfb8235fe3 SHA512 ed12a5207c99467f8f06a19d81a224e92a8a99b2bbdf194be93b79d3f2bb2cb8aa397bd09aa18526213337b592b580f312bbf6927b72c9c8c6cb6bfa9edc2d50 WHIRLPOOL c057a34e3dc777c44bd84838ff8f62e16216171b4cfd55f572b2b42cb124015bb91802458131639b450515af28f2849729a068f959b14add17efd79ec6afdf1d
+DIST YubiPAM-1.1-beta1.tar.gz 337000 SHA256 8f0d018599613268280802de0e7b66541cb2b2c00d6c45535263a81671c8f4bc SHA512 eed18192f766029f70f8bfc2a2366bcb167f035724091fd46786ca2c56a6f6feced4f3ba856bf7d376fcb4582af28ef09c68211b1a7abe3ff2f3186ec8405962 WHIRLPOOL 71e2a2844cd1fdfc58a8e37902ded3a5ebf7dae435a143bfcb0b24e712486387d1b0d58f57822515feccefa76247482c08fea2edd093d9bccfaee09f4bed2580
+EBUILD yubipam-1.1_beta1.ebuild 1475 SHA256 7a48324f85038af0b40b1f62d5114cbeb5195663a7596046e00dfdf03151e1a8 SHA512 d839a721ffcc4d09be85c54e4f5f044b12c6a088a398358325f0325c36e2658985918094106dffedbc0eeeac07d000400c79c9d18e84582b900f840331563d0c WHIRLPOOL fb317e6d859ecdd6f72697fc46c2bd7ac9f9cc47eef899051603af4afd4b3b3957c809b6f5dfe419f5c9056da61ee4091dec32f9eeced1e7d51db54a6d661501
+EBUILD yubipam-9999.ebuild 1696 SHA256 2dd76c7e75c4ca0f4818202abe1d5098f750f8979ded641341a94e7cd083fd0b SHA512 23a973aefe86a0958653ecf544337f3a649ed80d90e859644397e37e83053b52db8f3e4a6473222e2582beeb18533b4727f4985b53c7f627aa4e16b25e7de31f WHIRLPOOL a2b2d532c334308c752302087b281654c8576a243ab60fe49bee03e813407d8d5d7ac8e834a8f86312dc41d5fd1b396873c75502849f436c02d87e5da9c3c044
diff --git a/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch b/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch
new file mode 100644
index 00000000..04eeb21a
--- /dev/null
+++ b/sys-auth/yubipam/files/yubipam-1.1_beta1-concat-twofactor.patch
@@ -0,0 +1,96 @@
+Add concatenated two-factor authentication to YubiPAM. This allows a
+work-around for arguably broken PAM clients that only look for one password
+field.
+
+Regular two-factor authentication is achieved by adding the 'two_factor'
+parameter to the PAM module in the appropriate /etc/pam.d file. The "passcode"
+is then set for each user when enrolling by specifying -c to ykpasswd.
+
+i.e.
+ somewhere in pam.d:
+
+ auth sufficient pam_yubikey.so two_factor
+
+ then:
+ # ykpasswd -a -c -f ffeeddccbbaa -k afaa...
+
+ The -c tells ykpasswd to ask for a passcode.
+
+When logging in, the system will now ask for the OTP, followed by the
+"passcode".
+
+This patch extends the two-factor authentication to provide the concatenated
+two-factor feature. Where your PAM configuration specifies 'two_factor', change
+this to 'concat_two_factor'. Now, YubiPAM instead now asks for
+'Password+YubiKey OTP'. You enter them in this order separated by a single
+space. This method is compatible with single-password PAM clients such as KDM.
+
+--- YubiPAM-1.1-beta1/src/pam_yubikey.c.orig 2011-02-17 06:29:36.463262097 +1000
++++ YubiPAM-1.1-beta1/src/pam_yubikey.c 2011-02-17 07:29:55.017380877 +1000
+@@ -26,6 +26,7 @@
+ * the Linux-PAM project, specfically unik_chkpwd.c
+ * 2. This addition was intiated by Geoff Hoff
+ *
++* vim: set ts=4 sts=4
+ */
+
+ #ifdef HAVE_CONFIG_H
+@@ -100,6 +101,8 @@
+ verbose_otp = 1;
+ else if (strncmp(argv[i], "two_factor", 10) == 0)
+ two_factor = 1;
++ else if (strncmp(argv[i], "concat_two_factor", 17) == 0)
++ two_factor = 2;
+ }
+ D (("verbose=%d", verbose_otp));
+
+@@ -113,18 +116,40 @@
+
+ D (("get user returned: %s", user));
+
+- /* prompt for the Yubikey OTP (always) */
+- {
++ if (two_factor == 2) {
++ /* Prompt for the user's password and OTP together */
++ passcode = get_response(pamh, "Passcode+Yubikey OTP", user, 0);
++ /* Find last space, beyond is our OTP */
++ otp = rindex(passcode, ' ');
++ if (otp)
++ /* otp is one character before OTP */
++ strncpy(otp_passcode, &otp[1], 128);
++ else
++ /* Fail right here */
++ return PAM_AUTH_ERR;
++
++ /* Append the | character and passcode+OTP */
++ strncat(otp_passcode,"|",128);
++ strncat(otp_passcode,passcode,128);
++
++ /* Find the last space again and make it a null */
++ passcode = rindex(otp_passcode,' ');
++ if (passcode)
++ *passcode = 0;
++ else
++ return PAM_AUTH_ERR;
++ } else {
++ /* prompt for the Yubikey OTP (always) */
+ otp = get_response(pamh, "Yubikey OTP", user, verbose_otp);
+- }
+
+- /* prompt for the second factor passcode as required */
+- if ( two_factor)
+- {
+- passcode = get_response(pamh, "Yubikey Passcode", user, 0);
+- }
++ /* prompt for the second factor passcode as required */
++ if (two_factor)
++ {
++ passcode = get_response(pamh, "Yubikey Passcode", user, 0);
++ }
+
+- snprintf(otp_passcode, 128, "%s|%s", otp ? otp:"", passcode ? passcode:"");
++ snprintf(otp_passcode, 128, "%s|%s", otp ? otp:"", passcode ? passcode:"");
++ }
+
+ D (("pass: %s (%d)", otp_passcode, strlen(otp_passcode)));
+
diff --git a/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch b/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch
new file mode 100644
index 00000000..c41bf813
--- /dev/null
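Review bot: The new `two_factor == 2` branch dereferences `passcode` without a NULL check in `rindex(passcode, ' ')`, even though the existing else branch treats the result of `get_response` as possibly NULL (`passcode ? passcode : ""`), and the copy into the 128-byte `otp_passcode` is not bounded: `strncpy(..., 128)` leaves the buffer unterminated when the part after the last space is 128 bytes or longer, and the third argument of `strncat` is the number of bytes to append rather than the buffer size, so appending `"|"` and then the whole `passcode` can write past the end of `otp_passcode`. Since this string arrives through the PAM conversation before any credential has been checked, an over-long response can crash or corrupt the calling PAM process. I would replace the strncpy/strncat/rindex sequence with a single bounded `snprintf` that builds the `otp|passcode` form directly, as below, and use `strrchr` instead of the legacy `rindex`; whether an over-long credential should be rejected (as the excerpt does) or silently truncated, as the else branch's `snprintf` does, is a policy choice to settle in the comment. Note the original also leaves `passcode` pointing into `otp_passcode` after the second `rindex`; what the rest of the function, which starts and ends outside this hunk, does with `passcode` and `otp` afterwards should be checked.
```c
	if (two_factor == 2) {
		/* Prompt for the user's password and OTP together */
		passcode = get_response(pamh, "Passcode+Yubikey OTP", user, 0);
		if (!passcode)
			return PAM_AUTH_ERR;
		/* Find last space, beyond is our OTP */
		otp = strrchr(passcode, ' ');
		if (!otp)
			/* Fail right here */
			return PAM_AUTH_ERR;
		/* Build "otp|passcode" in one bounded write; reject rather than
		 * overflow or truncate when it does not fit in the 128-byte buffer */
		if (snprintf(otp_passcode, 128, "%s|%.*s",
			     otp + 1, (int)(otp - passcode), passcode) >= 128)
			return PAM_AUTH_ERR;
	} else {
		/* … unchanged: single-prompt and two_factor == 1 paths … */
```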
+++ b/sys-auth/yubipam/files/yubipam-1.1_beta1-resource.h.patch
@@ -0,0 +1,20 @@
+--- src/pam_yubikey.c.dist
++++ src/pam_yubikey.c
+@@ -38,6 +38,7 @@
+ #include <stdlib.h>
+ #include <stdarg.h>
+ #include <string.h>
++#include <sys/resource.h>
+
+ #include "libyubipam.h"
+
+--- src/utils/ykvalidate.c.dist
++++ src/utils/ykvalidate.c
+@@ -32,6 +32,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <termios.h>
++#include <sys/resource.h>
+
+ #include "ykvalidate.h"
+ #include "libyubipam.h"
diff --git a/sys-auth/yubipam/yubipam-1.1_beta1.ebuild b/sys-auth/yubipam/yubipam-1.1_beta1.ebuild
new file mode 100644
index 00000000..44b6b1e2
--- /dev/null
+++ b/sys-auth/yubipam/yubipam-1.1_beta1.ebuild
@@ -0,0 +1,65 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+MY_PV="${PV/_/-}"
+
+inherit eutils multilib user
+
+DESCRIPTION="YubiPAM: PAM module for Yubikeys"
+HOMEPAGE="http://www.securixlive.com/yubipam/"
+SRC_URI="http://www.securixlive.com/download/yubipam/YubiPAM-${MY_PV}.tar.gz"
+RESTRICT="nomirror"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~mips ~x86"
+IUSE=""
+
+DEPEND="sys-libs/pam"
+RDEPEND="${DEPEND}"
+
+DOCS=( README INSTALL RELEASE.NOTES )
+S="${WORKDIR}/YubiPAM-${MY_PV}"
+
+pkg_setup() {
+ enewgroup yubiauth
+}
+
+src_prepare() {
+ cd "${S}"
+
+ epatch "${FILESDIR}/${P}-concat-twofactor.patch" || die "epatch failed"
+ epatch "${FILESDIR}/${P}-resource.h.patch" || die "epatch failed"
+}
+
+src_install() {
+ emake install DESTDIR="${ED}" PAMDIR="$(get_libdir)/security"
+ find "${ED}" -type f -name \*.a -delete
+ find "${ED}" -type f -name \*.la -delete
+
+ #diropts -m0660 -g yubiauth
+ #dodir /etc/yubikey || die "creation of state directory failed"
+ touch "${T}"/yubikey
+ insinto /etc
+ doins "${T}"/yubikey
+
+ fowners :yubiauth /etc/yubikey /sbin/yk_chkpwd
+ fperms g+rw /etc/yubikey
+ fperms g+s /sbin/yk_chkpwd
+
+ dodoc "${DOCS[@]}"
+}
+
+pkg_postinst() {
+ einfo "To enable YubiPAM for system authentication"
+ einfo "edit your /etc/pam.d/system-auth to include:"
+ einfo
+ einfo " auth sufficient pam_yubikey.so"
+ einfo
+ einfo "... just before pam_unix.so"
+ echo
+ einfo "See included README for module parameters"
+}
diff --git a/sys-auth/yubipam/yubipam-9999.ebuild b/sys-auth/yubipam/yubipam-9999.ebuild
new file mode 100644
index 00000000..dad0ecbf
--- /dev/null
+++ b/sys-auth/yubipam/yubipam-9999.ebuild
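Review bot: `src_install` installs `/etc/yubikey` with the default `doins` mode (0644) and then only adjusts the group bits via `fowners :yubiauth` and `fperms g+rw`, so the file stays world-readable; the commented-out `#diropts -m0660 -g yubiauth` and the setgid `yk_chkpwd` helper indicate the intent was that only the `yubiauth` group can read it. If `/etc/yubikey` is the enrollment database that `ykpasswd` fills with per-user keys and passcodes (as the patch description in this commit suggests), every local account could read that material. I would add `insopts -m0660 -g yubiauth` before `doins "${T}"/yubikey`, which also makes the `fowners`/`fperms` lines for `/etc/yubikey` redundant; yubipam-9999.ebuild has the same problem with `insopts -m0664 -g yubiauth`. As a minor point, `epatch` already dies on failure, so the `|| die "epatch failed"` suffixes in `src_prepare` are dead code.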
@@ -0,0 +1,72 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=5
+
+AUTOTOOLS_AUTORECONF=1
+AUTOTOOLS_IN_SOURCE_BUILD=1
+AUTOTOOLS_PRUNE_LIBTOOL_FILES="none"
+
+inherit autotools-utils eutils git-r3 multilib user
+
+DESCRIPTION="YubiPAM: PAM module for Yubikeys"
+HOMEPAGE="http://www.securixlive.com/yubipam/"
+EGIT_REPO_URI="git://github.com/firnsy/yubipam.git"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~mips ~x86"
+IUSE=""
+
+DEPEND="sys-libs/pam"
+RDEPEND="${DEPEND}"
+
+AUTHDB="/var/lib/${PN}/auth"
+DOCS=( README ChangeLog )
+
+pkg_setup() {
+ enewgroup yubiauth
+}
+
+src_prepare() {
+ find . -name "Makefile.am" -exec sed -ie '/rm .*\.l\?a/d' {} \;
+
+ autotools-utils_src_prepare
+ default_src_prepare
+}
+
+src_configure() {
+ econf \
+ --with-authdb="${AUTHDB}"
+ # The following option is documented (although sometimes as --with-pam-lib)
+ # but doesn't work correctly - the value specified is appended to '/lib' :(
+ # --with-pam-dir="$(get_libdir)"/security
+}
+
+src_install() {
+ emake install DESTDIR="${ED}" PAMDIR="$(get_libdir)/security"
+
+ find "${ED}" -type f -name \*.a -delete
+ find "${ED}" -type f -name \*.la -delete
+
+ touch "${T}"/"$( basename "${AUTHDB}" )"
+ insopts -m0664 -g yubiauth
+ insinto "$( dirname "${AUTHDB}" )"
+ doins "${T}"/"$( basename "${AUTHDB}" )"
+
+ fowners :yubiauth /usr/sbin/yk_chkpwd
+ fperms g+s /usr/sbin/yk_chkpwd
+
+ dodoc "${DOCS[@]}"
+}
+
+pkg_postinst() {
+ einfo "To enable YubiPAM for system authentication"
+ einfo "edit your /etc/pam.d/system-auth to include:"
+ einfo
+ einfo " auth sufficient pam_yubikey.so"
+ einfo
+ einfo "... just before pam_unix.so"
+ echo
+ einfo "See included README for module parameters"
+} |
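Review bot: `sed -ie '/rm .*\.l\?a/d'` in `src_prepare` is parsed by GNU sed as `-i` with backup suffix `e`, not as `-i -e`, so every `Makefile.am` leaves a stray `Makefile.ame` copy in the tree; the intended form is `sed -i -e '/rm .*\.l\?a/d'`. `EGIT_REPO_URI` pulls the live sources of an authentication module over the unauthenticated `git://` transport, which offers no integrity or server authentication; the same repository over `https://` would at least authenticate the server and is the safer default for a `-9999` ebuild. The auth database is installed with `insopts -m0664 -g yubiauth`, which keeps it world-readable even though the setgid `yk_chkpwd` helper exists precisely so that only the `yubiauth` group needs access; `-m0660` matches that design.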