Local Authentication Using Challenge Response with Yubikey for CentOS 7

Connect the Yubikey, then initialize YubiKey slot 2:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible

...

Commit? (y/n) [n]: y

Create the /var/yubico directory for the challenge file:

sudo mkdir /var/yubico

sudo chown root.root /var/yubico

sudo chmod 700 /var/yubico

ykpamcfg -2 -v

...

Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.

sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456

sudo chown root.root /var/yubico/xiaoxiaoleo-123456

sudo chmod 600 /var/yubico/xiaoxiaoleo-123456

Tip: xiaoxiaoleo is the login user name and 123456 is the YubiKey serial number; pam_yubico looks up the file chalresp_path/<user>-<serial> for the key that is plugged in.
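The move, chown and chmod steps above, scripted for any user and key serial and followed by a check of the resulting permissions, as an added example rather than the original post's commands. It assumes GNU coreutils (stat -c, as on CentOS 7); the owner argument defaults to root as in the post and exists only so the check can be exercised without privileges.

```shell
#!/bin/sh
# Constructed example, not from the original post. Installs a challenge file
# produced by "ykpamcfg -2 -v" into the chalresp_path directory and verifies
# that the layout matches what pam_yubico expects.

# serial_from_name challenge-123456 -> 123456
serial_from_name() {
    case $1 in
        challenge-*) printf '%s\n' "${1#challenge-}" ;;
        *) return 1 ;;
    esac
}

# install_chalresp USER SRC_FILE DEST_DIR [OWNER]
# Moves SRC_FILE (~/.yubico/challenge-<serial>) to DEST_DIR/USER-<serial>,
# creating DEST_DIR as mode 700 if needed; file ends up OWNER-owned, mode 600.
install_chalresp() {
    user=$1; src=$2; dest=$3; owner=${4:-root}
    serial=$(serial_from_name "$(basename "$src")") || return 1
    target="$dest/$user-$serial"
    [ -d "$dest" ] || {
        mkdir -p "$dest" && chown "$owner" "$dest" && chmod 700 "$dest"
    } || return 1
    mv "$src" "$target" || return 1
    chown "$owner" "$target" && chmod 600 "$target"
}

# check_chalresp_layout USER DEST_DIR [OWNER] -> 0 when DEST_DIR is mode 700,
# exactly one USER-<serial> file exists and it is mode 600, all owned by OWNER.
check_chalresp_layout() {
    user=$1; dest=$2; owner=${3:-root}
    [ "$(stat -c '%a %U' "$dest")" = "700 $owner" ] || return 1
    n=0
    for f in "$dest/$user"-*; do
        [ -e "$f" ] || break            # glob did not match anything
        n=$((n + 1))
        [ "$(stat -c '%a %U' "$f")" = "600 $owner" ] || return 1
    done
    [ "$n" -eq 1 ]
}
```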

Add the PAM configuration line before the first line of /etc/pam.d/login:

auth   required        pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

Add the debug argument for debug information (remove it again once troubleshooting is finished):

auth   required        pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico

Create the pam_yubico debug log file:

touch /var/run/pam-debug.log

chmod go+w /var/run/pam-debug.log

SELinux error:

[pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345 (No such file or directory)

Error communicating with Yubikey, please check syslog or contact your system administrator

[pam_yubico.c:display_error(425)] conv returned: '(null)'

[pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory

Create an SELinux policy module from the denials in the audit log:

grep avc /var/log/audit/audit.log | audit2allow -M yubikey

yubikey.te:

module yubikey 1.0;

require {
    type var_t;
    type local_login_t;
    class file { getattr open read ioctl lock };
}

# r_file_perms written out in full: checkmodule does not expand m4 macros
allow local_login_t var_t:file { getattr open read ioctl lock };

Compile and install the SELinux policy (note that this rule lets local_login_t read any file labelled var_t, not only those under /var/yubico):

checkmodule -M -m -o yubikey.mod yubikey.te

semodule_package -o yubikey.pp -m yubikey.mod

semodule -i yubikey.pp
