Modify Yubikey client systems
Once you have verified your import, it's time to deprecate the old “authfile” option on all of your client workstations and servers and point them at an LDAP lookup instead of a text file.
Chances are, your client systems are configured in PAM to use the following line.
I use the below in my /etc/pam.d/system-auth file.
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
All you need to do in order to point your systems to LDAP is change the above line to look like the below.
Don’t forget to change “ldaps://ds01.example.com” to the FQDN of your own FreeIPA server.
auth required pam_yubico.so id=1 ldap_uri=ldaps://ds01.example.com ldapdn=cn=users,cn=accounts,dc=example,dc=com user_attr=uid yubi_attr=yubiKeyId
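Before swapping this line on every client, it is worth confirming that each user's yubiKeyId attribute really holds the public ID of the key they carry; otherwise the switch locks them out. The following is an added example (not from the original post and not pam_yubico's own code) that models the lookup the LDAP line performs: it parses the module options from the pam.d line above and checks an OTP's public ID against the user's entry in a constructed in-memory stand-in for the FreeIPA users container. Against a live server the same data comes from an ldapsearch over ldaps://.

```python
import shlex

MODHEX = set("cbdefghijklnrtuv")   # Yubico modhex alphabet
PUBLIC_ID_LEN = 12                 # pam_yubico default token_id_length

# The line from the post; ldapdn/user_attr/yubi_attr drive the lookup below.
PAM_LINE = ("auth required pam_yubico.so id=1 ldap_uri=ldaps://ds01.example.com "
            "ldapdn=cn=users,cn=accounts,dc=example,dc=com user_attr=uid "
            "yubi_attr=yubiKeyId")

# Constructed in-memory stand-in for the FreeIPA users container (DN -> attrs).
DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": ["alice"],
        "yubiKeyId": ["ccccccbchvth", "cccccclhkgnh"],  # two enrolled keys
    },
    "uid=bob,cn=users,cn=accounts,dc=example,dc=com": {
        "uid": ["bob"],
        "yubiKeyId": ["cccccccccccc"],
    },
}

def parse_pam_line(line):
    """Return pam_yubico's key=value module options from a pam.d auth line."""
    opts = {}
    for field in shlex.split(line)[3:]:        # skip type, control, module
        key, sep, value = field.partition("=")
        opts[key] = value if sep else True     # bare flags such as 'debug'
    return opts

def public_id(otp):
    """First 12 modhex chars of a 44-char OTP, or None if the OTP is malformed."""
    if len(otp) != PUBLIC_ID_LEN + 32 or not set(otp) <= MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]

def token_matches_user(user, otp, opts, directory=DIRECTORY):
    """Mirror the LDAP check: is otp's public ID one of user's yubi_attr values?"""
    pid = public_id(otp)
    if pid is None:
        return False
    dn = f"{opts['user_attr']}={user},{opts['ldapdn']}"
    entry = directory.get(dn)
    if entry is None:                          # no such user under ldapdn
        return False
    return pid in entry.get(opts["yubi_attr"], [])
```

A mismatch here for a real user means the import or the yubiKeyId value needs fixing before the authfile line is removed.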
That’s it for the integration process. All in all, it shouldn’t take longer than 15-20 minutes to get up and running. Below are a few screenshots of Fedora 18 using FreeIPA logins with Yubikey authentication as well. Enjoy!
Fedora 18 User Login
Fedora 18 – Yubikey OTP
Fedora 18 – FreeIPA Password