SYNOPSIS
pam_u2f [...]
DESCRIPTION
The module provides U2F authentication against Yubikeys and other compliant authenticators.
OPTIONS
debug
- Turns on debugging to STDOUT.
origin=origin
- Set the origin for the U2F authentication procedure. If no value is specified, the origin "pam://$HOSTNAME" is used.
appid=appid
- Set the application ID for the U2F authentication procedure. If no value is specified, the value used for origin is taken ("pam://$HOSTNAME" if origin is not specified either).
authfile=file
- Set the location of the file that holds the mappings of user names to keyHandles and user keys. The format is username:keyHandle1,public_key1:keyHandle2,public_key2:... The default location of the file is $XDG_CONFIG_HOME/Yubico/u2f_keys. If the environment variable is not set, $HOME/.config/Yubico/u2f_keys is used.
nouserok
- Set to enable authentication attempts to succeed even if the user trying to authenticate is not found inside authfile.
alwaysok
- Set to enable all authentication attempts to succeed (aka presentation mode).
max_devices=n_devices
- Maximum number of devices allowed per user (default is 24). Devices specified in the authentication file that exceed this value will be ignored.
interactive
- Set to prompt a message and wait before testing the presence of a U2F device. Recommended if your device doesn't have a tactile trigger.
manual
- Set to drop to a manual console where challenges are printed on screen and responses are read from standard input. Useful for debugging and for SSH sessions without U2F support from the SSH client/server. If enabled, interactive mode becomes redundant and has no effect.
cue
- Set to prompt a message reminding the user to touch the device.
EXAMPLES
auth sufficient pam_u2f.so debug origin=pam://$HOSTNAME appid=pam://$HOSTNAME
auth required pam_u2f.so origin=http://example.com appid=http://example.com authfile=/etc/yubikey_mappings
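
The following is an added example, not part of pam-u2f: a small auditor for an authfile in the format given under authfile, applying the max_devices limit and listing accounts that nouserok would let through. It assumes the first max_devices entries on a line are the ones kept and treats a repeated user name as a finding; the function names and sample values are constructed for illustration.

```python
DEFAULT_MAX_DEVICES = 24  # default stated under max_devices

def parse_authfile(text, max_devices=DEFAULT_MAX_DEVICES):
    """Parse 'username:keyHandle1,public_key1:keyHandle2,public_key2:...' lines.

    Returns (mappings, findings): mappings is {user: [(keyHandle, public_key)]},
    findings is a list of (line_number, message) for entries needing review.
    """
    mappings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        user, sep, rest = line.partition(":")
        if not user or not sep or not rest:
            findings.append((lineno, "no username:device mapping"))
            continue
        if user in mappings:  # assumption: a repeated user is worth flagging
            findings.append((lineno, f"{user}: duplicate entry"))
            continue
        devices = []
        for field in rest.split(":"):
            parts = field.split(",")
            if len(parts) != 2 or not all(parts):
                findings.append((lineno, f"{user}: malformed device field"))
                continue
            devices.append((parts[0], parts[1]))
        if len(devices) > max_devices:
            extra = len(devices) - max_devices
            findings.append((lineno, f"{user}: {extra} device(s) over max_devices"))
            devices = devices[:max_devices]  # assumption: the first entries are kept
        mappings[user] = devices
    return mappings, findings

def absent_users(accounts, mappings):
    """Accounts not found in the authfile; with nouserok these still authenticate."""
    return sorted(a for a in accounts if a not in mappings)

# Constructed sample: placeholder strings stand in for key handles and keys.
SAMPLE_AUTHFILE = "alice:KH1,PK1:KH2,PK2\nbob:KH3\n\ncarol:KH4,PK4:KH5,PK5:KH6,PK6\n"

if __name__ == "__main__":
    users, issues = parse_authfile(SAMPLE_AUTHFILE, max_devices=2)
    for lineno, message in issues:
        print(f"line {lineno}: {message}")
    print("not enrolled:", absent_users(["alice", "dave", "root"], users))
```
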
BUGS
Report pam-u2f bugs in the issue tracker: https://github.com/Yubico/pam-u2f/issues