Package Details: yubico-pam-git 2.19.r12.g11326d0-1

Git Clone URL: (read-only)
Package Base: yubico-pam-git
Description: Yubico YubiKey PAM module - git checkout
Upstream URL:
Licenses: BSD
Conflicts: pam_yubico, yubico-pam
Provides: pam_yubico, yubico-pam
Submitter: Gohu
Maintainer: eworm
Last Packager: eworm
Votes: 13
Popularity: 0.026530
First Submitted: 2011-04-24 19:09
Last Updated: 2015-08-13 05:31

Latest Comments

slester commented on 2015-08-13 02:29

Please add asciidoc to dependencies.

belette commented on 2015-06-01 13:17

Many thanks eworm.
I tried again to launch the script with a tcpdump running but nothing is seen, I suspect that once the test is done even if I makepkg -s -f it will not happen again..

little question regarding pam with ssh, the documentation asks to put :
auth sufficient id=16 authfile=/etc/authkeyfile
into /etc/pam.d/sshd

I realized that in case of hitting enter when Yubikey is waiting for OTP then PAM is asking me for a password.
In case I would like to force OTP I comment some rule and did :
auth sufficient id=16 authfile=/etc/authkeyfile
#auth required #disable remote root
#auth include system-remote-login
#account include system-remote-login
#password include system-remote-login
session include system-remote-login

Is it correct in term of implementation / security?
It is working correctly but I just doubt about the best practices..
Many thanks!

eworm commented on 2015-05-31 21:56

make check asks the Yubico authentication server with some default credentials. This happens via http or https.

belette commented on 2015-05-31 21:30

Thanks for your comment.
curl was installed.
I realized that it was my iptables issue.
Is there any special test remotely needed to be done by the script?
Many thanks

eworm commented on 2015-05-31 18:15

Possibly you are missing curl. Can you install that and retry?

belette commented on 2015-05-30 21:02

Even if perl-net-ldap-server is installed and up to date + all others dependencies I am unable to make check install..

I am trying to install yubico-pam using the git version, I installed all dependencies but I am failing on the last stage ..
I tried to use --without-ldap when running ./configure as I don't need it but it keeps failing when make check install
If anyone has an idea I would appreciate a lot :)

This is the test-suite.log

pam_yubico 2.20: tests/test-suite.log

# TOTAL: 3
# PASS: 2
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: pam_test

YKVAL mockup started on 30559 at ./aux/ line 52.
YKVAL mockup started on 17502 at ./aux/ line 52.
[pam_yubico.c:parse_cfg(729)] called.
[pam_yubico.c:parse_cfg(730)] flags 0 argc 4
[pam_yubico.c:parse_cfg(732)] argv[0]=id=1
[pam_yubico.c:parse_cfg(732)] argv[1]=url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(732)] argv[2]=authfile=./aux/authfile
[pam_yubico.c:parse_cfg(732)] argv[3]=debug
[pam_yubico.c:parse_cfg(733)] id=1
[pam_yubico.c:parse_cfg(734)] key=(null)
[pam_yubico.c:parse_cfg(735)] debug=1
[pam_yubico.c:parse_cfg(736)] alwaysok=0
[pam_yubico.c:parse_cfg(737)] verbose_otp=0
[pam_yubico.c:parse_cfg(738)] try_first_pass=0
[pam_yubico.c:parse_cfg(739)] use_first_pass=0
[pam_yubico.c:parse_cfg(740)] authfile=./aux/authfile
[pam_yubico.c:parse_cfg(741)] ldapserver=(null)
[pam_yubico.c:parse_cfg(742)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(743)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(744)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(745)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(746)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(747)] ldapdn=(null)
[pam_yubico.c:parse_cfg(748)] user_attr=(null)
[pam_yubico.c:parse_cfg(749)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(750)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(751)] url=http://localhost:17502/wsapi/2/verify?id=%d&otp=%s
[pam_yubico.c:parse_cfg(752)] urllist=(null)
[pam_yubico.c:parse_cfg(753)] capath=(null)
[pam_yubico.c:parse_cfg(754)] token_id_length=12
[pam_yubico.c:parse_cfg(755)] mode=client
[pam_yubico.c:parse_cfg(756)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(787)] pam_yubico version: 2.20
in pam_get_user()
[pam_yubico.c:pam_sm_authenticate(802)] get user returned: foo
in pam_get_item() 5
in conv_func()
[pam_yubico.c:pam_sm_authenticate(949)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(967)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(974)] OTP: vvincredibletrerdegkkrkkneieultcjdghrejjbckh ID: vvincredible
[pam_yubico.c:pam_sm_authenticate(1004)] ykclient return value (109): Error performing curl
[pam_yubico.c:pam_sm_authenticate(1005)] ykclient url used:
[pam_yubico.c:pam_sm_authenticate(1073)] in pam_strerror()
done. [error]
in pam_set_data() yubico_setcred_return
test 1 failed!
killed 13963 and 13964
FAIL pam_test (exit status: 1)

Many thanks,

2bluesc commented on 2015-05-02 23:50

Having to install a bunch of perl-net-ladap-server options every time I update is very annoying.

One option is to pass '--without-ldap' to the ./configure script. Or we could the tests/aux/ script from pam_tests.c.

Aerion commented on 2015-01-21 11:22

After updating perl-net-ldap-server and installing it's new dependencies the package built correctly.

Many thanks for your quick response!

eworm commented on 2015-01-20 20:55

perl-net-ldap-server was missing dependencies. Please install perl-net-ldap-server 0.43-2 and try again.

Aerion commented on 2015-01-20 20:35

Yes, perl-net-ldap-server is installed.

Sorry, of course, I should have thought to include the log straight away.

The content of the log doesn't mean an awful lot to me, but the most obvious errors are

[pam_yubico.c:authorize_user_token_ldap(271)] ldap_simple_bind_s: Can't contact LDAP server
[pam_yubico.c:pam_sm_authenticate(982)] Internal error while validating user

I don't run an LDAP server.

I've uploaded the full log here

eworm commented on 2015-01-20 17:51

@Aerion: Do you have perl-net-ldap-server installed? Does 'test-suite.log' contain anything useful?

Aerion commented on 2015-01-20 16:06

Unfortunately this update fails to build as it doesn't pass pam_test.

Here's the relevant part of the output:

Making all in tests
make[1]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
make[1]: Nothing to be done for 'all'.
make[1]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
==> Starting check()...
Making check in .
make[1]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam'
make[1]: Nothing to be done for 'check-am'.
make[1]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam'
Making check in tests
make[1]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
make test util_test pam_test
make[2]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
CC test.o
CCLD test

*** Warning: Linking the executable test against the loadable module
*** is not portable!
CC util_test.o
CCLD util_test
CC pam_test.o
pam_test.c: In function ‘conv_func’:
pam_test.c:99:15: warning: assignment discards ‘const’ qualifier from pointer target type
reply->resp = test_get_data(appdata_ptr)->otp;
CCLD pam_test
make[2]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
make check-TESTS
make[2]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
make[3]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
PASS: test
PASS: util_test
FAIL: pam_test
make[4]: Entering directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
make[4]: Nothing to be done for 'all'.
make[4]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
Testsuite summary for pam_yubico 2.18
# TOTAL: 3
# PASS: 2
# SKIP: 0
# XFAIL: 0
# FAIL: 1
# XPASS: 0
# ERROR: 0
See tests/test-suite.log
Please report to
Makefile:706: recipe for target 'test-suite.log' failed
make[3]: *** [test-suite.log] Error 1
make[3]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
Makefile:812: recipe for target 'check-TESTS' failed
make[2]: *** [check-TESTS] Error 2
make[2]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
Makefile:899: recipe for target 'check-am' failed
make[1]: *** [check-am] Error 2
make[1]: Leaving directory '/home/aerion/aur/yubico-pam-git/src/yubico-pam/tests'
Makefile:762: recipe for target 'check-recursive' failed
make: *** [check-recursive] Error 1
==> ERROR: A failure occurred in check().

eworm commented on 2013-09-16 07:21

No, patches are no longer needed. Source compiles from git as is. ;)

hazey commented on 2013-09-15 23:57

Are those patches (below in comments) still required for this? Doesn't look to be included in the pkgbuild so hopefully those patches just aren't needed anymore? Guess will find out! PS thanks eworm for all the yubi git's/etc :)

mutantmonkey commented on 2012-05-05 23:23

Here's an updated src.tar.gz with the necessary changes and the automake patch:

crondog commented on 2012-05-05 06:09

Oh and you need to change the PKGBUILD to be --with-pam-dir=/usr/lib/security

crondog commented on 2012-05-05 06:08

Hey just to let you know i had to build rebuild this today since the pam 1.1.5-3 update from core. You will need to include the following patch since it doesnt like being built by automake 1.12-1. For some reason it wants AM_PROG_AR

diff --git a/ b/
index daf125d..d74a602 100644
--- a/
+++ b/
@@ -26,7 +26,10 @@

AC_INIT([pam_yubico], [2.11], [])
AM_INIT_AUTOMAKE([1.10 foreign -Wall -Werror])
@@ -113,4 +116,4 @@ AC_MSG_NOTICE([Summary of build options:
Library types: Shared=${enable_shared}, Static=${enable_static}
LDAP: ${with_ldap}
Challenge-Response: ${with_cr}
\ No newline at end of file

grossws commented on 2012-01-12 10:11

Fails on build,

mutantmonkey commented on 2011-07-29 22:09

If you're trying to use challenge-response authentication and having problems, you will need to recompile this package with CFLAGS=-DHAVE_LIBYKPERS_1; there's currently a bug in the configure script upstream that is preventing this constant from being set.

mutantmonkey commented on 2011-07-29 21:57

If you're trying to use challenge-response authentication and having problems, you will need to recompile this package with CFLAGS=-DHAVE_YKPERS_1; there's currently a bug in the configure script upstream that is preventing this constant from being set.