fedora-infra / fas

Fedora Account System
https://admin.fedoraproject.org/accounts
GNU General Public License v2.0

Yubikey OTP - FAS API URL for pam_yubico.so module #277

Closed kees-closed closed 3 years ago

kees-closed commented 4 years ago

I've burned my Yubikey with the Fedora tool, now my second slot of my Yubikey can only be used with the FAS infrastructure. My first slot is used for HMAC authentication with Keepassxc.

However, I do want to keep the functionality to use the pam_yubico.so PAM module. This module by default uses the Yubico infrastructure, e.g. https://api5.yubico.com/wsapi/2.0/verify?id= or a more complete example, taken from the man page of pam_yubico.so; https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s

Thus to keep this functionality, and only having 2 slots to use on my Yubikey, where now only one is OTP, I have a few options with FAS.

Using fedora-packager-0.6.0.2-5.fc30.noarch and pam_yubico-2.26-3.fc30.x86_64

smooge commented 4 years ago

On Fri, 11 Oct 2019 at 04:34, AquaL1te notifications@github.com wrote:

> I've burned my Yubikey with the Fedora tool https://fedoraproject.org/wiki/Infrastructure/Yubikey#How_do_I_burn_my_yubikey.3F, now my second slot of my Yubikey can only be used with the FAS infrastructure. My first slot is used for HMAC authentication with Keepassxc.
>
> However, I do want to keep the functionality to use the pam_yubico.so PAM module. This module by default uses the Yubico infrastructure, e.g. https://api5.yubico.com/wsapi/2.0/verify?id= or a more complete example, taken from the man page of pam_yubico.so; https://api.example.com/wsapi/2.0/verify?id=%d&otp=%s
>
> Thus to keep this functionality, and only having 2 slots to use on my Yubikey, where now only one is OTP, I have a few options with FAS.
>
>   • Either access to my own private properties of my OTP, so that I can upload https://upload.yubico.com/ it to Yubico and use the Yubico infrastructure to authenticate. Currently these properties reside in the FAS infrastructure and are not public to me as a regular user. Therefore, I can't upload my Fedora OTP to Yubico.
>   • Or, is there an API in the FAS infrastructure that I can use and define it in the PAM module with url=? Then I don't need the Yubico infrastructure and can substitute it for the FAS infrastructure.

Currently FAS Yubikey is only meant for Fedora Infrastructure System Administrators to sudo. It is not meant for general purpose and thus can't do the above.

> Using fedora-packager-0.6.0.2-5.fc30.noarch and pam_yubico-2.26-3.fc30.x86_64


-- Stephen J Smoogen.

ryanlerch commented 3 years ago

Closing this issue as the FAS project is now archived, not actively developed, and unmaintained.

FAS was replaced in March 2021 by Fedora Accounts (https://accounts.fedoraproject.org).

If this issue is a Feature Request that you foresee might be beneficial to Fedora Accounts, please refile it against Noggin.