FreeRADIUS module for using YubiKeys for authentication.
This is a rlm_perl based module for FreeRadius that allows adding authentication by YubiKey OTP (One Time Password). It works in addition to existing authentication methods, such as username and password. A YubiKey OTP can be passed by appending it either to the username or the password. When possible, rlm_yubico will use an Access-Challenge response to query the user for an OTP if one is required but not provided.
Run make install
Set module = /usr/share/rlm_yubico/rlm_yubico.pl
Add "perl" (without quotes) to a line by itself in the "authorize" section. It needs to occur early on, at least before "files".
Add "perl" to a line by itself in the "post-auth" section.
Add the following line: $INCLUDE /usr/share/rlm_yubico/dictionary
Place configuration in /etc/yubico/rlm/ykrlm-config.cfg Place username → YubiKey mappings in /etc/yubico/rlm/ykmapping
See the included ykrlm-config.cfg file for a description of available settings.
Any changes to configuration will require a full restart of freeradius to take effect. Even though freeradius supports reloading configuration without restarting (by sending a HUP signal), rlm_perl, which is used by rlm_yubico, does not.
NOTE: When running freeRADIUS (< 2.1.12) on a Debian based system, you need to preload Perl libraries for rlm_yubico to work. This can be done by running freeRADIUS using the following command (change the version to match your Perl installation):
rlm_yubico requires the following Perl modules: AnyEvent::Yubico Crypt::CBC Digest:: Error:: Crypt::Blowfish
FreeRADIUS is also required.