rlm_yubico

FreeRADIUS module for using YubiKeys for authentication.

Introduction

This is a rlm_perl based module for FreeRadius that allows adding authentication by YubiKey OTP (One Time Password). It works in addition to existing authentication methods, such as username and password. A YubiKey OTP can be passed by appending it either to the username or the password. When possible, rlm_yubico will use an Access-Challenge response to query the user for an OTP if one is required but not provided.

Installation

  • Run make install

  • Edit /etc/freeradius/modules/perl:

    • Set module = /usr/share/rlm_yubico/rlm_yubico.pl

  • Edit /etc/freeradius/sites-available/default:

    • Add "perl" (without quotes) to a line by itself in the "authorize" section. It needs to occur early on, at least before "files".

    • Add "perl" to a line by itself in the "post-auth" section.

  • Edit /etc/freeradius/dictionary:

    • Add the following line: $INCLUDE /usr/share/rlm_yubico/dictionary

Configuration

Place configuration in /etc/yubico/rlm/ykrlm-config.cfg Place username → YubiKey mappings in /etc/yubico/rlm/ykmapping

See the included ykrlm-config.cfg file for a description of available settings.

Any changes to configuration will require a full restart of freeradius to take effect. Even though freeradius supports reloading configuration without restarting (by sending a HUP signal), rlm_perl, which is used by rlm_yubico, does not.

NOTE: When running freeRADIUS (< 2.1.12) on a Debian based system, you need to preload Perl libraries for rlm_yubico to work. This can be done by running freeRADIUS using the following command (change the version to match your Perl installation):

LD_PRELOAD=/usr/lib/libperl.so.5.10 freeradius

Dependencies

rlm_yubico requires the following Perl modules: AnyEvent::Yubico Crypt::CBC Digest:: Error:: Crypt::Blowfish

FreeRADIUS is also required.