@@ -31,10 +31,10 @@ Set the relying party ID for the FIDO authentication procedure. If no
value is specified, the identifier "pam://$HOSTNAME" is used.

*appid*=_appid_::
- Set the application ID for the U2F authentication
+ Set the application ID for the FIDO authentication
procedure. If no value is specified, the same value used for origin is
taken ("pam://$HOSTNAME" if also origin is not specified). This setting
- is only applicable for U2F credentials created with pamu2fcfg versions
+ is only applicable for FIDO credentials created with pamu2fcfg versions
v1.0.8 or earlier. Note that on v1.1.0 and v1.1.1 of pam-u2f, handling
of this setting was temporarily broken if the value was not the same as
the value of origin.
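Review bot: the second changed line of this hunk ("is only applicable for FIDO credentials created with pamu2fcfg versions v1.0.8 or earlier") loses precision with the rename: *appid* is the U2F application ID, the setting is documented as applying only to credentials from those older pamu2fcfg versions, and the paragraph itself ties it to the relying party ID set by *origin*. Keeping the protocol name where it carries meaning, e.g. `is only applicable for FIDO U2F credentials created with pamu2fcfg versions`, tells the reader why the option does not apply to newer credentials; the first changed line ("application ID for the FIDO authentication procedure") reads fine as is.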
@@ -54,13 +54,14 @@ local user name (`PAM_USER`) and `%%` is expanded to `%`. Unknown expansion
sequences result in an authentication error. See also `openasuser`.

*authpending_file*=_file_::
- Set the location of the file that is used for touch request
- notifications. This file will be opened when pam-u2f starts waiting
- for a user to touch the device, and will be closed when it no longer
- waits for a touch. Use inotify to listen on these events, or a more
- high-level tool like yubikey-touch-detector. Default value:
- /var/run/user/$UID/pam-u2f-authpending. Set an empty value in order to
- disable this functionality, like so: "authpending_file=".
+ Set the location of the file that is used for touch request notifications. This
+ file will be opened when pam-u2f starts waiting for a user to touch the FIDO
+ authenticator, and will be closed when it no longer waits for a touch. Use
+ inotify to listen on these events, or a more high-level tool like
+ yubikey-touch-detector.
+ Default value: /var/run/user/$UID/pam-u2f-authpending.
+ Set an empty value in order to disable this functionality, like so:
+ "authpending_file=".

*nouserok*::
Set to enable authentication attempts to succeed even if the user
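Review bot: the rewrapped `+` lines run to about 80 columns ("Set the location of the file that is used for touch request notifications. This") while the removed lines and the surrounding paragraphs wrap near 72, so the option text now mixes two widths; rewrap to the file's existing width. Moving "Default value: ..." and "Set an empty value ..." onto their own source lines is harmless for the rendered page because they remain in the same paragraph, but it is a formatting change unrelated to the U2F-to-FIDO wording fix and would be easier to review as a separate commit.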
@@ -80,13 +81,13 @@ Set to enable all authentication attempts to succeed (aka presentation
mode).

*max_devices*=_n_devices_::
- Maximum number of devices (credentials) allowed per user (default is 24).
- Devices specified in the authorization mapping file that exceed this value
- will be ignored.
+ Maximum number of FIDO authenticators allowed per user (default is 24).
+ FIDO authenticators specified in the authorization mapping file that exceed
+ this value will be ignored.

*interactive*::
- Set to prompt a message and wait before testing the presence of a U2F
- device . Recommended if your device doesn't have tactile trigger.
+ Set to prompt a message and wait before testing the presence of a FIDO
+ authenticator . Recommended if your authenticator doesn't have tactile trigger.

*[prompt=your prompt here]*::
Set individual prompt message for interactive mode. Watch the square
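Review bot: the *max_devices* rewrite drops the "(credentials)" gloss that the removed line carried, yet the option still counts entries in the authorization mapping file, which the old text identified as credentials rather than physical authenticators; suggest `Maximum number of credentials (FIDO authenticators) allowed per user` and `Credentials specified in the authorization mapping file that exceed` so the limit keeps its exact meaning. In the *interactive* lines, the stray space before the period ("authenticator .") is carried over from the old "device ." and "doesn't have tactile trigger" is missing an article ("a tactile trigger"); both are worth fixing while these lines are being touched.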
*manual*::
Set to drop to a manual console where challenges are printed on screen
and response read from standard input. Useful for debugging and SSH
- sessions without U2F- support from the SSH client/server. If enabled,
+ sessions without FIDO support from the SSH client/server. If enabled,
interactive mode becomes redundant and has no effect.

*cue*::
- Set to prompt a message to remind to touch the device .
+ Set to prompt a message to remind to touch the FIDO authenticator .

*[cue_prompt=your prompt here]*::
Set individual prompt message for the cue option. Watch the square
brackets around this parameter to get spaces correctly recognized by
PAM.

*nodetect*::
- Skip detecting if a suitable key is inserted before performing a full
- authentication. See *NOTES* below.
+ Skip detecting if a suitable FIDO authenticator is inserted before performing a
+ full authentication. See *NOTES* below.

*userpresence*=_int_::
If 1, require user presence during authentication. If 0, do not
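Review bot: the *cue* line keeps the stray space before the full stop ("touch the FIDO authenticator ."), inherited from the old "the device ."; drop it while rewording, as `Set to prompt a message to remind to touch the FIDO authenticator.` The *manual* change also silently removes the dangling hyphen in "U2F- support", which is a good fix but deserves a mention in the commit message so it is not mistaken for an accidental edit; the *nodetect* lines read correctly.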
@@ -130,7 +131,7 @@ support for a FIDO2 PIN is required.

*sshformat*::
Use credentials produced by versions of OpenSSH that have support for
- FIDO devices . It is not possible to mix native credentials and SSH
+ FIDO authenticator . It is not possible to mix native credentials and SSH
credentials. Once this option is enabled all credentials will be parsed
as SSH.

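Review bot: the `+` line turns the plural into a singular, so the sentence now reads "versions of OpenSSH that have support for FIDO authenticator . It is not possible", which is ungrammatical and still carries the stray space before the period from "FIDO devices ."; use `FIDO authenticators. It is not possible to mix native credentials and SSH` and rewrap the following line if that pushes it past the file's width.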
@@ -210,8 +211,8 @@ determine that pam_u2f is part of the authentication stack by
inserting any random U2F token and performing an authentication
attempt. In this scenario, the attacker would see the cue message
followed by an immediate failure, whereas with detection enabled, the
- U2F authentication will fail silently. Understand that an attacker
- could choose a U2F token that alerts him or her in some way to the
+ authentication will fail silently. Understand that an attacker
+ could choose an authenticator that alerts him or her in some way to the
"check-only" authentication attempt, so this precaution only pushes
the issue back a step.

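Review bot: the first context line of this hunk still says "inserting any random U2F token" while the rewritten lines directly below now say "an authenticator", leaving the paragraph inconsistent; since this NOTES paragraph is the security rationale for *nodetect* (it explains how an attacker can probe whether pam_u2f is in the stack), update that line in the same commit, e.g. `inserting any random FIDO authenticator and performing an authentication`, so the terminology matches throughout. Dropping "U2F" from "U2F authentication will fail silently" is fine.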