yubikey client dependency in FR 3.0

Arran Cudbard-Bell a.cudbardb at freeradius.org
Wed Jul 17 23:30:08 CEST 2013

On 17 Jul 2013, at 21:43, John Dennis <jdennis at redhat.com> wrote:

> Hi Arran:
> I figured you would know this because your name seems to be all over the
> ykclient git repo :-)

Yes :).

> I noticed when trying to build FR 3.0 that some of the yubikey modules
> are being skipped because of a failed dependency.
> configure: WARNING: libykclient missing ykclient_request_process. A
> later version of libykclient is required.
> configure: WARNING: silently building without yubicloud support.
> requires: ykclient
> Our ykclient is at version 2.7 and it looks like it hasn't been updated
> in over a year.
> What version of ykclient is required?

One that has the ykclient_request_process symbol ;)

I believe those changes got rolled in ykclient-2.10.


> Is disabling of yubicloud support a serious determent or just a
> nice-have feature?

It depends. rlm_yubikey can decode yubikey token codes locally 
(using yubico-c), or it can send them off to validation server 
(using ykclient). 

For simple setups/admins ykclient allows you to use yubico's yubicloud
validation servers which have a nice web GUI, and require little 

There's a bit more work if you want to manage your tokens locally, you need
to store replay counter values in a database for example, and manage the
pre-shared aes-keys, but if it saves you $$$ then honestly it's not that 

> Do you know the Fedora maintainer for ykclient? Do we need to give them
> a prod to get a more current version of ykclient packaged?

No, unfortunately not. CCing Simon Josefsson who may...


Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Devel mailing list