yubikey client dependency in FR 3.0
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Wed Jul 17 23:30:08 CEST 2013
On 17 Jul 2013, at 21:43, John Dennis <jdennis at redhat.com> wrote:
> Hi Arran:
>
> I figured you would know this because your name seems to be all over the
> ykclient git repo :-)
Yes :).
> I noticed when trying to build FR 3.0 that some of the yubikey modules
> are being skipped because of a failed dependency.
>
> configure: WARNING: libykclient missing ykclient_request_process. A
> later version of libykclient is required.
> configure: WARNING: silently building without yubicloud support.
> requires: ykclient
>
> Our ykclient is at version 2.7 and it looks like it hasn't been updated
> in over a year.
>
> What version of ykclient is required?
One that has the ykclient_request_process symbol ;)
I believe those changes got rolled in ykclient-2.10.
https://github.com/Yubico/yubico-c-client/archive/ykclient-2.10.tar.gz
>
> Is disabling of yubicloud support a serious determent or just a
> nice-have feature?
It depends. rlm_yubikey can decode yubikey token codes locally
(using yubico-c), or it can send them off to validation server
(using ykclient).
For simple setups/admins ykclient allows you to use yubico's yubicloud
validation servers which have a nice web GUI, and require little
configuration.
There's a bit more work if you want to manage your tokens locally, you need
to store replay counter values in a database for example, and manage the
pre-shared aes-keys, but if it saves you $$$ then honestly it's not that
complicated.
> Do you know the Fedora maintainer for ykclient? Do we need to give them
> a prod to get a more current version of ykclient packaged?
No, unfortunately not. CCing Simon Josefsson who may...
-Arran
Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team
More information about the Freeradius-Devel
mailing list