Info about rlm_yubikey

Arran Cudbard-Bell a.cudbardb at
Tue Feb 17 19:15:26 CET 2015

> On 17 Feb 2015, at 08:54, Stefano Cailotto [EDALab] <stefano.cailotto at> wrote:
> Hello Arran,
> excuse me if I write you directly but I'd need some information asap (due to a customer pressing me).

CCing this to FreeRADIUS users, just in case this might help someone.

> My situation is as follows:
> I've a FreeRadius (FR) server using OpenLDAP as a backend, containing also yubikeys for users (
> 2Factor Authentication works perfectly in Linux,as users are prompted for Yubikey OTP and then for their ldap passwd.
> I'm trying rlm_yubikey on FR 3.0.6 and a Cisco Router.
> I can autheniticate users using yubikey module (passing ldap passwd+otp when prompted for password).
> What I can't do is to bind one or more yubikey to a user as it happens for example with pam_yubico (verified also for Linux auth through pam) or rlm-yubico module (I read there's a parameter "Place username → YubiKey mappings in /etc/yubico/rlm/ykmapping" in the doc). At the moment, a user can authenticate with his/her passwd and any valid Yubikey (i.e. validated by Yubico Validation Server).
> I tried also with pam (yubico+ldap), but it seems the pam_yubico module is passed the username as OTP.
> So, my final question (sorry to be very verbose) is:
> Is there a way to map yubikey(s) <-> users with rlm_yubikey?

Yes. Read the Yubikey config file etc/raddb/yubikey. It documents all the attributes available.

The request flow would be something like:

authorize {
	if (ok) {
		update control {
			Auth-Type := yubikey

authenticate {
	auth-type yubikey {
		yubikey # does decryption of the key
		ldap	# authenticates the user, retrieves key binding attributes,
			# puts them in control:Yubikey-Private-Id

post-auth {
	if (&Yubikey-Private-Id != &control:Yubikey-Private-ID[*]) {
		update reply {
			Reply-Message := "Token not allowed for use by user %{User-Name}"

In the ldap config file, uncomment valuepair_attribute.

In LDAP add radiusAttribute values in the format:

radiusAttribute: control:Yubikey-Private-ID+='<modhex>'

For that attribute to be available you'll need to have loaded the FreeRADIUS schema:

and added objectClass: radiusProfile to the user objects.

Or you can use your own attribute instead of radiusAttribute if that's easier. It's all configurable.

If you want to do dynamic binding, that's possible too. Just use the Post-Auth stuff in rlm_ldap to
update the directory. Use slapo-constraint to prevent the same ID being added multiple times (or not
if you want multiple users to share a key).

Binding isn't a magical feature. The rlm_yubikey module was written to support multiple user scenarios,
that's why all the extracted info is exposed as attributes. They're available for you to implement
whatever local restrictions and policies you want.


Arran Cudbard-Bell <a.cudbardb at>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 872 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <>

More information about the Freeradius-Users mailing list