Connect the YubiKey, then initialize YubiKey slot 2 for HMAC-SHA1 challenge-response (-ochal-hmac); -oserial-api-visible lets pam_yubico read the serial number it uses to find the challenge file:

ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y
Create the /var/yubico directory that will hold the challenge files, generate the initial challenge/response for slot 2 as the login user (ykpamcfg, without sudo), then move the file into place and lock it down:

sudo mkdir /var/yubico
sudo chown root.root /var/yubico
sudo chmod 700 /var/yubico
ykpamcfg -2 -v
...
Stored initial challenge and expected response in '$HOME/.yubico/challenge-123456'.
sudo mv ~/.yubico/challenge-123456 /var/yubico/xiaoxiaoleo-123456
sudo chown root.root /var/yubico/xiaoxiaoleo-123456
sudo chmod 600 /var/yubico/xiaoxiaoleo-123456

Tip: xiaoxiaoleo is the login user name and 123456 is the YubiKey serial number. pam_yubico opens chalresp_path/<username>-<serial>, so the file must be renamed from ykpamfg's challenge-<serial> to <username>-<serial>. Root-only ownership and modes work here because the PAM stack for login runs as root; that also covers the write access pam_yubico needs, since it stores a fresh challenge in the file after every successful authentication.
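As an added example that is not part of the original post, here is a small POSIX shell checker for the layout the steps above produce. It encodes what pam_yubico actually looks up (chalresp_path/<username>-<serial>) and the ownership and modes the post sets. It assumes GNU coreutils (stat -c) on a Linux host; the OWNER argument is my addition and defaults to root because the /etc/pam.d/login stack runs as root.

```shell
#!/bin/sh
# Added example, not from the original post: audit a pam_yubico chalresp_path
# directory the way the login-time lookup will see it. pam_yubico opens
# "<chalresp_path>/<username>-<serial>"; for /etc/pam.d/login the module runs
# as root, so a root-owned 0700 directory with 0600 files is the expected shape.
# Assumes GNU coreutils stat (-c) on a Linux host.

# chalresp_file_for USER SERIAL DIR -> the path pam_yubico will open.
chalresp_file_for() {
    printf '%s/%s-%s\n' "$3" "$1" "$2"
}

# check_chalresp_dir DIR [OWNER]
# Prints one finding per line; returns 0 when nothing is wrong.
# OWNER defaults to root (the user the login PAM stack runs as).
check_chalresp_dir() {
    dir=$1
    owner=${2:-root}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing directory"
        return 1
    fi
    [ "$(stat -c '%U' "$dir")" = "$owner" ] || { echo "$dir: not owned by $owner"; findings=1; }
    [ "$(stat -c '%a' "$dir")" = "700" ]    || { echo "$dir: mode is not 700"; findings=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: glob did not expand
        base=${f##*/}
        user=${base%-*}                  # everything before the last '-'
        serial=${base##*-}               # everything after the last '-'
        case "$serial" in
            ''|*[!0-9]*) echo "$f: name is not <user>-<serial>"; findings=1 ;;
        esac
        # ykpamcfg leaves "challenge-<serial>"; pam_yubico never opens that name.
        if ! id "$user" >/dev/null 2>&1; then
            echo "$f: '$user' is not a login user (rename to <user>-$serial)"
            findings=1
        fi
        [ "$(stat -c '%U' "$f")" = "$owner" ] || { echo "$f: not owned by $owner"; findings=1; }
        [ "$(stat -c '%a' "$f")" = "600" ]    || { echo "$f: mode is not 600"; findings=1; }
    done
    return $findings
}
```

Run it as root after the mv/chown/chmod steps with `check_chalresp_dir /var/yubico`. A file still named challenge-<serial> is reported because pam_yubico only ever opens <username>-<serial>.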
Add the following line at the top of /etc/pam.d/login, before its first existing line:

auth required pam_yubico.so mode=challenge-response chalresp_path=/var/yubico

Because the control flag is "required", a broken setup locks out console logins; keep a root shell open until a test login with the YubiKey succeeds.
Add the debug argument to get debug information:
auth required pam_yubico.so mode=challenge-response debug chalresp_path=/var/yubico
Create the debug log file pam_yubico writes to:

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log

go+w makes the log world-writable; remove the file and the debug argument once the setup works.
SELinux error:

With SELinux enforcing, the login fails and the pam_yubico debug output shows:

[pam_yubico.c:do_challenge_response(614)] Cannot open file: /var/yubico/test-5212345 (No such file or directory)
Error communicating with Yubikey, please check syslog or contact your system administrator
[pam_yubico.c:display_error(425)] conv returned: '(null)'
[pam_yubico.c:do_challenge_response(673)] Challenge Response failed: No such file or directory

The underlying denial (local_login_t reading a var_t file under /var/yubico) is recorded as avc messages in /var/log/audit/audit.log.
Create an SELinux policy module from the recorded denials:

grep avc /var/log/audit/audit.log | audit2allow -M yubikey

This writes yubikey.te and a compiled yubikey.pp. The generated yubikey.te, with the r_file_perms macro expanded so that checkmodule accepts it:

module yubikey 1.0;

require {
    type var_t;
    type local_login_t;
    class file { getattr open read ioctl lock };
}

allow local_login_t var_t:file { getattr open read ioctl lock };

Review the .te before loading it: var_t is the generic label for much of /var, so this rule lets the login domain read any var_t file, not only the challenge files, and "grep avc" over the whole audit log also picks up denials unrelated to the YubiKey. If new denials appear after the first successful login (pam_yubico writes a new challenge to the file each time), repeat the audit2allow step and reload the module.
Compile and install the SELinux policy module (audit2allow -M already produced yubikey.pp; these steps are only needed after editing yubikey.te):

checkmodule -M -m -o yubikey.mod yubikey.te
semodule_package -o yubikey.pp -m yubikey.mod
semodule -i yubikey.pp
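As an added example, not from the original post, the following shell functions narrow the audit.log feed to pam_yubico's own denials before it reaches audit2allow, so that unrelated denials in the same log do not get turned into allow rules. The audit lines are constructed for this example; the source and target contexts (local_login_t, var_t) are the ones the post's policy names, CHALRESP_PATH is an assumed variable defaulting to the post's /var/yubico, and build_yubikey_module is a hypothetical wrapper around the post's audit2allow command.

```shell
#!/bin/sh
# Added example, not from the original post: feed audit2allow only the AVC
# denials that belong to pam_yubico's challenge-file lookups.
# "grep avc audit.log | audit2allow" converts EVERY denial in the log into an
# allow rule; filtering on source domain and target path keeps the generated
# module limited to the one problem being fixed.

# Constructed sample of /var/log/audit/audit.log for this example: two denials
# from the login domain on a challenge file, one unrelated httpd denial, and a
# SYSCALL record that is not an AVC at all.
sample_audit() {
    cat <<'EOF'
type=AVC msg=audit(1728830548.123:456): avc:  denied  { read } for  pid=1234 comm="login" name="test-5212345" dev="dm-0" ino=1111 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1728830548.124:457): avc:  denied  { open } for  pid=1234 comm="login" path="/var/yubico/test-5212345" dev="dm-0" ino=1111 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1728830600.000:458): avc:  denied  { write } for  pid=2222 comm="httpd" path="/var/www/html/index.html" dev="dm-0" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1728830548.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="login" exe="/usr/bin/login" subj=system_u:system_r:local_login_t:s0 key=(null)
EOF
}

# Assumed: the chalresp_path from the PAM line (default is the post's value).
CHALRESP_PATH=${CHALRESP_PATH:-/var/yubico}

# yubico_avc_lines: stdin -> only AVC denials where the login domain
# (local_login_t) touched a <user>-<serial> file or anything under
# CHALRESP_PATH. Use sshd_t instead if the PAM stack in question is sshd's.
yubico_avc_lines() {
    grep 'avc:  *denied' \
    | grep 'scontext=[^ ]*:local_login_t:' \
    | grep -E "name=\"[^\"]+-[0-9]+\"|path=\"$CHALRESP_PATH/"
}

# denied_perms: stdin (AVC lines) -> space-separated, sorted, unique set of
# denied permissions, i.e. what the allow rule must grant.
denied_perms() {
    sed -n 's/.*denied  *{ \([^}]*\) }.*/\1/p' \
    | tr ' ' '\n' | grep -v '^$' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

count_lines() { awk 'END { print NR }'; }

# build_yubikey_module: the post's audit2allow step, run on the filtered
# denials only. Needs root and the SELinux tooling; not invoked here.
build_yubikey_module() {
    yubico_avc_lines < /var/log/audit/audit.log | audit2allow -M yubikey \
    && echo "review yubikey.te, then: semodule -i yubikey.pp"
}
```

On the constructed sample, yubico_avc_lines keeps the two login-domain lines and drops the httpd and SYSCALL records, and denied_perms reduces them to "open read", which is the set an allow rule for local_login_t on var_t:file would have to contain.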
Time: 2024-10-13 23:42:28