debug
Enables debug output
debug_file
Filename to write debugging messages to. If this file
is missing, nothing will be logged. This regular file has to be created
by the user or must exist and be a regular file for anything
getting logged to it. It is not created by pam-u2f on purpose (for security
considerations). This filename may be alternatively set to "stderr"
(default), "stdout", or "syslog".
origin=origin
Set the origin for the U2F authentication procedure. If
no value is specified, the origin "pam://$HOSTNAME" is used.
appid=appid
Set the application ID for the U2F authentication
procedure. If no value is specified, the same value used for origin is taken
("pam://$HOSTNAME" if also origin is not specified).
authfile=file
Set the location of the file that holds the mappings of
user names to keyHandles and user keys. The format is
username:keyHandle1,public_key1:keyHandle2,public_key2:... the default
location of the file is $XDG_CONFIG_HOME/Yubico/u2f_keys. If the environment
variable is not set, $HOME/.config/Yubico/u2f_keys is used. An individual (per
user) file may be configured relative to the users' home dirs, i.e.
".ssh/u2f_keys".
authpending_file=file
Set the location of the file that is used for touch
request notifications. This file will be opened when pam-u2f starts waiting
for a user to touch the device, and will be closed when it no longer waits for
a touch. Use inotify to listen on these events, or a more high-level tool like
yubikey-touch-detector. Default value: /var/run/user/$UID/pam-u2f-authpending.
Set an empty value in order to disable this functionality, like so:
"authpending_file=".
nouserok
Set to enable authentication attempts to succeed even if
the user trying to authenticate is not found inside authfile or if authfile is
missing/malformed.
openasuser
Setuid to the authenticating user when opening the
authfile. Useful when the user’s home is stored on an NFS volume
mounted with the root_squash option (which maps root to nobody which will not
be able to read the file). Note that after release 1.0.8 this is done by
default when no global authfile or XDG_CONFIG_HOME environment variable has
been set.
alwaysok
Set to enable all authentication attempts to succeed (aka
presentation mode).
max_devices=n_devices
Maximum number of devices allowed per user (default is
24). Devices specified in the authentication file that exceed this value will
be ignored.
interactive
Set to prompt a message and wait before testing the
presence of a U2F device. Recommended if your device doesn’t have
tactile trigger.
[prompt=your prompt here]
Set individual prompt message for interactive mode. Watch
the square brackets around this parameter to get spaces correctly recognized
by PAM.
manual
Set to drop to a manual console where challenges are
printed on screen and response read from standard input. Useful for debugging
and SSH sessions without U2F-support from the SSH client/server. If enabled,
interactive mode becomes redundant and has no effect.
cue
Set to prompt a message to remind to touch the
device.
[cue_prompt=your prompt here]
Set individual prompt message for the cue option. Watch
the square brackets around this parameter to get spaces correctly recognized
by PAM.
nodetect
Skip detecting if a suitable key is inserted before
performing a full authentication. See NOTES below.
userpresence=int
If 1, require user presence during authentication. If 0,
do not request user presence during authentication. Otherwise, fallback to the
authenticator’s default behaviour.
userverification=int
If 1, require user verification during authentication. If
0, do not request user verification during authentication. Otherwise, fallback
to the authenticator’s default behaviour.
pinverification=int
If 1, require PIN verification during authentication. If
0, do not request PIN verification during authentication. Otherwise, fallback
to the authenticator’s default behaviour.