Yubikeys as a 2nd factor for SSH auth with a different KSM

2010-10-13T10:36:52+01:00

We have spent some time setting up a pilot infrastructure to incorporate Yubikeys in our RHEL environment, in particular:
- We wanted our own validation and KSM services
- The first objective was to improve SSH authentication
- We wanted to use PAM
- We use Kerberos 5 (and AFS)
- Our SSH servers run a RHEL5 variant
- Our own root CA should be able to issue x509 certificates for the validation and KSM servers
- We need to plan a smooth transition from our users to gradually introduce Yubikeys
- Users should be able to import to create/import their AES key to the system

We had to make some modifications to the code, mainly pam_yubico and ykclient, which has been submitted to Yubico.

Our pilot is finally working, and we are in the process of documenting our experience:
https://twiki.cern.ch/twiki/bin/view/Main/Yubikeys

We thought it may be of some help for others.

Romain.

Statistics: Posted by romain — Wed Oct 13, 2010 10:36 am

Yubico Forum

Yubikeys as a 2nd factor for SSH auth with a different KSM