Yubico Forum

Re: Yubikey, SSH and debian

2011-02-04T10:48:38+01:00

The process to generate a Client ID has changed since Jonix's entry above regarding YMS. Shamelessly copy-and-pasted from my reply this morning from yubico, this is the procedure you need to follow to generate a Client ID currently:

The Client ID aka Auth_ID is required for API Key. The API key is a symmetric key aimed at protecting the communication (creating a hash signature) on packets between the client and the Yubico Online Validation Service. When generating the key an API ID (also called a Client ID) is also generated at the same time and this ID is sent by the client to the server in the authentication request and acts as a reference for the Validation Service to find the right API key in the database to create a signature when sending the authentication (response) result back to the to the (dot net) client.

The key is simply generated from any YubiKey that you have. Follow the link https://upgrade.yubico.com/getapikey/ and enter a valid email address (mainly used as an internal reference in the database) and an OTP from one of the YubiKeys you received. The result page will show the generated Client ID (API ID) and the generated API key (Secret Key). Make a record of both and use these two values in corresponding libraries and modules. Wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the servers in the Yubico Online Validation Service backend.

Hope this helps

Jim

Statistics: Posted by jimrippon — Fri Feb 04, 2011 10:48 am

Re: Yubikey, SSH and debian

2010-11-16T14:11:07+01:00

Thank you for creating the Patch! We appreciate your efforts to make the Yubico PAM more robust and useful!

Statistics: Posted by samir — Tue Nov 16, 2010 2:11 pm

Re: Yubikey, SSH and debian

2010-11-16T19:58:26+01:00

Just noticed an errant line in the above code.

Code:

      char *userfile = NULL;
      authfile = get_userfile(username);
      free(authfile);

should just be

Code:

authfile = get_userfile(username);

Copy & paste oversight...

Statistics: Posted by gsreynolds — Tue Nov 16, 2010 1:47 pm

Re: Yubikey, SSH and debian

2010-11-16T19:59:01+01:00

samir wrote:

Yubico PAM module does not currently support selective two or single factor authentication based on specific user IDs (only two factor authentication is supported for all users). Supporting this functionality is currently on Yubico's roadmap.

However, if you can make some simple changes to the Yubico PAM module then it would be possible to use the same Yubico PAM module to authenticate selective users based on Yubikey bindings i.e. if a user has YubiKey assigned, then it would require 2 factor auth. otherwise only user name and password will be sufficient to authenticate.

The changes are needed to be made in the logic where the Yubico PAM module looks for the YubiKey ID and Username binding. If no YubiKey ID and Username binding found for a user, then the Yubico PAM module should skip all checks and send the success signal to the underlying PAM modules.

We hope this helps!

Hi there,

Based on your suggestion I've created a patch for pam_yubico.c

Changelog

Added a check_user_in_auth_file function which is just check_user_token but with only the username checking, no token checking. This is called near the beginning of pam_sm_authenticate.
Moved user auth file path code from authorize_user_token to a new function get_userfile. This was so I could reuse it in check_user_in_auth_file.

New code in pam_sm_authenticate

Code:

  if (check_user_in_auth_file(cfg.auth_file, user) == 0)
    {
      DBG (("user not in auth file: %s", user));
      /* If user is not in auth file, skip all checks
       and send the success signal to the underlying PAM modules.
       Authentication will continue using the underlying PAM modules. */
      retval = PAM_SUCCESS;
      goto done;
    }

New functions in pam_yubico

Code:

/*
 * This function will return the file path to the authorized_yubikeys file in the
 * users home dir.
 */
static char*
get_userfile(const char *username)
{
  struct passwd *p;
  char *userfile = NULL;

  p = getpwnam(username);
  if (p)
    {
      userfile = malloc((p->pw_dir ? strlen(p->pw_dir) : 0) + strlen(USERFILE)
          + 1);
      if (!userfile)
        return NULL;

      strcpy(userfile, p->pw_dir);
      strcat(userfile, USERFILE);
    }
  return userfile;


}

/*
 * This function will check if a users name is present in the auth file. It
 * will return 0 for no and 1 for yes.
 */
static int
check_user_in_auth_file(const char *authfile, const char *username)
{
  char buf[1024];
  char *s_user;
  int retval = 0;
  FILE *opwfile;

  if (!authfile)
    {
      /* Getting file from user home directory
       ..... i.e. ~/.yubico/authorized_yubikeys
       */
       authfile = get_userfile(username);
    }

  opwfile = fopen(authfile, "r");
  if (opwfile == NULL)
    {
      D(("Cannot open file: %s", authfile));
      return retval;
    }

  while (fgets(buf, 1024, opwfile))
    {
      if (buf[strlen(buf) - 1] == '\n')
        buf[strlen(buf) - 1] = '\0';
      D(("Authorization line: %s", buf));
      s_user = strtok(buf, ":");
      if (s_user && strcmp(username, s_user) == 0)
        {
          D(("Matched user: %s", s_user));
          fclose(opwfile);
          return 1;
        }
    }

  fclose(opwfile);

  return 0;
}

I've tested this with the /etc/ authfile and it works as expected, though I've not tested with the user auth file - as far as I can see though the code should work for that.

Patch against latest version in the pam_yubico SVN is attached in a tar.gz (won't let me attach txt files, disallowed in phpBB config).

Statistics: Posted by gsreynolds — Tue Nov 16, 2010 1:40 pm

Re: Yubikey, SSH and debian

2010-11-16T10:18:13+01:00

Statistics: Posted by samir — Tue Nov 16, 2010 10:18 am

Re: Yubikey, SSH and debian

2010-11-15T12:19:23+01:00

I followed the above instructions, as well as the wiki article on how to set up Yubikey PAM for SSH and have a fully working system.

I have issued myself and 2 other users with Yubikeys, all of us having sudo on our machines. However, for regular users I don't want to give them Yubikeys, they should just be able to login with their username and password.

Unfortunately, I have found that users without Yubikeys cannot login, i.e. if they aren't in the /etc/yubikeyid file, they can't login.

Is there any way around this?

Thanks

Statistics: Posted by gsreynolds — Mon Nov 15, 2010 12:19 pm

Re: Yubikey, SSH and debian

2009-07-15T21:59:08+01:00

I found your post very useful.

Eventually, I found my problem corrected by doing the following to my CentOS vmware image:

Code:

Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security”

Thanks!

Statistics: Posted by displacedtexan — Wed Jul 15, 2009 9:59 pm

Re: Yubikey, SSH and debian

2009-02-06T11:52:45+01:00

Some descriptions of the term:

The magic number 16, AKA Client ID

In /etc/pam.d/sshd

Code:

auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug

the id variable is your Client ID. To get hold of the Client ID I needed to login to the Yubikey Managing System/YMS hosted by Yubico at URL https://api.yubico.com/yms/yubi_login.php.

Strip the Client- text from the ClientID and use that number in place of 16.

Getting access to Yubikey Management System:
To actually be able to login to the YMS system I needed to email yms@yubico.com, with detailed information of the purchase of my Yubikey + two sequentallly generated One Time Passwords (OTP) using the same e-mail address I used when I purchased my Yubikey

Once there, the client ID is displayed at the title bar as highlighted in the attached image.
8.JPG

The yubikey id file
In the file /etc/yubikeyid you define your system user-name you use which you use when normally logging in. The code after the colon-sign is the first 12 characters of your Yubikey One Time password

Code:

username:12 characters

Actually logging in to the SSH server
After all configurations are done you may to restart the SSH server. On my debian machine I used sudo /etc/init.d/ssh restart

After all that was done I logged in with
ssh username@hostname

Please observe that when SSH asked me for password, you need to first enter your regular password and then press the button on the Yubikey device. For the longest time I only used the OTP to try to authenticate, which got me a permission denied reply.

Debugging
To see if if the PAM module is working correctly and you have debug enabled in /etc/pam.d/sshd you might want to create a world writable log file

Code:

  
  touch /var/run/pam-debug.log 
  chmod go+w /var/run/pam-debug.log 

After a login attempt:

Code:

cat /var/run/pam-debug.log

After everything is good I would remove the debug from the /etc/pam.d/sshd file and restart SSH

If a single person is helped by this post, then I am very happy... For it has been a quite enfuriating experience to not realize that you need to enter the regular password and the OTP from Yubikey.

Statistics: Posted by Jonix — Fri Feb 06, 2009 11:52 am

Re: Yubikey, SSH and debian

2008-10-03T16:57:55+01:00

Thank you for all you help!! Its greatly appriciated as it can be hard to find help!

Also glad that I could be of help to further the project!

network-marvels wrote:

interesting that the “challenge-response passwords” is now set to no as the only reason I changed it was because it was something I had to do to get this to work before!?

But I am glad we have a fix!

Thank you again

Tim

Statistics: Posted by timm_tem — Fri Oct 03, 2008 4:57 pm

Re: Yubikey, SSH and debian

2008-10-03T16:34:35+01:00

We have downloaded the VMware image uploaded by you. There was a small configuration issue.

Please follow these steps to fix the issue:

Thanks for pointing out this issue! This has helped us to generalize Yubico PAM module configuration to work on more Linux flavors. We will update the Yubico PAM configuration document on the Google Code site to reflect these changes.

Statistics: Posted by network-marvels — Fri Oct 03, 2008 4:34 pm

Re: Yubikey, SSH and debian

2008-10-03T10:55:24+01:00

timm_tem wrote:

l
...
I used putty to ssh to my Yubikey test box

Password: (enter 'password' and touch the hgfujcchbnjg yubikey)
...
Tim

So I just wanted also to clarify this bit I type my username press enter then type my password press the yubikey and then the yubikey as such pressed enter on the password line for me?

do I understand this correctly?

is it not possible to have the username the password then the yubikey as 3 separate things? just for clarity in nothing else?

Thank you in advanced

Tim

Statistics: Posted by timm_tem — Fri Oct 03, 2008 10:55 am

Re: Yubikey, SSH and debian

2008-10-03T10:47:28+01:00

I did find one difference in my /etc/pam.d/sshd to yours

Code:

# Standard Un*x authorization.
@include common-account

In mine was commented out but I uncommented it but still no luck.

The error I get every time is.... not sure if this is relevant the "Using keyboard-interactive authentication"

Code:

debian:/home/timm#
login as: timm
Using keyboard-interactive authentication.
Password:
Access denied

Thank you again

Tim

Statistics: Posted by timm_tem — Fri Oct 03, 2008 10:47 am

Re: Yubikey, SSH and debian

2008-10-03T10:29:26+01:00

Thank you again the Image is avaliable at http://temsc.co.uk/uploads/Clone_of_Yubikey-PAM.zip

The passwords are root:yubikey and timm:yubikey1234

Thank you again I have no more ideas

Tim

Statistics: Posted by timm_tem — Fri Oct 03, 2008 10:29 am

Re: Yubikey, SSH and debian

2008-10-03T08:03:33+01:00

We would appreciate if you can upload VMware image. We will download it and try to figure out the problem.

Meanwhile, we have tested the Yubico PAM configuration on following test environment:

Statistics: Posted by network-marvels — Fri Oct 03, 2008 8:03 am

Re: Yubikey, SSH and debian

2008-10-02T18:10:48+01:00

network-marvels just want to say thank you for your quick response its much appreciated!! As I really want to make this work but I only use debian for my servers so it must work with debian before I can deploy it!!

So as you suggested my /etc/pam.d/common-auth now looks like this but there is no change

Code:

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so try_first_pass nullok_secure debug

I rebooted to be sure that everything loaded.

I am using VMware so if it a copy of my install would help them I can put it online for download?

Any more help would again be greatly appreciated.

Thank you

Tim

Statistics: Posted by timm_tem — Thu Oct 02, 2008 6:10 pm