Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask).
| Yubico Forum https://forum.yubico.com/ |
|
| [HOW TO] - Yubikey SSH login via PAM module https://forum.yubico.com/viewtopic.php?f=23&t=822 |
Page 1 of 2 |
| Author: | Vlastimil Ovčáčík [ Mon Jun 04, 2012 2:10 pm ] |
| Post subject: | [HOW TO] - Yubikey SSH login via PAM module |
Requirement: Ubuntu 12.04 or Debian Wheezy & Yubikey standard. Description: This is quick tutorial on how to setup yubikey auth for SSH login in Ubuntu and Debian. It slightly extends official how-to. OS: Ubuntu 12.04(Precise Pangolin) (ami-e1e8d395) 1. Prerequisites Code: sudo apt-get install libpam-yubico libykclient3 2. Check installation Make sure `ls -la /lib/security/pam_yubico.so` exist. 3. Linking user to yubikey edit/create /home/ubuntu/.yubico/authorized_yubikeys file and add: Code: ubuntu:ccccccbdefgh ubuntu is username and ccccccbdefgh is yubikey ID. If this ssh-like approach does not work for you, see this for alternatives. 4. Edit pam.d config file `/etc/pam.d/sshd` add (at the beginning): Code: auth required pam_yubico.so id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s If you use required option: user's account password has to be set and typed with yubikey upon login (i.e. two factor auth). If sufficient is used: user's account password is not required (i.e. one factor auth). Get your own API ID and KEY, the values in the example above are faked. 5. Edit sshd config file `/etc/ssh/sshd_config` Code: PermitEmptyPasswords no ChallengeResponseAuthentication yes UsePAM yes
7. Restart sshd Quote: restart ssh 8. Test if it works. |
|
| Author: | medfordite [ Sun Jan 20, 2013 6:55 am ] |
| Post subject: | Re: Yubikey SSH login via PAM module |
Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask).
|
|
| Author: | Tom [ Mon Jan 21, 2013 10:37 am ] |
| Post subject: | Re: Yubikey SSH login via PAM module |
Thank you for your post. This goes sticky. |
|
| Author: | moulip [ Tue Jan 29, 2013 3:46 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
It does not work as expected. I have setup everything the same way as explained, and when connecting I am asked for the Yubikey and the password. I have setup the pam.d/sshd with sufficient and altered the sshd_config as explained and nothing. I am still prompted with the password. And what's worse is that if I press enter at the yubikey prompt, it goes straight to the password ! I am searching how my security level is increased here. |
|
| Author: | Tom [ Wed Jan 30, 2013 11:06 am ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
Just a curiosity, do you encrypt your /home/user_with_yubikey ? because in that config, you would not be able to read the authorized_yubikey file. I will try the suggested configuration in this post to check if it works when i'll have 5 minute. |
|
| Author: | Tom [ Wed Jan 30, 2013 1:55 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
I have tested the "one factor" and it works on Ubuntu 12.10  if you want to use challenge response mode then follow this tutorial: https://github.com/Yubico/yubico-pam/wi ... geResponse |
|
| Author: | moulip [ Fri Feb 01, 2013 12:10 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
You mean that in order for the SSH login to work without asking password, the Yubikey must be setup in challenge-response mode ? |
|
| Author: | Tom [ Fri Feb 01, 2013 1:11 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
No. You can authenticate yourself locally [challenge-response] or via the Internet using YubiClous service for example. If you choose to authenticate against the YubiCloud you need the YubicoOTP ( the one configured in slot 1 by default ) If you choose to authenticate locally then you configure slot 2 of your Yubikey in challenge response mode ( following the other tutorial ) The password prompt depends on how you configure sshd / pam |
|
| Author: | moulip [ Fri Feb 01, 2013 2:11 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
I have strictly followed the howtos and I am still prompted for the password. I don't know what to do more. |
|
| Author: | Tom [ Fri Feb 01, 2013 3:45 pm ] |
| Post subject: | Re: [HOW TO] - Yubikey SSH login via PAM module |
I am sorry moulip, i have posted a screenshot showing that it correctly works with only ONE factor. Just the Yubikey OTP without password. What i can suggest you, is to install a virtual machine with Ubuntu 12.10, and try again from scratch. 1) Do not set up encrypted home folder. 2) Check that the virtual machine can connect to the internet to validate the OTP 3) Try reading the tutorial bottom-up, this may unlock some words that you missed, it happens. |
|
| Page 1 of 2 | All times are UTC + 1 hour |
| Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/ |
|