Yubico Forum
https://forum.yubico.com/

[HOW TO] - Yubikey SSH login via PAM module
https://forum.yubico.com/viewtopic.php?f=23&t=822
Page 1 of 2

Author:  Vlastimil Ovčáčík [ Mon Jun 04, 2012 2:10 pm ]
Post subject:  [HOW TO] - Yubikey SSH login via PAM module

Requirement: Ubuntu 12.04 or Debian Wheezy & Yubikey standard.

Description: This is a quick tutorial on how to set up yubikey auth for SSH login in Ubuntu and Debian. It slightly extends the official how-to. OS: Ubuntu 12.04 (Precise Pangolin) (ami-e1e8d395)

1. Prerequisites
Code:
sudo apt-get install libpam-yubico libykclient3


2. Check installation
Make sure `ls -la /lib/security/pam_yubico.so` exists.

3. Linking user to yubikey
Edit/create the /home/ubuntu/.yubico/authorized_yubikeys file and add:
Code:
ubuntu:ccccccbdefgh

ubuntu is username and ccccccbdefgh is yubikey ID. If this ssh-like approach does not work for you, see this for alternatives.

4. Edit pam.d config file `/etc/pam.d/sshd`
add (at the beginning):
Code:
auth       required     pam_yubico.so id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

If you use the required option: user's account password has to be set and typed with yubikey upon login (i.e. two factor auth).
If sufficient is used: user's account password is not required (i.e. one factor auth).
Get your own API ID and KEY, the values in the example above are faked.


5. Edit sshd config file `/etc/ssh/sshd_config`

Code:
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes


  1. One factor auth - yubikey only, passwords disabled
    pam_yubico.so is sufficient and:
    Code:
    PasswordAuthentication no

  2. One factor auth - yubikey OR password
    pam_yubico.so is sufficient and:
    Code:
    PasswordAuthentication yes

  3. Two factor auth - yubikey AND password
    pam_yubico.so is required and:
    Code:
    PasswordAuthentication yes

7. Restart sshd
Quote:
restart ssh


8. Test if it works.
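
The required/sufficient and PasswordAuthentication combinations from steps 4 and 5, written as a configuration check (an added example, not part of the original post; the function names and the sample configs are constructed for illustration). It also lists the auth entries that follow a sufficient pam_yubico.so line, because PAM keeps evaluating the stack when a sufficient module fails.

```python
import re

# Upstream OpenSSH defaults for the keywords used in step 5.
SSHD_DEFAULTS = {"usepam": "no", "challengeresponseauthentication": "yes",
                 "permitemptypasswords": "no", "passwordauthentication": "yes"}
PAM_RE = re.compile(r"^\s*(?:auth\s+(\[[^\]]*\]|\S+)\s+(\S+)|@include\s+(\S+))")
MODES = {("sufficient", "no"): "one factor: yubikey only",
         ("sufficient", "yes"): "one factor: yubikey OR password",
         ("required", "yes"): "two factor: yubikey AND password"}

def parse_sshd(text):
    """Keyword -> value, lower-cased; the first occurrence wins, as in sshd."""
    opts = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return {**SSHD_DEFAULTS, **opts}

def parse_pam_auth(text):
    """Ordered (control, module) pairs for auth lines; @include kept as 'include'."""
    return [(m.group(1) or "include", m.group(2) or m.group(3))
            for m in map(PAM_RE.match, text.splitlines()) if m]

def audit(pam_text, sshd_text):
    """Return (mode, findings) for an /etc/pam.d/sshd and sshd_config pair."""
    sshd, stack = parse_sshd(sshd_text), parse_pam_auth(pam_text)
    findings = [f"{k} should be {v}" for k, v in (("usepam", "yes"),
                ("challengeresponseauthentication", "yes"),
                ("permitemptypasswords", "no")) if sshd[k] != v]
    idx = next((i for i, (_, m) in enumerate(stack) if m == "pam_yubico.so"), None)
    if idx is None:
        return "pam_yubico.so not configured", findings
    if idx != 0:
        findings.append("pam_yubico.so is not the first auth entry")
    control, later = stack[idx][0], [m for _, m in stack[idx + 1:]]
    key = (control, sshd["passwordauthentication"])
    mode = MODES.get(key, "combination not listed in the how-to: %s/%s" % key)
    if control == "sufficient" and later:
        findings.append("still evaluated if the OTP check fails: " + ", ".join(later))
    return mode, findings

# Constructed sample input (not from a real host); API id and key are placeholders.
SAMPLE_PAM = "auth sufficient pam_yubico.so id=API_ID key=API_KEY\n@include common-auth\n"
SAMPLE_SSHD = ("PermitEmptyPasswords no\nChallengeResponseAuthentication yes\n"
               "UsePAM yes\nPasswordAuthentication no\n")

if __name__ == "__main__":
    print(audit(SAMPLE_PAM, SAMPLE_SSHD))
```

On a real host, pass the contents of /etc/pam.d/sshd and /etc/ssh/sshd_config to audit() instead of the samples.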

Author:  medfordite [ Sun Jan 20, 2013 6:55 am ]
Post subject:  Re: Yubikey SSH login via PAM module

Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask). :)

Author:  Tom [ Mon Jan 21, 2013 10:37 am ]
Post subject:  Re: Yubikey SSH login via PAM module

Thank you for your post.

This goes sticky.

Author:  moulip [ Tue Jan 29, 2013 3:46 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

It does not work as expected.
I have set up everything the same way as explained, and when connecting I am asked for the Yubikey and the password.
I have set up the pam.d/sshd with sufficient and altered the sshd_config as explained and nothing. I am still prompted with the password.
And what's worse is that if I press enter at the yubikey prompt, it goes straight to the password!
I am searching how my security level is increased here.

Author:  Tom [ Wed Jan 30, 2013 11:06 am ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

Just a curiosity, do you encrypt your /home/user_with_yubikey?

Because in that config, you would not be able to read the authorized_yubikey file.

I will try the suggested configuration in this post to check if it works when I have 5 minutes.

Author:  Tom [ Wed Jan 30, 2013 1:55 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

I have tested the "one factor" and it works on Ubuntu 12.10

Image


If you want to use challenge response mode then follow this tutorial:
https://github.com/Yubico/yubico-pam/wi ... geResponse

Author:  moulip [ Fri Feb 01, 2013 12:10 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

You mean that in order for the SSH login to work without asking password, the Yubikey must be set up in challenge-response mode?

Author:  Tom [ Fri Feb 01, 2013 1:11 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

No. You can authenticate yourself locally [challenge-response] or via the Internet using YubiCloud service for example.

If you choose to authenticate against the YubiCloud you need the YubicoOTP ( the one configured in slot 1 by default )
If you choose to authenticate locally then you configure slot 2 of your Yubikey in challenge response mode ( following the other tutorial )

The password prompt depends on how you configure sshd / pam

Author:  moulip [ Fri Feb 01, 2013 2:11 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

I have strictly followed the howtos and I am still prompted for the password. I don't know what to do more.

Author:  Tom [ Fri Feb 01, 2013 3:45 pm ]
Post subject:  Re: [HOW TO] - Yubikey SSH login via PAM module

I am sorry moulip, I have posted a screenshot showing that it correctly works with only ONE factor. Just the Yubikey OTP without password.

What I can suggest is to install a virtual machine with Ubuntu 12.10, and try again from scratch.

1) Do not set up encrypted home folder.
2) Check that the virtual machine can connect to the internet to validate the OTP
3) Try reading the tutorial bottom-up, this may unlock some words that you missed, it happens.
