Yubico Forum

All times are UTC + 1 hour

[ 17 posts ]  Go to page Previous  1, 2
PostPosted: Tue May 12, 2015 2:32 am 
Can anyone help me understand how to do this without using challenge response? I need to use a static password. I wouldn't mind using challenge response but I'm already using the second slot for static password that I use with the encrypted disk. I've gotten it to work with lightdm-greeter, gnome-screensaver, the unity screensaver, and xscreensaver, but I can't get it to work with login. It crashes every time.



PostPosted: Wed May 13, 2015 11:42 am 
Yubico Team
I don't get it. Static password mode just types the password exactly like a keyboard would.

Does the screensaver crash when the YubiKey types the password?


PostPosted: Wed May 20, 2015 3:14 am 
Never mind. I was able to switch my LUKS encryption to using yubikey-luks so I can use challenge response mode now.


PostPosted: Sat Jan 14, 2017 10:39 am 
I went for something slightly different for /etc/pam.d/common-auth, and thought it might help some other folks too (I commented out the defaults just in case I wanted to go back to them).

Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
# auth   [success=1 default=ignore]   pam_unix.so nullok_secure
# success=done: a correct challenge-response ends the stack with success, so pam_unix is not consulted
auth  [success=done new_authtok_reqd=done default=ignore] pam_yubico.so mode=challenge-response
# sufficient: a correct password also ends the stack with success; a wrong one is ignored here
auth  sufficient      pam_unix.so nullok_secure try_first_pass

# requisite: only reached when both lines above failed, and it then ends the stack with a denial;
# the two lines after it are therefore never executed on any path
auth  requisite       pam_deny.so
auth  required        pam_permit.so
auth  optional        pam_ecryptfs.so unwrap

# here's the fallback if no module succeeds
# auth   requisite         pam_deny.so

# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
# auth   required         pam_permit.so

# and here are more per-package modules (the "Additional" block)

# end of pam-auth-update config


For my particular needs I went with "sufficient" for the challenge-response and password, instead of requiring just the Yubikey or both the Yubikey and the password. The reason being I wanted the option of using the Yubikey to speed things up, but being able to fallback to my password if need be. So if the challenge-response succeeds, the password isn't necessary (what I read to muddle through that: https://linux.die.net/man/5/pam.d).

You can also set it up to work with two different Yubikeys by running ykpamcfg -2 -v twice. I don't know for sure that you need to set them up with the same exact settings, but I was using the "Program Multiple Yubikeys" option to create a backup. So that may be something to keep in mind.

I do know that even if you duplicate all the settings across two different Yubikeys, you still need to run ykpamcfg -2 -v again, and then you'll have two challenge files in your ~/.yubico/ directory. So do *not* assume that if you programmed multiple Yubikeys that both will be able to authenticate via the same ~/.yubico/ challenge file. The advice in the documentation to keep a root terminal open until you're absolutely sure it's working is very advisable.

Interesting sidenote, if you have the above alternative setup, where either your password or your Yubikey can log you in, then all you need to do when the Yubikey is plugged in to unlock the screensaver is hit enter.

However, the sudo vi /etc/udev/rules.d/85-yubikey.rules bit still confuses me. Where/how are people looking up what exact *.yubikey-rules to use for their system? I've seen FAQs and documentation that uses 69, 70, 85, 99... with no clear explanation of how anyone found out which one they're supposed to use/create. Is it related to your udev version? Your OS? Your Yubikey? All of the above?


PostPosted: Tue Jan 17, 2017 9:01 am 
Quick note for those of you who are using an Ubuntu variant (in my case Linux Mint 18) and using home folder encryption (note this is in addition to home folder encryption). If you follow the steps in this guide you may not be able to log in at restart. This is because the home folder has not been decrypted yet. The solution is to follow the instructions here: https://developers.yubico.com/yubico-pa ... ponse.html

In a nutshell:
1) Create a folder where you'd like to store your config file (anywhere outside of ~/username will work).
2) Set permissions of that folder to be sticky: chmod +t /path/to/folder and chmod 777 /path/to/folder
3) Generate your key: ykpamcfg -2 -v -p /path/to/folder

Next when you add the auth lines to the /etc/pam.d/common-auth make sure your challenge line looks like this:
Code:
auth   required        pam_yubico.so mode=challenge-response chalresp_path=/path/to/folder

The difference between this and the original is we are defining chalresp_path with our path.

That's it. I was banging my head against the wall and locked myself out of my computer a few times so thought I'd share.


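Before rebooting on a new line like the one above, it is worth checking the things the post relies on, while that root terminal is still open. The block below is an added example, not code from the thread or from yubico-pam: it parses the pam_yubico.so auth line out of a common-auth text, flags a missing chalresp_path when the home directory is encrypted, and checks that the directory carries the mode the post sets (sticky bit plus 777, i.e. 1777). The sample lines and the /var/yubico path are constructed, and the audit does not look for the challenge file itself.

```python
"""Pre-reboot audit of the pam_yubico challenge-response line in common-auth.

Added example, not code from the thread or from yubico-pam. It checks the
conditions the post above depends on: mode=challenge-response, a
chalresp_path when the home directory is encrypted, and the directory
permissions the post sets (chmod +t plus chmod 777, i.e. mode 1777).
"""
import os
import re
import stat
import tempfile

# Constructed sample lines; /var/yubico is an assumed path, not one from the thread.
SAMPLE_WITHOUT_PATH = "auth   required   pam_yubico.so mode=challenge-response"
SAMPLE_WITH_PATH = (
    "auth   required   pam_yubico.so mode=challenge-response chalresp_path=/var/yubico"
)

# facility, control (a bare word or a bracketed action list containing spaces), module, options
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_yubico_line(line):
    """Return (control, options) for an auth line that loads pam_yubico.so, else None."""
    text = line.split("#", 1)[0].strip()
    match = PAM_LINE.match(text)
    if not match:
        return None
    facility, control, module, rest = match.groups()
    if facility != "auth" or not module.endswith("pam_yubico.so"):
        return None
    options = {}
    for token in rest.split():
        key, _, value = token.partition("=")
        options[key] = value
    return control, options


def audit(common_auth_text, home_encrypted):
    """Return a list of findings; an empty list means the line looks safe to reboot on."""
    findings = []
    entries = [e for e in map(parse_yubico_line, common_auth_text.splitlines()) if e]
    if not entries:
        return ["no auth line loads pam_yubico.so"]
    for _control, options in entries:
        if options.get("mode") != "challenge-response":
            findings.append("mode is %r, expected challenge-response" % options.get("mode"))
        path = options.get("chalresp_path")
        if path is None:
            if home_encrypted:
                findings.append(
                    "no chalresp_path: the challenge file defaults to ~/.yubico, "
                    "which is not readable before the encrypted home is mounted"
                )
            continue
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append("chalresp_path %s does not exist" % path)
            continue
        if not stat.S_ISDIR(mode):
            findings.append("chalresp_path %s is not a directory" % path)
            continue
        if not mode & stat.S_ISVTX:
            findings.append("%s lacks the sticky bit (chmod +t)" % path)
        if (stat.S_IMODE(mode) & 0o777) != 0o777:
            findings.append("%s is not mode 777, so users cannot write their own challenge file" % path)
    return findings


def demo():
    """Run the audit against constructed directories; returns findings per case."""
    good = tempfile.mkdtemp()
    os.chmod(good, 0o1777)          # what the post's chmod +t; chmod 777 produces
    bad = tempfile.mkdtemp()        # left at the 0700 default: no sticky bit, not world-writable

    def with_path(directory):
        return SAMPLE_WITH_PATH.replace("/var/yubico", directory)

    return {
        "good_dir": audit(with_path(good), home_encrypted=True),
        "bad_dir": audit(with_path(bad), home_encrypted=True),
        "missing_dir": audit(with_path(os.path.join(good, "missing")), home_encrypted=True),
        "no_path_encrypted": audit(SAMPLE_WITHOUT_PATH, home_encrypted=True),
        "no_path_plain": audit(SAMPLE_WITHOUT_PATH, home_encrypted=False),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, found or "OK")
```

To use it on a real system, read /etc/pam.d/common-auth into `audit()` and pass whether the home directory is encrypted; any non-empty result is a reason not to reboot yet. The parser handles both the bare control words and the bracketed action lists used earlier in this thread.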
PostPosted: Sat Mar 04, 2017 10:16 pm 
Hi,

I have this similar configuration; everything works fine except for the first time I log in to my machine, when I can't use my yubikey but only the password.

Do you have the same issue? I used this guide https://developers.yubico.com/yubico-pa ... ponse.html and I set the mode as `sufficient` instead of `required`.

Thanks

cecoates wrote:
[quotes the post of Sat Jan 14, 2017 above in full]


PostPosted: Tue Mar 21, 2017 6:29 pm 
Hey guys,
If any of you are having issues getting this to work with the YubiKey 4, I noticed on Linux Mint (so probably Ubuntu too) that the YubiKey now shows up as "Yubico.com", so you'll need to modify the /usr/local/bin/yubico script to grep for 'Yubico.com', not 'Yubikey'.

Cheers!

