Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:39 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 6 posts ] 
Author Message
PostPosted: Fri Feb 20, 2009 8:58 pm 
Offline

Joined: Fri Feb 20, 2009 7:38 am
Posts: 4
I wish to use my recently purchased Yubikey to authenticate against my home ssh server.
I have been using PubkeyAuthentication and have my Debian ssh server configured to NOT allow username/password pair logins but to require an attempted authentication to match up with a pre-existing account which has the connecting users pubkey in their authenticated_keys2 file.
I wish to on top of this have it prompt me for a OTP Yubikey password.
So I wish to use my Yubikey in addition to this WITHOUT supplying my normal /etc/shadow password at login time.
CAN THIS BE DONE? And if so HOW?

Thank you in advance to anyone who can direct me on this.

PS The why I would want to do this is because I often times login to my home server on occasion from work from my assigned work laptop or desktop and do not wish to implicitly trust that there is no key logger running on the machine which a OTP prompt would defeat as I understand it.


Last edited by coniptor on Tue Feb 24, 2009 7:50 am, edited 1 time in total.

Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Sun Feb 22, 2009 12:30 am 
Offline

Joined: Fri Feb 20, 2009 7:38 am
Posts: 4
I have tried to setup the configuration I spoke of before.
It would seam that PubkeyAuthentication within openssh currently overrides any other authentication methods so to accomplish what I want would likely require a patch to openssh which I don't have the expertise to wright my self.
So forgoing that for the time it would seem I can leave PubkeyAuthentication enabled and must ensure my client is not using pageant if putty or I am using -a with ssh if I have a key loaded locally with ssh-add/ssh-agent to get the prompt:

Yubikey for `coniptor':

I've read conflicting information in a couple of posts concerning this.
I'm running Debian Etch with the latest errata/security updates applied.
I had to modify /etc/pam.d/ssh not /etc/pam.d/sshd for Debian.

I had to ENABLE: "ChallengeResponseAuthentication yes" in /etc/ssh/sshd_config to get the Yubikey prompt listed above.
Regardless of if I have PasswordAuthentication set to no or yes I am unable to authenticate at the Yubikey prompt and this applies whether or not PubkeyAuthentication is enabled or disabled in sshd_config.

Again to note I DO NOT want PasswordAuthentication enabled EVER and would be quite content and happy if pam_yubico.so didn't try to do ANYTHING AT ALL with /etc/shadow.
I do not want /etc/shadow on my system checked during login unless I'm at the physical console.

I have the id= set to what my client id is listed as at the api.yubico.com site once logged in.
I have my yubikey id set in /etc/yubikeyid and in ~/.yubico/authorized_yubikeys for my normal login.
I have tried authentication with /etc/yubikeyid and .yubico/authorized_yubikeys readable only by user and by ugo without success.

I have both auth required lines enabled in /etc/pam.d/ssh for admin and regular access and have also tried it with just admin and just user enabled still with no success.

If I ssh in with Pubkey auth I do not get a debug message on my regular account login but receive two debug messages in a row when I ssh from my regular account to my root account like below:
[pam_yubico.c:pam_sm_setcred(561)] called.
[pam_yubico.c:pam_sm_setcred(561)] called.
Which is not completely helpfull.
In addition /var/run/pam-debug.log which has user group and world/other read write never shows ANY changes still zero length.
I have verifed with tshark that my system is even trying to validate at the url:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
which it is so I know the pam_yubico.so library is contacting the site for authentication and not being validated.

I would sincerely appreciate help from anyone else who has managed to get this working in Debian.
Thanks in advance to anyone who can help. :D


Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 22, 2009 6:28 am 
Offline

Joined: Fri Feb 20, 2009 7:38 am
Posts: 4
Ok I determined what my issue was authenticating.
I can keep PubkeyAuthentication enabled with PasswordAuthentication enabled and ChallengeResponseAuthentication disabled like:
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

What I had to change to get it working was to enable ONLY one of the auth required lines in /etc/pam.d/ssh
either admin managed under /etc/yubikeyid or user managed in ~/.yubico/authorized_yubikeys.
This is covered in thread: http://forum.yubico.com/viewtopic.php?f=6&t=191&hilit=ssh
where it covers the debian way of modifying /etc/pam.d/ssh where it denotes:
## YubiKey Config
# Administrative Level
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
#OR
# User Level
# auth required pam_yubico.so id=16 debug

However with this configuration I either authenticate with my pubkey setup which means I have to trust a computer I ssh from either decrypting my private key with password which allows a key logger to nab my password and retrieve my key from memory possibly OR login with out pubkey and have to provide my login accounts password plus the yubikey OTP.
I would prefer just entering the OTP and using Pubkey together without having to enter the accounts local password.

Something like this was mentioned in thread: http://forum.yubico.com/viewtopic.php?f=5&t=174&hilit=yubikeyonly
I recursively grepped through both pam_yubico-1.11 and the subversion pulled yubico-pam for option yubikeyonly which was mentioned in the below bullet point but could not find it.
+ If you don't plan to use two-factor authentication (a user-entered PIN/password, in addition to the yubikey output), add yubikeyonly=1 to the pam_yubico.so line.

I would very much like to see this option return and work with ChallengeResponseAuthentication with the:
Yubikey for 'username': prompt.
That is if it really did ever exist or even if it did not I would like to see it added.

In the meantime I can create an account specifically for remote login with disabled local login I suppose.


Last edited by coniptor on Tue Feb 24, 2009 7:47 am, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Sun Feb 22, 2009 7:17 am 
Offline

Joined: Fri Feb 20, 2009 7:38 am
Posts: 4
I found another post regarding pam-debug.log being in /tmp and not /var/run.
Once I also added debug in /etc/pam.d/common-auth I found it was logging debug information to /tmp/pam-debug.log


Top
 Profile  
Reply with quote  
PostPosted: Mon Feb 23, 2009 4:27 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We are working on the issue and we will update you soon.


Top
 Profile  
Reply with quote  
PostPosted: Fri Feb 27, 2009 3:32 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
It seems that the PubkeyAuthentication overrides the other authentication methods and as you correctly mentioned would require a patch for OpenSSH to achieve the OpenSSH authentication you desire.


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 6 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group