We have spent some time setting up a pilot infrastructure to incorporate Yubikeys in our RHEL environment, in particular:
- We wanted our own validation and KSM services
- The first objective was to improve SSH authentication
- We wanted to use PAM
- We use Kerberos 5 (and AFS)
- Our SSH servers run a RHEL5 variant
- Our own root CA should be able to issue x509 certificates for the validation and KSM servers
- We need to plan a smooth transition for our users to gradually introduce Yubikeys
- Users should be able to create/import their AES key to the system
We had to make some modifications to the code, mainly pam_yubico and ykclient, which have been submitted to Yubico.
Our pilot is finally working, and we are in the process of documenting our experience:
https://twiki.cern.ch/twiki/bin/view/Main/Yubikeys
We thought it may be of some help for others.
Romain.