Yubico Forum

PostPosted: Thu Aug 22, 2013 2:43 pm 

Joined: Thu Aug 22, 2013 1:18 pm
Posts: 2
Summary:
Requirements:
OS: Linux Mint 15 (Cinnamon) | Works on other Debian based distros; remember to change your screensaver command, as this might be different depending on the distro
Yubikey: Yubikey II

Description:
This is a short guide on how to get your Yubikey to work on Linux (Debian based) with the option to lock/unlock your screen using your Yubikey.

Features:
* Login with Yubikey + password required
* Screen unlocking by just inserting your Yubikey (only works after already being logged into the system)
* Single Udev rule to fire up a single script
* No screen flickering when using sudo commands; it will check if the key is physically removed rather than a challenge-response trigger.
* Using your Yubikey serial, this prevents other users from unlocking the system with their Yubikey.

Tutorial:

Install the following packages:

Code:
sudo apt-get install libpam-yubico
sudo apt-get install yubikey-personalization


Execute the following command for the users you want to be able to login (Using the Yubikey + password combination):

Code:
mkdir ~/.yubico
ykpamcfg -2 -v


This should create a file in ~/.yubico/challenge-XXXXXX

Make sure you also do this for your root user!

DOUBLE CHECK THIS!

Edit your pam.d auth file:
Backup your current common-auth file:
Code:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BAK

sudo vi /etc/pam.d/common-auth (Note might be different when using another distro!)


My common-auth file:
Code:
# Use this to use both your password + Yubikey. You can comment this line if you want to JUST use your Yubikey (NOT RECOMMENDED)
auth required pam_unix.so nullok_secure try_first_pass

# The line below is required to be able to use your Yubikey
auth   [success=1 new_authtok_reqd=ok default=die ignore=ignore]   pam_yubico.so mode=challenge-response

# Default rules
auth   requisite         pam_deny.so
auth   required         pam_permit.so
auth   optional         pam_ecryptfs.so unwrap
auth   optional         pam_cap.so


IMPORTANT:
Check that your Yubikey is working: open a new terminal shell and run:
Code:
sudo su -


Try executing this with and without the Yubikey; when the Yubikey is removed you should NOT be able to log in!
Only continue if this works. If it doesn't, double check your common-auth file before continuing.

Yubikey screen lock/unlock:
Create a udev rule to run a script if the Yubikey is inserted, changed or removed:

Get your Yubikey serial (to prevent other users from unlocking your screen):
Code:
udevadm monitor --environment --udev


now insert or remove your Yubikey!

look for a line like this:
Code:
ID_SERIAL_SHORT=0001711399

Copy or write your serial down!
(Double check your ID_MODEL_ID with the above step; this should be 0010 if you're using the same model as me)

sudo vi /etc/udev/rules.d/85-yubikey.rules (Double check 85 is the correct rule number for your distro)

insert the following:
Code:
# Yubikey Udev Rule: running a bash script in case your Yubikey is inserted, removed or triggered by challenge-response
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"

Change the following:
ENV{ID_SERIAL_SHORT}=="0001711399" with your own serial number found in the step above

now create the actual bash script:
Code:
sudo vi /usr/local/bin/yubikey


Insert the following code:
Code:
#!/bin/bash
# Double-check that the Yubikey is actually removed; this way a Challenge-Response
# event won't trigger the screensaver.
USERNAME="joost"

# lsusb lists the key only while it is physically attached; grep -q just sets the exit status
if ! lsusb | grep -q "Yubikey"; then
        logger "YubiKey Removed or Changed"
        # Running the Cinnamon screensaver lock command
        /bin/su $USERNAME -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command --lock"
else
        # Running the Cinnamon screensaver unlock command
        logger "YubiKey Found, Unlocking screensaver if found"
        /bin/su $USERNAME -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command -d"
fi

Make sure you change your user name (mine is joost):
USERNAME="YOURUSERNAME"

IMPORTANT:
If you're using another distro or graphical Linux shell change the screensaver command:
/bin/su $USERNAME -c "DISPLAY=:0 YOUR_SCREENSAVER_COMMAND_HERE"

Reload your Udev rules:
Code:
sudo udevadm control --reload-rules
sudo service udev reload


Now check if it's working (it should, if you followed the steps correctly!)

Triqster
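An added example (not Triqster's script): a variant of the lock/unlock decision that checks for the owner's specific YubiKey serial via sysfs, so another YubiKey left in the machine does not keep the screen unlocked. It assumes /sys/bus/usb/devices exposes idVendor and serial attribute files (overridable via the assumed SYSFS_USB variable), reuses the guide's serial 0001711399 only as an illustration, and takes the user name and serial as hypothetical script arguments.

```bash
#!/bin/bash
# Added example, not the guide's own script: lock/unlock decision keyed on the
# owner's YubiKey serial, read from sysfs instead of grepping lsusb for any YubiKey.
# Assumes each USB device under SYSFS_USB has idVendor and serial attribute files
# (true on Linux for /sys/bus/usb/devices when the key's USB descriptor is enabled).
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
YUBICO_VENDOR="1050"

# yubikey_present SERIAL: succeeds only if a Yubico device with exactly that serial is attached
yubikey_present() {
    serial="$1"
    for dev in "$SYSFS_USB"/*; do
        [ -r "$dev/idVendor" ] && [ -r "$dev/serial" ] || continue
        if [ "$(cat "$dev/idVendor")" = "$YUBICO_VENDOR" ] && \
           [ "$(cat "$dev/serial")" = "$serial" ]; then
            return 0
        fi
    done
    return 1
}

# decide_action SERIAL: prints "unlock" when the owner's key is attached, otherwise "lock"
decide_action() {
    if yubikey_present "$1"; then
        echo unlock
    else
        echo lock
    fi
}

# run_for_user USERNAME SERIAL: apply the decision with the Cinnamon screensaver commands
run_for_user() {
    case "$(decide_action "$2")" in
        lock)
            logger "YubiKey $2 not attached, locking screen for $1"
            /bin/su "$1" -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command --lock" ;;
        unlock)
            logger "YubiKey $2 attached, unlocking screen for $1"
            /bin/su "$1" -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command -d" ;;
    esac
}

# Hypothetical invocation from the udev rule: RUN+="/usr/local/bin/yubikey joost 0001711399"
# Nothing runs unless both arguments are supplied, so the file can also be sourced.
if [ $# -eq 2 ]; then
    run_for_user "$1" "$2"
fi
```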



PostPosted: Thu Aug 22, 2013 7:13 pm 

Joined: Thu Aug 22, 2013 7:09 pm
Posts: 1
Nice writeup!
Stupid question of the week: I assume this only works if you're on the machine itself, so not on a remote server?
Is there a way to get OTP working for remote servers? I have a server in a DC and I do have a generated (not OTP) password+my own added gibberish but it would be cool to protect the remote (putty) logons with an OTP.
[edit]
Forget it: I did a bit of google and found http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM. This is what I want.


PostPosted: Thu Aug 22, 2013 7:56 pm 

Joined: Thu Aug 22, 2013 1:18 pm
Posts: 2
Posted in the wrong forum section, should be in:
Computer Logon - Windows | Linux | MacOS | freeBSD

Can some mod please move it over there.

Cheers in advance!


PostPosted: Tue Aug 27, 2013 1:11 pm 

Joined: Tue Aug 27, 2013 1:09 pm
Posts: 1
I've tried setting this up but whenever I run udev I can't get it to show ID_SERIAL_SHORT. I've turned on USB Descriptor serial # display, but nought. Can you advise?

E: Nevermind, worked out the config wasn't saving automatically.


PostPosted: Thu Nov 28, 2013 7:24 am 

Joined: Fri Oct 04, 2013 8:29 am
Posts: 3
Wait a sec, I can't seem to find the ID_SERIAL_SHORT after that command, either, and I don't know how to turn on the "USB Descriptor serial # display". The closest I could find is "ID_SERIAL=Yubico_Yubikey_NEO_OTP+CCID", but that's hardly unique. Is this a known issue with Neos?


PostPosted: Thu Nov 28, 2013 9:12 am 
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Firmware version?

-Tom


PostPosted: Tue Jan 07, 2014 1:12 am 

Joined: Tue Jan 07, 2014 12:29 am
Posts: 2
For those playing along at home, you need to enable USB Descriptor and HMAC-SHA1 Challenge-Response on Slot II.

Screenshots from the yubikey personalisation tool


  • Select Challenge-Response tab
  • Select HMAC-SHA1
Attachment: Challenge Response.png

  • Select Configuration Slot 2
  • Click Generate
  • Click Write Configuration
Attachment: Program.png


PostPosted: Tue Jan 07, 2014 1:18 am 

Joined: Tue Jan 07, 2014 12:29 am
Posts: 2
  • Click settings
  • Enable USB Descriptor
  • Click Update Settings

Attachment: USB Descriptor.png

  • Select Configuration slot 2
  • Click update
Attachment: Update Settings.png


Now follow the guide posted above.


PostPosted: Sat Mar 22, 2014 4:54 am 

Joined: Sat Mar 22, 2014 4:45 am
Posts: 12
I just got my YubiKey a couple of days ago and came across this guide. I just wanted to pass on that I managed to pull this off (including the screen lock/unlock part). I have dabbled with Linux on and off over the years, so I'm not what you'd call an expert... just crazy enough to go poking until something breaks. :)

I followed these instructions to set up my ultrabook. Everything works as described in this guide. Thank you guys very much for putting this info out there for us to find. I really appreciate the help.

-Agg


PostPosted: Tue Apr 22, 2014 4:23 pm 

Joined: Tue Apr 22, 2014 4:19 pm
Posts: 1
Hello guys, so I tried it and it worked perfectly until I restarted.
The error message was "Insufficient permissions" when authenticating with the Yubico key. I have an encrypted home partition, so I thought it was because of that but even when trying to log with root, I had the same error message.

Anyone have any idea?

Thank you guys for the tutorial nonetheless, really handy. I will probably try it on other computers.

