All:
Dion has published his latest version of the pam_yubico module. This version supports mapping yubikey IDs to users and eliminates some static buffers that the Yubico folks weren't happy with.
So you can finally authenticate users safely for SSH and other services via PAM (including PAM-capable RADIUS servers), without worrying that anyone with a yubikey could access your system. This is great news and means that we'll be able to start replacing our Cryptocards with Yubikeys in the near future.
Right now, the module doesn't come with great docs, so I figured I'd document how I got it working on my servers. Here's the drill:
- Compile and install the latest Yubikey C client from http://code.google.com/p/yubico-c-client/downloads/list (I used 1.2)
- Check out the latest pam_yubico code (svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-read-only). I used r38.
- Configure, compile and install pam_yubico.so. I used ./configure --with-libyubikey-client-prefix=/usr/local, but you may need to point it somewhere else, if your yubikey libraries are elsewhere.
- Get a Yubico API ID at https://api.yubico.com/get-api-key/.
- Modify the PAM configuration for your sshd to add pam_yubico.so. On CentOS/RHEL, you can do this globally by editing /etc/pam.d/system-auth, or you can edit the specific service you want to test with. For my test, I only modified /etc/pam.d/sshd. You need to add a line that reads:
Code:
auth sufficient /usr/local/lib/security/pam_yubico.so id=xxx debug
and change the xxx to your API ID. If you want to continue to allow password-based authentication (highly recommended for testing), change the other auth lines that do authentication (on CentOS/RHEL, the call to system-auth) to sufficient as well. Here's what my sshd looked like after I got done editing it:
Code:
auth sufficient /usr/local/lib/security/pam_yubico.so id=269 debug
auth sufficient pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_loginuid.so
- If you don't plan to use two-factor authentication (a user-entered PIN/password, in addition to the yubikey output), add yubikeyonly=1 to the pam_yubico.so line.
- If you _do_ plan to use two-factor authentication, create a PAM service called yubikey-multifactor with a single auth line that calls the appropriate authentication service for the PIN/password. On my system, this looks like this:
Code:
auth required pam_stack.so service=system-auth
- Create a file in $HOME/.yubikey/ called authorized_keys that contains your Yubikey IDs, one per line, separated by newlines. A trailing newline is _required_ even if you only have a single Yubikey.
- Create a file called /tmp/pam-debug.log and chmod it to 666, so you can see debug output emitted by the yubico module. This is recommended for testing, but this file should be deleted once testing is complete, as it will contain sensitive information.
- Try to login! If you are using two-factor authentication, you should enter your normal UNIX password, then hit the button on your yubikey. If you are only using one-factor authentication, just pressing the yubikey will be enough.
- If you make it in, congrats! You're ready to go. If not, check /tmp/pam-debug.log and see what happened.
- Don't forget to delete /tmp/pam-debug.log!
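Since a missing trailing newline or a mistyped ID in ~/.yubikey/authorized_keys is the most common reason the login step above fails, here is an added sanity checker (my own example, not code from the page or from the pam_yubico project). It assumes the Yubikey ID is the 12-character modhex public-identity prefix of the OTP, and also flags a group/world-writable file, since anyone who can write it can add their own key.

```python
import os
import stat

# Assumption (not from the page): a Yubikey ID is the 12-character public
# prefix of the OTP, written in the modhex alphabet below.
MODHEX = set("cbdefghijklnrtuv")
PUBLIC_ID_LEN = 12


def public_id_from_otp(otp):
    """Return the public-identity prefix of an OTP, or None if it is malformed."""
    otp = otp.strip()
    if len(otp) < PUBLIC_ID_LEN or any(c not in MODHEX for c in otp):
        return None
    return otp[:PUBLIC_ID_LEN]


def check_authorized_keys_text(text):
    """Validate the contents of ~/.yubikey/authorized_keys.

    Returns (ids, problems): the accepted IDs in file order and a list of
    human-readable problems (empty when the file looks good)."""
    problems = []
    if text and not text.endswith("\n"):
        problems.append("missing trailing newline (pam_yubico requires one)")
    ids = []
    for lineno, raw in enumerate(text.split("\n"), 1):
        line = raw.strip()
        if not line:
            continue  # blank line, harmless
        if len(line) != PUBLIC_ID_LEN or any(c not in MODHEX for c in line):
            problems.append("line %d: %r is not a 12-char modhex ID" % (lineno, line))
        elif line in ids:
            problems.append("line %d: duplicate ID %s" % (lineno, line))
        else:
            ids.append(line)
    if not ids:
        problems.append("no Yubikey IDs found")
    return ids, problems


def check_authorized_keys_file(path):
    """Check both the file contents and that nobody else can write to it."""
    with open(path) as fh:
        ids, problems = check_authorized_keys_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s is group/world writable (mode %o)" % (path, mode))
    return ids, problems
```

Run check_authorized_keys_file on the real file before trying to log in; an empty problems list means the file is in the shape pam_yubico expects.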
There are other tricks you can do: define a global list of valid IDs in /etc/yubico-pam.conf, or use an options file to control two-factor auth on a user-by-user basis (I'm not sure the latter is the best idea unless it can be overridden globally). Check out the source for more details.
I hope this helps someone. And thanks to Dion for the great work!