Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:39 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: Yubikey, SSH and debian
PostPosted: Tue Sep 30, 2008 3:13 pm 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
install standard server install of Debian lenny
Code:
apt-get update
apt-get upgrade
apt-get install build-essential autoconf automake libtool libpam-dev subversion libcurl4-gnutls-dev

Code:
mkdir yubikey

Code:
cd yubikey

Code:
wget http://yubico-c.googlecode.com/files/libyubikey-1.1.tar.gz
tar zxvf libyubikey-1.1.tar.gz
cd libyubikey-1.1
./configure
make
make check
make install

Code:
cd ..

Code:
wget http://yubico-c-client.googlecode.com/files/libyubikey-client-1.4.tar.gz
tar zxvf libyubikey-client-1.4.tar.gz
cd libyubikey-client-1.4
autoreconf -fvi
./configure
make check
make install

Code:
cd ..

Code:
svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-svn
cd yubico-pam-svn
autoreconf --install
./configure
make clean
make check install

OR
Code:
tar zxvf pam_yubico-1.8.tar.gz
cd pam_yubico-1.8
./configure
make check install

I chose the SVN route
Code:
cd ..

Code:
pico /etc/pam.d/sshd (This is my whole file)

# PAM configuration for the Secure Shell service

## YubiKey Config
# Administrative Level
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
#OR
# User Level
# auth required pam_yubico.so id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth       required     pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth       required     pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account  required     pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session    optional     pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session    optional     pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session    required     pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session  required     pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

Code:
pico /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
UsePAM yes
Not required but good pratice
PermitRootLogin? no

Code:
pico /etc/yubikeyid
timm:nktcdenuukhc:hgfujcchbnjg
pico /home/timm/.yubico/authorized_yubikeys
timm:nktcdenuukhc:hgfujcchbnjg


I rebooted to be sure that everything loaded but this is probably over kill

I used putty to ssh to my Yubikey test box

Password: (enter 'password' and touch the hgfujcchbnjg yubikey)

And no matter if I try the admin or user level it will never log in if I comment out the Yubikey line ssh login works fine if someone can popint me in the right direction that would be great

Thank you in advanced

Tim


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Oct 01, 2008 12:48 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We are looking into this and will update you soon.


Top
 Profile  
Reply with quote  
PostPosted: Thu Oct 02, 2008 4:55 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
Thanks for reporting this issue. We have looked into this and found that there is a PAM configuration issue.

Please follow steps below to fix this:

    1) Edit /etc/pam.d/common-auth
    2) Append try_first_pass parameter to the pam_unix.so module to authenticate the user with password passed from the preceding auth module.
    3) The /etc/pam.d/common-auth looks like below after editing:

    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth required pam_unix.so try_first_pass nullok_secure debug


Top
 Profile  
Reply with quote  
PostPosted: Thu Oct 02, 2008 6:10 pm 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
network-marvels just want to say thank you for your quick response its much appreciated!! As I really want to make this work but I only use debian for my servers so it must work with debian before I can deploy it!!

So as you suggested my /etc/pam.d/common-auth now looks like this but there is no change

Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
auth    required        pam_unix.so try_first_pass nullok_secure debug


I rebooted to be sure that everything loaded.

I am using VMware so if it a copy of my install would help them I can put it online for download?

Any more help would again be greatly appreciated.

Thank you

Tim


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 8:03 am 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We would appreciate if you can upload VMware image. We will download it and try to figure out the problem.

Meanwhile, we have tested the Yubico PAM configuration on following test environment:

    1) OS Version: Debian GNU/Linux lenny/sid \n \l
    2) Kernel Version: Linux version 2.6.24-1-686 (Debian 2.6.24-7)
    3) OpenSSH Version: OpenSSH_5.1p1 Debian-3
    4) Yubico PAM Version: pam_yubico-1.8
    5) /etc/pam.d/sshd:
    # PAM configuration for the Secure Shell service

    ## YubiKey Config
    # Administrative Level
    auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug

    # Standard Un*x authentication.
    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth required pam_env.so debug # [1]

    # In Debian 4.0 (etch), locale-related environment variables were moved to
    # /etc/default/locale, so read that as well.
    auth required pam_env.so envfile=/etc/default/locale debug

    #@include common-auth
    @include common-auth

    # Disallow non-root logins when /etc/nologin exists.
    account required pam_nologin.so

    # Uncomment and edit /etc/security/access.conf if you need to set complex
    # access limits that are hard to express in sshd_config.
    account required pam_access.so

    # Standard Un*x authorization.
    @include common-account

    # Standard Un*x session setup and teardown.
    @include common-session

    # Print the message of the day upon successful login.
    session optional pam_motd.so # [1]

    # Print the status of the user's mailbox upon successful login.
    session optional pam_mail.so standard noenv # [1]

    # Set up user limits from /etc/security/limits.conf.
    session required pam_limits.so

    # Set up SELinux capabilities (need modified pam)
    session required pam_selinux.so multiple

    # Standard Un*x password updating.
    @include common-password

    6) /etc/pam.d/common-auth:
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth required pam_unix.so try_first_pass nullok_secure debug


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 10:29 am 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
Thank you again the Image is avaliable at http://temsc.co.uk/uploads/Clone_of_Yubikey-PAM.zip

The passwords are root:yubikey and timm:yubikey1234

Thank you again I have no more ideas

Tim


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 10:47 am 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
I did find one difference in my /etc/pam.d/sshd to yours

Code:
# Standard Un*x authorization.
@include common-account


In mine was commented out but I uncommented it but still no luck.

The error I get every time is.... not sure if this is relevant the "Using keyboard-interactive authentication"

Code:
debian:/home/timm#
login as: timm
Using keyboard-interactive authentication.
Password:
Access denied


Thank you again

Tim


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 10:55 am 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
timm_tem wrote:
l
...
I used putty to ssh to my Yubikey test box

Password: (enter 'password' and touch the hgfujcchbnjg yubikey)
...
Tim


So I just wanted also to clarify this bit I type my username press enter then type my password press the yubikey and then the yubikey as such pressed enter on the password line for me?

do I understand this correctly?

is it not possible to have the username the password then the yubikey as 3 separate things? just for clarity in nothing else?

Thank you in advanced

Tim


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 4:34 pm 
Offline
Yubico Team
Yubico Team

Joined: Wed Oct 01, 2008 8:11 am
Posts: 210
We have downloaded the VMware image uploaded by you. There was a small configuration issue.

Please follow these steps to fix the issue:

    1) Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security”
    2) Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config”

Thanks for pointing out this issue! This has helped us to generalize Yubico PAM module configuration to work on more Linux flavors. We will update the Yubico PAM configuration document on the Google Code site to reflect these changes.


Top
 Profile  
Reply with quote  
PostPosted: Fri Oct 03, 2008 4:57 pm 
Offline

Joined: Fri May 09, 2008 8:00 am
Posts: 9
Thank you for all you help!! Its greatly appriciated as it can be hard to find help!

Also glad that I could be of help to further the project!

network-marvels wrote:
    1) Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security”
    2) Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config”


interesting that the “challenge-response passwords” is now set to no as the only reason I changed it was because it was something I had to do to get this to work before!?

But I am glad we have a fix!

Thank you again

Tim


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 18 posts ]  Go to page 1, 2  Next

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group