Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:11 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 18 posts ]  Go to page Previous  1, 2
Author Message
PostPosted: Fri Feb 06, 2009 11:52 am 
Offline

Joined: Fri Feb 06, 2009 11:22 am
Posts: 1
Some descriptions of the term:

The magic number 16, AKA Client ID

In /etc/pam.d/sshd
Code:
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug


the id variable is your Client ID. To get hold of the Client ID I needed to login to the Yubikey Managing System/YMS hosted by Yubico at URL https://api.yubico.com/yms/yubi_login.php.

Strip the Client- text from the ClientID and use that number in place of 16.


Getting access to Yubikey Management System:
To actually be able to login to the YMS system I needed to email yms@yubico.com, with detailed information of the purchase of my Yubikey + two sequentallly generated One Time Passwords (OTP) using the same e-mail address I used when I purchased my Yubikey

Once there, the client ID is displayed at the title bar as highlighted in the attached image.
Attachment:
8.JPG



The yubikey id file
In the file /etc/yubikeyid you define your system user-name you use which you use when normally logging in. The code after the colon-sign is the first 12 characters of your Yubikey One Time password
Code:
username:12 characters



Actually logging in to the SSH server
After all configurations are done you may to restart the SSH server. On my debian machine I used sudo /etc/init.d/ssh restart

After all that was done I logged in with
ssh username@hostname

Please observe that when SSH asked me for password, you need to first enter your regular password and then press the button on the Yubikey device. For the longest time I only used the OTP to try to authenticate, which got me a permission denied reply.



Debugging
To see if if the PAM module is working correctly and you have debug enabled in /etc/pam.d/sshd you might want to create a world writable log file
Code:
 
  touch /var/run/pam-debug.log
  chmod go+w /var/run/pam-debug.log


After a login attempt:
Code:
 cat /var/run/pam-debug.log


After everything is good I would remove the debug from the /etc/pam.d/sshd file and restart SSH

If a single person is helped by this post, then I am very happy... For it has been a quite enfuriating experience to not realize that you need to enter the regular password and the OTP from Yubikey.


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Wed Jul 15, 2009 9:59 pm 
Offline

Joined: Wed Feb 18, 2009 8:22 pm
Posts: 1
I found your post very useful.

Eventually, I found my problem corrected by doing the following to my CentOS vmware image:
Code:
Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security”


Thanks!


Top
 Profile  
Reply with quote  
PostPosted: Mon Nov 15, 2010 12:19 pm 
Offline

Joined: Mon Nov 15, 2010 12:16 pm
Posts: 3
I followed the above instructions, as well as the wiki article on how to set up Yubikey PAM for SSH and have a fully working system.

I have issued myself and 2 other users with Yubikeys, all of us having sudo on our machines. However, for regular users I don't want to give them Yubikeys, they should just be able to login with their username and password.

Unfortunately, I have found that users without Yubikeys cannot login, i.e. if they aren't in the /etc/yubikeyid file, they can't login.

Is there any way around this?

Thanks


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 16, 2010 10:18 am 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Yubico PAM module does not currently support selective two or single factor authentication based on specific user IDs (only two factor authentication is supported for all users). Supporting this functionality is currently on Yubico's roadmap.

However, if you can make some simple changes to the Yubico PAM module then it would be possible to use the same Yubico PAM module to authenticate selective users based on Yubikey bindings i.e. if a user has YubiKey assigned, then it would require 2 factor auth. otherwise only user name and password will be sufficient to authenticate.

The changes are needed to be made in the logic where the Yubico PAM module looks for the YubiKey ID and Username binding. If no YubiKey ID and Username binding found for a user, then the Yubico PAM module should skip all checks and send the success signal to the underlying PAM modules.

We hope this helps!


Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 16, 2010 1:40 pm 
Offline

Joined: Mon Nov 15, 2010 12:16 pm
Posts: 3
samir wrote:
Yubico PAM module does not currently support selective two or single factor authentication based on specific user IDs (only two factor authentication is supported for all users). Supporting this functionality is currently on Yubico's roadmap.

However, if you can make some simple changes to the Yubico PAM module then it would be possible to use the same Yubico PAM module to authenticate selective users based on Yubikey bindings i.e. if a user has YubiKey assigned, then it would require 2 factor auth. otherwise only user name and password will be sufficient to authenticate.

The changes are needed to be made in the logic where the Yubico PAM module looks for the YubiKey ID and Username binding. If no YubiKey ID and Username binding found for a user, then the Yubico PAM module should skip all checks and send the success signal to the underlying PAM modules.

We hope this helps!

Hi there,

Based on your suggestion I've created a patch for pam_yubico.c

Changelog
  • Added a check_user_in_auth_file function which is just check_user_token but with only the username checking, no token checking. This is called near the beginning of pam_sm_authenticate.
  • Moved user auth file path code from authorize_user_token to a new function get_userfile. This was so I could reuse it in check_user_in_auth_file.

New code in pam_sm_authenticate
Code:
  if (check_user_in_auth_file(cfg.auth_file, user) == 0)
    {
      DBG (("user not in auth file: %s", user));
      /* If user is not in auth file, skip all checks
       and send the success signal to the underlying PAM modules.
       Authentication will continue using the underlying PAM modules. */
      retval = PAM_SUCCESS;
      goto done;
    }


New functions in pam_yubico
Code:
/*
 * This function will return the file path to the authorized_yubikeys file in the
 * users home dir.
 */
static char*
get_userfile(const char *username)
{
  struct passwd *p;
  char *userfile = NULL;

  p = getpwnam(username);
  if (p)
    {
      userfile = malloc((p->pw_dir ? strlen(p->pw_dir) : 0) + strlen(USERFILE)
          + 1);
      if (!userfile)
        return NULL;

      strcpy(userfile, p->pw_dir);
      strcat(userfile, USERFILE);
    }
  return userfile;


}

/*
 * This function will check if a users name is present in the auth file. It
 * will return 0 for no and 1 for yes.
 */
static int
check_user_in_auth_file(const char *authfile, const char *username)
{
  char buf[1024];
  char *s_user;
  int retval = 0;
  FILE *opwfile;

  if (!authfile)
    {
      /* Getting file from user home directory
       ..... i.e. ~/.yubico/authorized_yubikeys
       */
       authfile = get_userfile(username);
    }

  opwfile = fopen(authfile, "r");
  if (opwfile == NULL)
    {
      D(("Cannot open file: %s", authfile));
      return retval;
    }

  while (fgets(buf, 1024, opwfile))
    {
      if (buf[strlen(buf) - 1] == '\n')
        buf[strlen(buf) - 1] = '\0';
      D(("Authorization line: %s", buf));
      s_user = strtok(buf, ":");
      if (s_user && strcmp(username, s_user) == 0)
        {
          D(("Matched user: %s", s_user));
          fclose(opwfile);
          return 1;
        }
    }

  fclose(opwfile);

  return 0;
}


I've tested this with the /etc/ authfile and it works as expected, though I've not tested with the user auth file - as far as I can see though the code should work for that.

Patch against latest version in the pam_yubico SVN is attached in a tar.gz (won't let me attach txt files, disallowed in phpBB config).


Last edited by gsreynolds on Tue Nov 16, 2010 7:59 pm, edited 2 times in total.

Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 16, 2010 1:47 pm 
Offline

Joined: Mon Nov 15, 2010 12:16 pm
Posts: 3
Just noticed an errant line in the above code.

Code:
      char *userfile = NULL;
      authfile = get_userfile(username);
      free(authfile);


should just be

Code:
      authfile = get_userfile(username);


Copy & paste oversight...


Last edited by gsreynolds on Tue Nov 16, 2010 7:58 pm, edited 1 time in total.

Top
 Profile  
Reply with quote  
PostPosted: Tue Nov 16, 2010 2:11 pm 
Offline
Yubico Team
Yubico Team

Joined: Mon Feb 22, 2010 9:49 am
Posts: 183
Thank you for creating the Patch! We appreciate your efforts to make the Yubico PAM more robust and useful!


Top
 Profile  
Reply with quote  
PostPosted: Fri Feb 04, 2011 10:48 am 
Offline

Joined: Fri Feb 04, 2011 10:44 am
Posts: 1
The process to generate a Client ID has changed since Jonix's entry above regarding YMS. Shamelessly copy-and-pasted from my reply this morning from yubico, this is the procedure you need to follow to generate a Client ID currently:

The Client ID aka Auth_ID is required for API Key. The API key is a symmetric key aimed at protecting the communication (creating a hash signature) on packets between the client and the Yubico Online Validation Service. When generating the key an API ID (also called a Client ID) is also generated at the same time and this ID is sent by the client to the server in the authentication request and acts as a reference for the Validation Service to find the right API key in the database to create a signature when sending the authentication (response) result back to the to the (dot net) client.

The key is simply generated from any YubiKey that you have. Follow the link https://upgrade.yubico.com/getapikey/ and enter a valid email address (mainly used as an internal reference in the database) and an OTP from one of the YubiKeys you received. The result page will show the generated Client ID (API ID) and the generated API key (Secret Key). Make a record of both and use these two values in corresponding libraries and modules. Wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the servers in the Yubico Online Validation Service backend.

Hope this helps :)

Jim


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 18 posts ]  Go to page Previous  1, 2

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group