Yubico Forum
https://forum.yubico.com/

Using the latest pam_yubico module
https://forum.yubico.com/viewtopic.php?f=5&t=174
Page 1 of 1

Author:  pmk [ Mon Sep 01, 2008 4:16 am ]
Post subject:  Using the latest pam_yubico module

All:

Dion has published his latest version of the pam_yubico module. This version supports mapping yubikey IDs to users and eliminates some static buffers that the Yubico folks weren't happy with.

So you can finally authenticate users safely for SSH and other services via PAM (including PAM-capable RADIUS servers), without worrying that anyone with a yubikey could access your system. This is great news and means that we'll be able to start replacing our Cryptocards with Yubikeys in the near future.

Right now, the module doesn't come with great docs, so I figured I'd document how I got it working on my servers. Here's the drill:
  • Compile and install the latest Yubikey C client from http://code.google.com/p/yubico-c-client/downloads/list (I used 1.2)
  • Check out the latest pam_yubico code (svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-read-only). I used r38.
  • Configure, compile and install pam_yubico.so. I used ./configure --with-libyubikey-client-prefix=/usr/local, but you may need to point it somewhere else, if your yubikey libraries are elsewhere.
  • Get a Yubico API ID at https://api.yubico.com/get-api-key/.
  • Modify the pam configuration for your sshd to add pam_yubico.so. On CentOS/RHEL, you can do this globally by editing /etc/pam.d/system-auth or you can edit the specific service you want to test with. For my test, I only modified /etc/pam.d/sshd. You need to add a line that reads
    Code:
    auth       sufficient   /usr/local/lib/security/pam_yubico.so id=xxx debug
    and change the xxx to your API ID. If you want to continue to allow password-based authentication (highly recommended for testing), change other auth lines that do authentication (on CentOS/RHEL, the call to system-auth) to sufficient as well. Here's what my sshd looked like after I got done editing it:
    Code:
    auth       sufficient   /usr/local/lib/security/pam_yubico.so id=269 debug
    auth       sufficient   pam_stack.so service=system-auth
    auth       required     pam_nologin.so
    account    required     pam_stack.so service=system-auth
    password   required     pam_stack.so service=system-auth
    session    required     pam_stack.so service=system-auth
    session    required     pam_loginuid.so
  • If you don't plan to use two-factor authentication (a user-entered PIN/password, in addition to the yubikey output), add yubikeyonly=1 to the pam_yubico.so line.
  • If you _do_ plan to use two-factor authentication, create a pam service called yubikey-multifactor with a single auth line, that calls the appropriate authentication service for the PIN/password. On my system, this looks like this:
    Code:
    auth       required     pam_stack.so service=system-auth
  • Create a file in $HOME/.yubikey/ called authorized_keys that contains your Yubikey IDs, separated by newlines. A newline is _required_ even if you only have a single Yubikey.
  • Create a file called /tmp/pam-debug.log and chmod it to 666, so you can see debug output emitted by the yubico module. This is recommended for testing, but this file should be deleted once testing is complete, as it will contain sensitive information.
  • Try to login! If you are using two-factor authentication, you should enter your normal UNIX password, then hit the button on your yubikey. If you are only using one-factor authentication, just pressing the yubikey will be enough.
  • If you make it in, congrats! You're ready to go. If not, check /tmp/pam-debug.log and see what happened.
  • Don't forget to delete /tmp/pam-debug.log!

There are other tricks you can do (define a global list of valid IDs in /etc/yubico-pam.conf, use an options file to control two-factor auth on a user-by-user basis (not sure this is the best idea, if not globally override-able)) so check out the source for more details.

I hope this helps someone. And thanks to Dion for the great work!

Author:  kseistrup [ Mon Sep 01, 2008 3:23 pm ]
Post subject:  Re: Using the latest pam_yubico module

pmk wrote:
Code:
auth       sufficient   pam_stack.so service=system-auth

Please note that pam_stack.so has been obsoleted by the include directive.

Cheers,
Klaus

Author:  Simon [ Tue Sep 02, 2008 10:52 am ]
Post subject:  Re: Using the latest pam_yubico module

The latest official pam_yubico release, 1.7, should have similar functionality in it, and documentation on how to set this up is available from:

http://code.google.com/p/yubico-pam/wik ... dSSHViaPAM

It doesn't use recursive PAM queries, but retains the password part of the entered information for later PAM modules to verify.

If anyone has tested this and Dion's work and can compare them, that would be helpful. We are trying to make our pam module support all features. The code we have merged came from a different author than Dion, but they have now stopped improving it, so if Dion wants to resume with our current code it will be easier for us to merge the code.

/Simon

Author:  pmk [ Tue Sep 02, 2008 2:50 pm ]
Post subject:  Re: Using the latest pam_yubico module

Simon:

I've been unable to make the multifactor in pam_yubico_1.7 work correctly. With the auth section of my /etc/pam.d/sshd setup like this:

auth required /usr/local/lib/security/pam_yubico.so id=269 debug
auth required pam_stack.so service=system-auth

Authentication requests always fail. pam-debug.log shows that the password is being properly broken off from the token and that the token auth is working fine. But the login never succeeds.

What was your guys' two-factor test setup?

Author:  paul [ Thu Sep 11, 2008 11:40 pm ]
Post subject:  Re: Using the latest pam_yubico module

pmk wrote:
Simon:

I've been unable to make the multifactor in pam_yubico_1.7 work correctly. With the auth section of my /etc/pam.d/sshd setup like this:

auth required /usr/local/lib/security/pam_yubico.so id=269 debug
auth required pam_stack.so service=system-auth

Authentication requests always fail. pam-debug.log shows that the password is being properly broken off from the token and that the token auth is working fine. But the login never succeeds.

What was your guys' two-factor test setup?

Hi pmk, can you share the pam-debug.log and explain what you mean by the password being broken off? Someone here at Yubico will be helping on this issue asap.

Thanks

Author:  pmk [ Fri Sep 12, 2008 3:36 pm ]
Post subject:  Re: Using the latest pam_yubico module

See below. By breaking off the password, I mean that the token and password are being separated correctly.

Can you post your working config? Thanks.

[pam_yubico.c:pam_sm_authenticate(217)] called.
[pam_yubico.c:pam_sm_authenticate(218)] flags 1 argc 2
[pam_yubico.c:pam_sm_authenticate(220)] argv[0]=id=269
[pam_yubico.c:pam_sm_authenticate(220)] argv[1]=debug
[pam_yubico.c:pam_sm_authenticate(221)] id=269
[pam_yubico.c:pam_sm_authenticate(222)] debug=1
[pam_yubico.c:pam_sm_authenticate(223)] alwaysok=0
[pam_yubico.c:pam_sm_authenticate(224)] authfile=(null)
[pam_yubico.c:pam_sm_authenticate(235)] get user returned: modus
[pam_yubico.c:pam_sm_authenticate(245)] get password returned: (null)
[pam_yubico.c:pam_sm_authenticate(275)] conv returned: [password]bcbtkuvenfnhugcggjhctrcclhuvcfiebcfjvdljjggj
[pam_yubico.c:pam_sm_authenticate(321)] Token is : bcbtkuvenfnhugcggjhctrcclhuvcfiebcfjvdljjggj and password is [password]
[pam_yubico.c:pam_sm_authenticate(322)] Token ID is: bcbtkuvenfnh
[pam_yubico.c:check_user_token(112)] Got user record :: modus:bcbtkuvenfnh
[pam_yubico.c:check_user_token(119)] Token Found :: bcbtkuvenfnh
[pam_yubico.c:pam_sm_authenticate(356)] libyubikey-client return value (0): Success
[pam_yubico.c:pam_sm_authenticate(377)] done. [Success]
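
As an added example (not pam_yubico's code, and not pmk's or Yubico's), here is the logic the debug log above walks through and that the authorized_keys step in the first post relies on, written in Python: splitting the entered string into password and OTP, taking the 12-character token ID, and checking it against the user's list of IDs. It assumes a Yubikey OTP is 44 modhex characters (the token in the log is one) with the public ID in the first 12; the sample password and authorized_keys contents are constructed, and OTP validation against the Yubico server is deliberately left out.

```python
# Added example, not the module's own code: the password/OTP split and the
# per-user ID lookup the thread's debug log shows (assumed OTP layout: 44
# modhex characters, the first 12 of which are the key's public ID).
MODHEX = set("cbdefghijklnrtuv")   # Yubikey modhex alphabet
OTP_LEN = 44                        # length of a full Yubikey OTP
PUBLIC_ID_LEN = 12                  # leading public identity of the key


def split_password_and_otp(entered):
    """Return (password, otp) from a single 'passwordOTP' string.

    Mirrors the log line 'Token is : ... and password is [...]': the OTP is
    the trailing 44 modhex chars, the rest goes on to the next PAM module.
    Returns (None, None) when no well-formed OTP is present.
    """
    if len(entered) < OTP_LEN:
        return None, None
    password, otp = entered[:-OTP_LEN], entered[-OTP_LEN:]
    if any(ch not in MODHEX for ch in otp):
        return None, None
    return password, otp


def public_id(otp):
    """The 12-char 'Token ID' that is matched against authorized_keys."""
    return otp[:PUBLIC_ID_LEN]


def parse_authorized_ids(text):
    """One public ID per line; blank lines and '#' comments are ignored and a
    missing final newline is tolerated (the module on the page required one)."""
    ids = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ids.add(line)
    return ids


def user_owns_token(entered, authorized_ids):
    """True only if the OTP's public ID is listed for this user, so a valid OTP
    from somebody else's Yubikey does not unlock the account."""
    _, otp = split_password_and_otp(entered)
    return otp is not None and public_id(otp) in authorized_ids


if __name__ == "__main__":
    # Constructed sample: the OTP quoted in the log, a made-up password and an
    # authorized_keys body with a comment and no trailing newline.
    otp = "bcbtkuvenfnhugcggjhctrcclhuvcfiebcfjvdljjggj"
    keys = parse_authorized_ids("# modus's keys\nbcbtkuvenfnh")
    print(split_password_and_otp("s3cret" + otp))
    print(user_owns_token("s3cret" + otp, keys))  # True
```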
