Yubico Forum


All times are UTC + 1 hour




Posted: Mon Jun 04, 2012 2:10 pm
Joined: Sun Oct 23, 2011 2:02 pm
Posts: 1
Requirement: Ubuntu 12.04 or Debian Wheezy & Yubikey standard.

Description: This is a quick tutorial on how to set up YubiKey auth for SSH login in Ubuntu and Debian. It slightly extends the official how-to. OS: Ubuntu 12.04 (Precise Pangolin) (ami-e1e8d395)

1. Prerequisites
Code:
sudo apt-get install libpam-yubico libykclient3


2. Check installation
Make sure `ls -la /lib/security/pam_yubico.so` exists.

3. Linking user to yubikey
Edit/create the /home/ubuntu/.yubico/authorized_yubikeys file and add:
Code:
ubuntu:ccccccbdefgh

ubuntu is the username and ccccccbdefgh is the yubikey ID. If this ssh-like approach does not work for you, see this for alternatives.

4. Edit pam.d config file `/etc/pam.d/sshd`
Add (at the beginning):
Code:
auth       required     pam_yubico.so id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

If you use the required option: the user's account password has to be set and typed with the yubikey upon login (i.e. two factor auth).
If sufficient is used: the user's account password is not required (i.e. one factor auth).
Get your own API ID and KEY; the values in the example above are faked.


5. Edit sshd config file `/etc/ssh/sshd_config`

Code:
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes


  1. One factor auth - yubikey only, passwords disabled
    pam_yubico.so is sufficient and:
    Code:
    PasswordAuthentication no

  2. One factor auth - yubikey OR password
    pam_yubico.so is sufficient and:
    Code:
    PasswordAuthentication yes

  3. Two factor auth - yubikey AND password
    pam_yubico.so is required and:
    Code:
    PasswordAuthentication yes

7. Restart sshd
Quote:
restart ssh


8. Test if it works.


Last edited by Vlastimil Ovčáčík on Thu May 30, 2013 1:10 am, edited 4 times in total.
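
Added example (not part of the original post or of Yubico's code): a small Python model of the `required` / `sufficient` choice in step 4, listing which factor combinations pass the PAM auth stack that sshd runs for keyboard-interactive logins when `ChallengeResponseAuthentication yes` and `UsePAM yes` are set. It assumes the stock `@include common-auth` line follows the pam_yubico line and behaves as a mandatory password check; the id/key values are placeholders.

```python
# Constructed sample of /etc/pam.d/sshd: the tutorial's pam_yubico line
# (placeholder id/key) followed by the distribution's password include.
PAM_SUFFICIENT = """\
auth sufficient pam_yubico.so id=PLACEHOLDER key=PLACEHOLDER
@include common-auth
"""
PAM_REQUIRED = PAM_SUFFICIENT.replace("sufficient", "required")

def parse_auth_stack(pam_text):
    """Return [(control, factor)] for the auth lines this model understands."""
    stack = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:2] == ["@include", "common-auth"]:
            # Assumption: common-auth amounts to a mandatory pam_unix password check.
            stack.append(("required", "password"))
        elif len(fields) >= 3 and fields[0] == "auth":
            factor = {"pam_yubico.so": "otp", "pam_unix.so": "password"}.get(fields[2])
            if factor:
                stack.append((fields[1], factor))
    return stack

def stack_grants(stack, have):
    """Apply required/requisite/sufficient semantics for the factors in `have`."""
    failed = succeeded = False
    for control, factor in stack:
        if factor in have:
            succeeded = True
            if control == "sufficient" and not failed:
                return True       # stack stops here, later modules never run
        elif control == "requisite":
            return False          # immediate denial
        elif control == "required":
            failed = True         # remembered, but later modules still prompt
        # a failed "sufficient" module is ignored and the stack continues
    return succeeded and not failed

def accepted_logins(pam_text):
    """Every factor combination that passes the modelled auth stack."""
    stack = parse_auth_stack(pam_text)
    combos = [set(), {"otp"}, {"password"}, {"otp", "password"}]
    return [sorted(c) for c in combos if stack_grants(stack, c)]

if __name__ == "__main__":
    print("sufficient:", accepted_logins(PAM_SUFFICIENT))
    print("required:  ", accepted_logins(PAM_REQUIRED))
```

`PasswordAuthentication` in sshd_config switches only the separate SSH password method, so it does not change what this PAM stack accepts.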

Posted: Sun Jan 20, 2013 6:55 am
Joined: Mon Dec 19, 2011 3:24 am
Posts: 9
Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask). :)


Posted: Mon Jan 21, 2013 10:37 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Thank you for your post.

This goes sticky.

_________________
-Tom


Posted: Tue Jan 29, 2013 3:46 pm
Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
It does not work as expected.
I have set up everything the same way as explained, and when connecting I am asked for the Yubikey and the password.
I have set up the pam.d/sshd with sufficient and altered the sshd_config as explained and nothing. I am still prompted for the password.
And what's worse is that if I press enter at the yubikey prompt, it goes straight to the password!
I am searching how my security level is increased here.


Posted: Wed Jan 30, 2013 11:06 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
Just a curiosity, do you encrypt your /home/user_with_yubikey?

Because in that config, you would not be able to read the authorized_yubikey file.

I will try the suggested configuration in this post to check if it works when I have 5 minutes.

_________________
-Tom


Posted: Wed Jan 30, 2013 1:55 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
I have tested the "one factor" and it works on Ubuntu 12.10

Image


If you want to use challenge-response mode, then follow this tutorial:
https://github.com/Yubico/yubico-pam/wi ... geResponse

_________________
-Tom


Posted: Fri Feb 01, 2013 12:10 pm
Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
You mean that in order for the SSH login to work without asking for a password, the Yubikey must be set up in challenge-response mode?


Posted: Fri Feb 01, 2013 1:11 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
No. You can authenticate yourself locally [challenge-response] or via the Internet using the YubiCloud service, for example.

If you choose to authenticate against the YubiCloud you need the Yubico OTP (the one configured in slot 1 by default).
If you choose to authenticate locally then you configure slot 2 of your Yubikey in challenge-response mode (following the other tutorial).

The password prompt depends on how you configure sshd / pam.

_________________
-Tom


Posted: Fri Feb 01, 2013 2:11 pm
Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
I have strictly followed the howtos and I am still prompted for the password. I don't know what more to do.


Posted: Fri Feb 01, 2013 3:45 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 666
I am sorry moulip, I have posted a screenshot showing that it works correctly with only ONE factor. Just the Yubikey OTP without password.

What I can suggest is to install a virtual machine with Ubuntu 12.10 and try again from scratch.

1) Do not set up encrypted home folder.
2) Check that the virtual machine can connect to the internet to validate the OTP
3) Try reading the tutorial bottom-up, this may unlock some words that you missed, it happens.

_________________
-Tom

