Yubico Forum :: View topic - Lightweight ssh linux login for yubikey

#!/bin/bash

trap "pkill -HUP -g 0" INT

# change this to your specific ID
ID=79

echo -n "Press key then enter ctrl-d: " > /dev/stderr

otp=`tr -c -d a-z < /dev/tty`

#Verifying that this is MY yubikey, not just some random one.
if echo $otp | grep staticpartofkey > /dev/null
then
echo Greetings
else
#Failed test
echo Intruders are not permitted, Begone with you > /dev/stderr
pkill -HUP -g 0
exit 3
fi

#Check the Yubi
if wget -O - "https://api.yubico.com/wsapi/verify?id=$ID&otp=$otp" 2> /dev/null | grep status=OK > /dev/null
then
echo Yubikey ok > /dev/stderr
exec /bin/bash
fi

#Failed test
echo bad Yubikey > /dev/stderr
pkill -HUP -g 0
exit 3

Author:	jonr [ Tue Nov 25, 2008 7:35 am ]
Post subject:	Lightweight ssh linux login for yubikey
I had problems with the pam yubikey module so I wrote an extremely simple script to force the use of a yubikey for ssh login to a linux box. You have to enter your normal password and then the yubikey. Is it secure? As secure as just the password; more than that, I can't say. To install, take this code and put it into ~/.ssh/rc ---cut here-- #!/bin/bash trap "pkill -HUP -g 0" INT # change this to your specific ID ID=79 echo -n "Press key then enter ctrl-d: " > /dev/stderr otp=`tr -c -d a-z < /dev/tty` if wget -O - "https://api.yubico.com/wsapi/verify?id=$ID&otp=$otp" 2> /dev/null \| grep status=OK > /dev/null then echo Yubikey ok > /dev/stderr exec /bin/bash fi echo bad > /dev/stderr pkill -HUP -g 0 exit 3

Author:	Simon [ Thu Nov 27, 2008 11:56 am ]
Post subject:	Re: Lightweight ssh linux login for yubikey
Cool. That's a more lightweight solution than PAM, thanks for sharing. /Simon

Author:	snizfast [ Fri Jan 30, 2009 5:18 pm ]
Post subject:	Re: Lightweight ssh linux login for yubikey
I had issues with the official PAM solution. The pam part worked fine but sshd would keep segfaulting. I think this will be less intrusive to get working on some of my work servers. I liked this because of its simplicity but wanted to be sure that it was my Yubikey not just some random one. There was not facility to verify this is my key. I did not see any way to add my key id to the api.yubico.com url. I used a simple check instead: Code: #!/bin/bash trap "pkill -HUP -g 0" INT # change this to your specific ID ID=79 echo -n "Press key then enter ctrl-d: " > /dev/stderr otp=`tr -c -d a-z < /dev/tty` #Verifying that this is MY yubikey, not just some random one. if echo $otp \| grep staticpartofkey > /dev/null then echo Greetings else #Failed test echo Intruders are not permitted, Begone with you > /dev/stderr pkill -HUP -g 0 exit 3 fi #Check the Yubi if wget -O - "https://api.yubico.com/wsapi/verify?id=$ID&otp=$otp" 2> /dev/null \| grep status=OK > /dev/null then echo Yubikey ok > /dev/stderr exec /bin/bash fi #Failed test echo bad Yubikey > /dev/stderr pkill -HUP -g 0 exit 3

Author:	lucienboland [ Fri Feb 06, 2009 3:59 pm ]
Post subject:	Re: Lightweight ssh linux login for yubikey
Good job on the script work around. I'm also experiencing segfaults with the pam module compiled on RHEL5 64bit. I'm using the latest subversion google code source code. Is anyone else also trying to figure out why the pam module is segfaulting? Cheers Lucien

Author:	cmoates [ Sat Feb 07, 2009 6:11 am ]
Post subject:	Re: Lightweight ssh linux login for yubikey
I just started a separate thread for that. Would be nice to know if the original poster was on 64 bit. I'm failing on both 64 bit Centos and Ubuntu at the moment, and will try Fedora 10 64 bit in the morning to verify. 32 bit version of Debian, Ubuntu, and Fedora all work fine.

Yubico Forum https://forum.yubico.com/

Lightweight ssh linux login for yubikey https://forum.yubico.com/viewtopic.php?f=8&t=210	Page 1 of 1

Page 1 of 1	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/