Yubico Forum :: View topic - Yubikey, SSH and debian

apt-get update
apt-get upgrade
apt-get install build-essential autoconf automake libtool libpam-dev subversion libcurl4-gnutls-dev

wget http://yubico-c.googlecode.com/files/libyubikey-1.1.tar.gz
tar zxvf libyubikey-1.1.tar.gz
cd libyubikey-1.1
./configure
make
make check
make install

wget http://yubico-c-client.googlecode.com/files/libyubikey-client-1.4.tar.gz
tar zxvf libyubikey-client-1.4.tar.gz
cd libyubikey-client-1.4
autoreconf -fvi
./configure
make check
make install

svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-svn
cd yubico-pam-svn
autoreconf --install
./configure
make clean
make check install

tar zxvf pam_yubico-1.8.tar.gz
cd pam_yubico-1.8
./configure
make check install

pico /etc/pam.d/sshd (This is my whole file)

# PAM configuration for the Secure Shell service

## YubiKey Config
# Administrative Level
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
#OR
# User Level
# auth required pam_yubico.so id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

pico /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
UsePAM yes
Not required but good pratice
PermitRootLogin? no

pico /etc/yubikeyid
timm:nktcdenuukhc:hgfujcchbnjg
pico /home/timm/.yubico/authorized_yubikeys
timm:nktcdenuukhc:hgfujcchbnjg

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_unix.so try_first_pass nullok_secure debug

# Standard Un*x authorization.
@include common-account

debian:/home/timm#
login as: timm
Using keyboard-interactive authentication.
Password:
Access denied

Author:	timm_tem [ Tue Sep 30, 2008 3:13 pm ]
Post subject:	Yubikey, SSH and debian
install standard server install of Debian lenny Code: apt-get update apt-get upgrade apt-get install build-essential autoconf automake libtool libpam-dev subversion libcurl4-gnutls-dev Code: mkdir yubikey Code: cd yubikey Code: wget http://yubico-c.googlecode.com/files/libyubikey-1.1.tar.gz tar zxvf libyubikey-1.1.tar.gz cd libyubikey-1.1 ./configure make make check make install Code: cd .. Code: wget http://yubico-c-client.googlecode.com/files/libyubikey-client-1.4.tar.gz tar zxvf libyubikey-client-1.4.tar.gz cd libyubikey-client-1.4 autoreconf -fvi ./configure make check make install Code: cd .. Code: svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-svn cd yubico-pam-svn autoreconf --install ./configure make clean make check install OR Code: tar zxvf pam_yubico-1.8.tar.gz cd pam_yubico-1.8 ./configure make check install I chose the SVN route Code: cd .. Code: pico /etc/pam.d/sshd (This is my whole file) # PAM configuration for the Secure Shell service ## YubiKey Config # Administrative Level auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug #OR # User Level # auth required pam_yubico.so id=16 debug # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. auth required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. auth required pam_env.so envfile=/etc/default/locale # Standard Unx authentication. @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. # account required pam_access.so # Standard Unx authorization. @include common-account # Standard Unx session setup and teardown. @include common-session # Print the message of the day upon successful login. session optional pam_motd.so # [1] # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Set up SELinux capabilities (need modified pam) # session required pam_selinux.so multiple # Standard Unx password updating. @include common-password Code: pico /etc/ssh/sshd_config ChallengeResponseAuthentication yes UsePAM yes Not required but good pratice PermitRootLogin? no Code: pico /etc/yubikeyid timm:nktcdenuukhc:hgfujcchbnjg pico /home/timm/.yubico/authorized_yubikeys timm:nktcdenuukhc:hgfujcchbnjg I rebooted to be sure that everything loaded but this is probably over kill I used putty to ssh to my Yubikey test box Password: (enter 'password' and touch the hgfujcchbnjg yubikey) And no matter if I try the admin or user level it will never log in if I comment out the Yubikey line ssh login works fine if someone can popint me in the right direction that would be great Thank you in advanced Tim

Author:	network-marvels [ Wed Oct 01, 2008 12:48 pm ]
Post subject:	Re: Yubikey, SSH and debian
We are looking into this and will update you soon.

Author:	network-marvels [ Thu Oct 02, 2008 4:55 pm ]
Post subject:	Re: Yubikey, SSH and debian
Thanks for reporting this issue. We have looked into this and found that there is a PAM configuration issue. Please follow steps below to fix this: 1) Edit /etc/pam.d/common-auth 2) Append try_first_pass parameter to the pam_unix.so module to authenticate the user with password passed from the preceding auth module. 3) The /etc/pam.d/common-auth looks like below after editing: # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # *auth required pam_unix.so try_first_pass* nullok_secure debug**

Author:	timm_tem [ Thu Oct 02, 2008 6:10 pm ]
Post subject:	Re: Yubikey, SSH and debian
network-marvels just want to say thank you for your quick response its much appreciated!! As I really want to make this work but I only use debian for my servers so it must work with debian before I can deploy it!! So as you suggested my /etc/pam.d/common-auth now looks like this but there is no change Code: # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_unix.so try_first_pass nullok_secure debug I rebooted to be sure that everything loaded. I am using VMware so if it a copy of my install would help them I can put it online for download? Any more help would again be greatly appreciated. Thank you Tim

Author:	network-marvels [ Fri Oct 03, 2008 8:03 am ]
Post subject:	Re: Yubikey, SSH and debian
We would appreciate if you can upload VMware image. We will download it and try to figure out the problem. Meanwhile, we have tested the Yubico PAM configuration on following test environment: 1) OS Version: Debian GNU/Linux lenny/sid \n \l 2) Kernel Version: Linux version 2.6.24-1-686 (Debian 2.6.24-7) 3) OpenSSH Version: OpenSSH_5.1p1 Debian-3 4) Yubico PAM Version: pam_yubico-1.8 5) /etc/pam.d/sshd: # PAM configuration for the Secure Shell service ## YubiKey Config # Administrative Level auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug # Standard Unx authentication. # Read environment variables from /etc/environment and # /etc/security/pam_env.conf. auth required pam_env.so debug # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. auth required pam_env.so envfile=/etc/default/locale debug #@include common-auth @include common-auth # Disallow non-root logins when /etc/nologin exists. account required pam_nologin.so # Uncomment and edit /etc/security/access.conf if you need to set complex # access limits that are hard to express in sshd_config. account required pam_access.so # Standard Unx authorization. @include common-account # Standard Unx session setup and teardown. @include common-session # Print the message of the day upon successful login. session optional pam_motd.so # [1] # Print the status of the user's mailbox upon successful login. session optional pam_mail.so standard noenv # [1] # Set up user limits from /etc/security/limits.conf. session required pam_limits.so # Set up SELinux capabilities (need modified pam) session required pam_selinux.so multiple # Standard Unx password updating. @include common-password 6) /etc/pam.d/common-auth: # # /etc/pam.d/common-auth - authentication settings common to all services # # This file is included from other service-specific PAM config files, # and should contain a list of the authentication modules that define # the central authentication scheme for use on the system # (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the # traditional Unix authentication mechanisms. # auth required pam_unix.so try_first_pass nullok_secure debug

Yubico Forum https://forum.yubico.com/

Yubikey, SSH and debian https://forum.yubico.com/viewtopic.php?f=4&t=191	Page 1 of 2

Author:	timm_tem [ Fri Oct 03, 2008 10:29 am ]
Post subject:	Re: Yubikey, SSH and debian
Thank you again the Image is avaliable at http://temsc.co.uk/uploads/Clone_of_Yubikey-PAM.zip The passwords are root:yubikey and timm:yubikey1234 Thank you again I have no more ideas Tim

Author:	timm_tem [ Fri Oct 03, 2008 10:47 am ]
Post subject:	Re: Yubikey, SSH and debian
I did find one difference in my /etc/pam.d/sshd to yours Code: # Standard Unx authorization. @include common-account In mine was commented out but I uncommented it but still no luck. The error I get every time is.... not sure if this is relevant the "Using keyboard-interactive authentication" Code:* debian:/home/timm# login as: timm Using keyboard-interactive authentication. Password: Access denied Thank you again Tim

Author:	timm_tem [ Fri Oct 03, 2008 10:55 am ]
Post subject:	Re: Yubikey, SSH and debian
timm_tem wrote: l ... I used putty to ssh to my Yubikey test box Password: (enter 'password' and touch the hgfujcchbnjg yubikey) ... Tim So I just wanted also to clarify this bit I type my username press enter then type my password press the yubikey and then the yubikey as such pressed enter on the password line for me? do I understand this correctly? is it not possible to have the username the password then the yubikey as 3 separate things? just for clarity in nothing else? Thank you in advanced Tim

Author:	network-marvels [ Fri Oct 03, 2008 4:34 pm ]
Post subject:	Re: Yubikey, SSH and debian
We have downloaded the VMware image uploaded by you. There was a small configuration issue. Please follow these steps to fix the issue: 1) Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security” 2) Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config” Thanks for pointing out this issue! This has helped us to generalize Yubico PAM module configuration to work on more Linux flavors. We will update the Yubico PAM configuration document on the Google Code site to reflect these changes.

Author:	timm_tem [ Fri Oct 03, 2008 4:57 pm ]
Post subject:	Re: Yubikey, SSH and debian
Thank you for all you help!! Its greatly appriciated as it can be hard to find help! Also glad that I could be of help to further the project! network-marvels wrote: 1) Copy the pam_yubico.so module from “/usr/local/lib/security” to “/lib/security” 2) Edit the sshd configuration file “/etc/ssh/sshd_config” to disable challenge-response passwords. Change “challenge-response passwords yes” to “challenge-response passwords no” from line 47 of “/etc/ssh/sshd_config” interesting that the “challenge-response passwords” is now set to no as the only reason I changed it was because it was something I had to do to get this to work before!? But I am glad we have a fix! Thank you again Tim

Page 1 of 2	All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group https://www.phpbb.com/