Yubico Forum

Some descriptions of the term:

The magic number 16, AKA Client ID

In /etc/pam.d/sshd


the id variable is your Client ID. To get hold of the Client ID I needed to login to the Yubikey Managing System/YMS hosted by Yubico at URL https://api.yubico.com/yms/yubi_login.php.

Strip the Client- text from the ClientID and use that number in place of 16.


Getting access to Yubikey Management System:
To actually be able to login to the YMS system I needed to email yms@yubico.com, with detailed information of the purchase of my Yubikey + two sequentallly generated One Time Passwords (OTP) using the same e-mail address I used when I purchased my Yubikey

Once there, the client ID is displayed at the title bar as highlighted in the attached image.



The yubikey id file
In the file /etc/yubikeyid you define your system user-name you use which you use when normally logging in. The code after the colon-sign is the first 12 characters of your Yubikey One Time password



Actually logging in to the SSH server
After all configurations are done you may to restart the SSH server. On my debian machine I used sudo /etc/init.d/ssh restart

After all that was done I logged in with
ssh username@hostname

Please observe that when SSH asked me for password, you need to first enter your regular password and then press the button on the Yubikey device. For the longest time I only used the OTP to try to authenticate, which got me a permission denied reply.



Debugging
To see if if the PAM module is working correctly and you have debug enabled in /etc/pam.d/sshd you might want to create a world writable log file


After a login attempt:

After everything is good I would remove the debug from the /etc/pam.d/sshd file and restart SSH

If a single person is helped by this post, then I am very happy... For it has been a quite enfuriating experience to not realize that you need to enter the regular password and the OTP from Yubikey.

I found your post very useful.

Eventually, I found my problem corrected by doing the following to my CentOS vmware image:


Thanks!

I followed the above instructions, as well as the wiki article on how to set up Yubikey PAM for SSH and have a fully working system.

I have issued myself and 2 other users with Yubikeys, all of us having sudo on our machines. However, for regular users I don't want to give them Yubikeys, they should just be able to login with their username and password.

Unfortunately, I have found that users without Yubikeys cannot login, i.e. if they aren't in the /etc/yubikeyid file, they can't login.

Is there any way around this?

Thanks

Yubico PAM module does not currently support selective two or single factor authentication based on specific user IDs (only two factor authentication is supported for all users). Supporting this functionality is currently on Yubico's roadmap.

However, if you can make some simple changes to the Yubico PAM module then it would be possible to use the same Yubico PAM module to authenticate selective users based on Yubikey bindings i.e. if a user has YubiKey assigned, then it would require 2 factor auth. otherwise only user name and password will be sufficient to authenticate.

The changes are needed to be made in the logic where the Yubico PAM module looks for the YubiKey ID and Username binding. If no YubiKey ID and Username binding found for a user, then the Yubico PAM module should skip all checks and send the success signal to the underlying PAM modules.

We hope this helps!

Hi there,

Based on your suggestion I've created a patch for pam_yubico.c

Changelog

• Added a check_user_in_auth_file function which is just check_user_token but with only the username checking, no token checking. This is called near the beginning of pam_sm_authenticate.
• Moved user auth file path code from authorize_user_token to a new function get_userfile. This was so I could reuse it in check_user_in_auth_file.

New code in pam_sm_authenticate


New functions in pam_yubico


I've tested this with the /etc/ authfile and it works as expected, though I've not tested with the user auth file - as far as I can see though the code should work for that.

Patch against latest version in the pam_yubico SVN is attached in a tar.gz (won't let me attach txt files, disallowed in phpBB config).

Just noticed an errant line in the above code.



should just be



Copy & paste oversight...

Thank you for creating the Patch! We appreciate your efforts to make the Yubico PAM more robust and useful!

The process to generate a Client ID has changed since Jonix's entry above regarding YMS. Shamelessly copy-and-pasted from my reply this morning from yubico, this is the procedure you need to follow to generate a Client ID currently:

The Client ID aka Auth_ID is required for API Key. The API key is a symmetric key aimed at protecting the communication (creating a hash signature) on packets between the client and the Yubico Online Validation Service. When generating the key an API ID (also called a Client ID) is also generated at the same time and this ID is sent by the client to the server in the authentication request and acts as a reference for the Validation Service to find the right API key in the database to create a signature when sending the authentication (response) result back to the to the (dot net) client.

The key is simply generated from any YubiKey that you have. Follow the link https://upgrade.yubico.com/getapikey/ and enter a valid email address (mainly used as an internal reference in the database) and an OTP from one of the YubiKeys you received. The result page will show the generated Client ID (API ID) and the generated API key (Secret Key). Make a record of both and use these two values in corresponding libraries and modules. Wait 5 to 10 minutes after generating the key before testing so that the API key will be updated on all the servers in the Yubico Online Validation Service backend.

Hope this helps

Jim