Yubico Forum
https://forum.yubico.com/

OpenSSH solution without PAM nor remote API
https://forum.yubico.com/viewtopic.php?f=3&t=860
Page 1 of 1

Author:  unicycle1 [ Thu Sep 06, 2012 3:55 am ]
Post subject:  OpenSSH solution without PAM nor remote API

Most of the code I see everywhere is meant for Linux, sometimes OpenBSD but I hardly ever see any FreeBSD examples.
Pretty much everything I see fails, for various reasons, not just autoconf 1.12, so I had to come up with an alternative.
I've seen a couple of ForceCommand variants, but they all depend on a working connection to a remote API and again software that doesn't compile.
Now thanks to Phil Massyn (out here on these fora) there is a useful Perl module: Auth::Yubikey_Decrypter
Then in the FreeBSD ports I found p5-Auth-YubikeyDecrypter, which I've used in a perl script, that also checks for replay attacks.

My solutions is relative simple/compact, and involves:

- /home/john/.ssh/yubikey
- /home/john/.ssh/yubikey_count
- /etc/ssh/sshd_config
- /etc/ssh/yubikey.sh
- /etc/ssh/yubikey.pl


/home/john/.ssh/yubikey contains the private id, a delimiter, and the aes
Code:
1d1d1d1d1d1d:ae5ae5ae5ae5ae5ae5ae5ae5ae5aeetc

/home/john/.ssh/yubikey_count contains the counter against replay attacks
Code:
0

/etc/ssh/sshd_config with the ForceCommand
Code:
AllowUsers root@192.168.0.37 john
PermitRootLogin yes
MaxAuthTries 3   
UseDNS no

Match User john # ...or Match Group ykusers
   X11Forwarding no
   AllowTcpForwarding no
   ForceCommand /etc/ssh/yubikey.sh

the yubikey.sh script that above config refers to:
Code:
#!/bin/sh

# MIND: further on this script uses OTP's of 44 chars;
# but this could be different in your customized OTP's
# Some OS's `read` command have delimiter options - for example 44 chars :)

trap disconnect INT
disconnect() {
  kill -9 $PPID
  exit 1
  }

# stty -echo # uncomment this (and below) if you prefer to hide the public ID
read -p "OTP: " -t 15 OTP_INPUT
# stty echo  # sometimes `read` has -s (silent)
echo; echo   # cosmetics

OTP=$(echo "$OTP_INPUT" | tr -c -d a-z)
if [ $? == 0 ] && [ ${#OTP} == 44 ]; then
  CNT=`cat .ssh/yubikey_count`
  NEW=`perl -T -- /etc/ssh/yubikey.pl $OTP $CNT`
  if [ $? == 0 ]; then
    echo $NEW > .ssh/yubikey_count
  # clear
    login -f $USER
    disconnect
  fi
fi

echo "invalid OTP" > /dev/stderr
disconnect

the yubikey.pl code that the perl command in above script executes
Code:
use strict;
use Auth::Yubikey_Decrypter;

# get values
open (FILE, "<", ".ssh/yubikey") or die "Could not open yubikey file.\n";
my @line = <FILE>;
chomp $line[0];
my @ykdata = split ":" , $line[0];
close FILE or die $!;

# decrypt:
my ($publicID,$secretid_hex,$counter_dec,$timestamp_dec,$session_use_dec,$random_dec,$crc_dec,$crc_ok) =
    Auth::Yubikey_Decrypter::yubikey_decrypt($ARGV[0],$ykdata[1]);

# prepare to check replay attacks
my $ctr32 = (($counter_dec & 0x7fff) << 8) + $session_use_dec;

# validate:
if ( $ykdata[0] eq $secretid_hex && $crc_ok == 1 && $ctr32 > $ARGV[1] ) {
  print $ctr32;
  exit 0;
  }

exit 1;

Now...
chmod 744 /etc/ssh/yubikey.*
/etc/rc.d/sshd reload
...and do NOT logout, but see if all of the above works well by initiating a new session as user "john".
This hopefully work for most *nix flavors.

Yes, it's also another of the same, still; let me know if you think it can be improved, or have a good argument you think this method is useless, or maybe is better than PAM.
One improvement would be having the yubikey data/count files not in the user directories.
Another to have it working without perl, but all in sh or csh or maybe even a C binary that does the same.

Author:  Klas [ Fri Sep 07, 2012 7:17 am ]
Post subject:  Re: OpenSSH solution without PAM nor remote API

Hello,

Interesting solution!
We have a (maybe not expressed) goal that all our opensource software should be portable. If you let us know about concrete cases where the software fails on FreeBSD we'll look into fixing those issues. Either let us know here on the forums or in the issue tracker on github/google code.

/klas

Page 1 of 1 All times are UTC + 1 hour
Powered by phpBB® Forum Software © phpBB Group
https://www.phpbb.com/