Two-factor SSH with YubiKey on CentOS 5.6

I believe passwords are the biggest security problem facing public computing and YubiKey is the answer. A password is often the only thing between your stuff and the people who want to steal your stuff. Passwords fall victim to all sorts of attacks. This little device acts like a USB keyboard: each time you press the button it types a 44-character one-time password (OTP), made up of the key's fixed 12-character public ID followed by 32 characters that change on every press.

There are all kinds of instructions for installing a YubiKey. Most are very confusing or miss a step. I hope this makes it simple for you. All you really need these days are the rpms from the EPEL repository. Note the release /5/ and system type /i386/ in the URL below. If you have a different system you will need the matching epel-release package; for example, the file for RHEL 6 x86_64 is http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm.

wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -i epel-release-5-4.noarch.rpm
yum install libyubikey
yum install pam_yubico
vi /etc/pam.d/sshd
#%PAM-1.0
auth       required   pam_yubico.so id=#### debug authfile=/etc/sysconfig/yubikey
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

pam_yubico asks for the OTP through the PAM conversation, so sshd has to be allowed to run that conversation: in /etc/ssh/sshd_config set UsePAM yes and ChallengeResponseAuthentication yes (the stock CentOS file sets it to no), then restart sshd (service sshd restart). Without that, sshd's plain password authentication can only answer a single prompt. For more information on pam_yubico.so settings, see the project Wiki page.

Here are the parameters that matter for the line above.

  "id":         your client ID, obtained when you sign up for a
                Yubico API key (the #### placeholder above).

  "key":        your client API key in base64 format. It is not on
                the line above, but with it pam_yubico signs its
                validation requests and checks the signature on the
                server's reply; without it pam_yubico cannot verify
                that the answer really came from the validation server.

  "debug":      enable debug output to stdout, or to
                /var/run/pam-debug.log if that file exists.

  "authfile":   the location of the file that holds the mappings of
                YubiKey token IDs to user names.

Create /etc/sysconfig/yubikey (the authfile named above). Each line holds a user name and that user's YubiKey token IDs separated by colons (the same field separator as the passwd file), one line for every user you want to allow onto the system with a YubiKey. The token ID is the key's public identity: the first 12 characters of any OTP it emits. Keep the file owned by root and not writable by anyone else, since sshd's PAM stack trusts whatever it contains.

The mappings should look like this, one per line (the IDs shown are illustrative):

#<username>:<yubikey_id>:<yubikey_id>:...
root:ccccccxhi:cccccczws
mark:ccccccisu

Individual, by user

Alternatively, each user creates a ~/.yubico/authorized_yubikeys file in their home directory and puts their own mapping there. The file must contain exactly one line, in the same format:

<user name>:<yubikey token ID>:<yubikey token ID>
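As an added example (not code from the original post or from the pam_yubico project), the following POSIX shell functions check the pieces the two mapping files above rely on: whether a string is a well-formed Yubico OTP, which 12-character public ID it carries, which user a mapping file assigns that ID to, and whether the file's permissions are sane. The same lookup serves /etc/sysconfig/yubikey and a user's ~/.yubico/authorized_yubikeys, since both use the user:id:id layout. The mapping file, token IDs and OTPs it uses are constructed for illustration and are not real keys; the 44-character layout (12 modhex characters of public ID plus 32 that change per press) is assumed from Yubico's OTP format, and the permission check assumes GNU stat.

```sh
#!/bin/sh
# Added example, not part of the original post or of pam_yubico.
# Checks a pam_yubico mapping file (user:tokenid:tokenid...) against an OTP.
# Assumes the Yubico OTP layout: 12 modhex chars of public ID followed by
# 32 modhex chars that change on every press, 44 chars in total.

# Return 0 if $1 is a well-formed Yubico OTP: 44 chars, all from the modhex
# alphabet cbdefghijklnrtuv.
otp_is_wellformed() {
    case "$1" in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#1}" -eq 44 ]
}

# Print the public ID (the token ID used in the mapping file) of OTP $1.
otp_public_id() {
    printf '%s\n' "$1" | cut -c1-12
}

# Print the user that mapping file $2 assigns the public ID of OTP $1 to.
# Returns 1 if the OTP is malformed or its ID is not mapped to anyone.
otp_owner() {
    otp_is_wellformed "$1" || return 1
    _id=$(otp_public_id "$1")
    awk -F: -v id="$_id" '
        /^#/ || NF < 2 { next }                  # skip comments and short lines
        { for (i = 2; i <= NF; i++)
              if ($i == id) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$2"
}

# Return 0 if mapping file $1 is not writable by group or others. sshd's PAM
# stack trusts the file, so anyone who can write it can map their key to root.
authfile_perms_ok() {
    _mode=$(stat -c '%a' "$1") || return 1      # e.g. 644 (GNU stat)
    _go=${_mode#"${_mode%??}"}                  # last two digits: group, other
    _g=${_go%?}
    _o=${_go#?}
    [ $(( _g & 2 )) -eq 0 ] && [ $(( _o & 2 )) -eq 0 ]
}

# Constructed sample data (not real keys) so the functions run offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_AUTHFILE="$SAMPLE_DIR/yubikey"
cat > "$SAMPLE_AUTHFILE" <<'EOF'
#<username>:<yubikey_id>:<yubikey_id>:...
root:ccccccbchvth:cccccccddghk
mark:ccccccbcdefg
EOF
chmod 644 "$SAMPLE_AUTHFILE"

# A copy with a dangerous mode, to show the permission check rejecting it.
LOOSE_AUTHFILE="$SAMPLE_DIR/yubikey.loose"
cp "$SAMPLE_AUTHFILE" "$LOOSE_AUTHFILE"
chmod 666 "$LOOSE_AUTHFILE"

# Constructed OTPs: a mapped public ID plus 32 modhex chars, and one from an
# unmapped key.
OTP_MARK='ccccccbcdefglnrtuvcbdefghijklnrtuvcbdefghijk'
OTP_ROOT='cccccccddghklnrtuvcbdefghijklnrtuvcbdefghijk'
OTP_UNMAPPED='ccccccvvvvvvlnrtuvcbdefghijklnrtuvcbdefghijk'

# Demo: who does each OTP belong to, and is the file safe to trust?
for otp in "$OTP_MARK" "$OTP_ROOT" "$OTP_UNMAPPED"; do
    if owner=$(otp_owner "$otp" "$SAMPLE_AUTHFILE"); then
        echo "$otp -> $owner"
    else
        echo "$otp -> no mapped user"
    fi
done
authfile_perms_ok "$SAMPLE_AUTHFILE" && echo "$SAMPLE_AUTHFILE: permissions ok"
authfile_perms_ok "$LOOSE_AUTHFILE" || echo "$LOOSE_AUTHFILE: group/other writable, fix with chmod 644"
```

Run it against your real file with otp_owner "<an OTP from the key>" /etc/sysconfig/yubikey to confirm the mapping before you lock yourself out; the public ID is stable, so any OTP the key has ever produced identifies it.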

To debug the process you can create a log file. Don't forget to remove the file and the debug option from /etc/pam.d/sshd when you are done: the log is world-writable and records the details of every login attempt.

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log

Now you can tail the log file and try logging in.

tail -f /var/run/pam-debug.log &
ssh -l root localhost

Try logging in with the password only, then with the YubiKey only; both should be refused. Then try password+YubiKey, which should succeed. If the password alone still gets you in, sshd is not running the pam_yubico line.

Please email me if you have any troubles.


This entry was posted in Examples.
