I believe passwords are the biggest security problem facing public computing, and YubiKey is the answer. A password is often the only thing between your stuff and the people who want to steal it, and passwords fall victim to all sorts of attacks. This little device acts like a USB keyboard: each time you press the button it types a one-time password (OTP), a 44-character string whose first 12 characters are the key's fixed public ID and whose remaining 32 characters change with every press.
There are all kinds of instructions for installing a YubiKey. Most are very confusing or miss a step; I hope this makes it simple for you. All you really need these days are the rpms from the EPEL repository. Note the release (/5/) and system type (/i386/) in the package URL. If you have a different system you will need the matching epel-release package. For example, the file for Red Hat 6 x86_64 is http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm.
rpm -i epel-release-5-4.noarch.rpm
yum install libyubikey
yum install pam_yubico
Put the following in /etc/pam.d/sshd, with the pam_yubico line first in the auth stack so that both the OTP and the normal password are required (replace #### with your own client id). Using "required" rather than "sufficient" means a valid OTP on its own never grants access, and the password prompt is still shown even when the OTP was rejected, so a failed login does not reveal which factor was wrong.
auth required pam_yubico.so id=#### debug authfile=/etc/sysconfig/yubikey
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
For more information on pam_yubico.so settings, see the project Wiki page.
Here are the parameters we are using:
"id": to indicate your client identity.
"key": to indicate your client key in base64 format.
"debug": to enable debug output to stdout or /var/run/pam-debug.log if it exists.
"authfile": to indicate the location of the file that holds the mappings of yubikey token IDs to user names.
System-wide
Create /etc/sysconfig/yubikey (the path given by authfile above). Each line holds a user name and one or more YubiKey token IDs separated by colons (colon-separated fields, like the passwd file), one line for each user you want to allow onto the system using a YubiKey. The token ID is the key's fixed 12-character public ID, i.e. the first 12 characters of any OTP the key types; the remaining 32 characters do not belong in this file.
The mappings should look like this, one per line:
<user name>:<yubikey token ID>:<yubikey token ID>
Individual, by user
Alternatively, when no authfile is given on the pam_yubico line, each user creates a ~/.yubico/authorized_yubikeys file inside their home directory and places their own mapping in that file. The file must have only one line, in the same format:
<user name>:<yubikey token ID>:<yubikey token ID>
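Before turning the module on, it is worth checking that the mapping file really contains the IDs your keys emit. The script below is an added example, not code from the post or from pam_yubico: it derives the 12-character public ID from an OTP and looks a user up in an authfile in the format above. SAMPLE_OTP and the authfile written by make_sample_authfile are constructed for illustration and are not real key output.

```bash
#!/bin/sh
# Added example (not from the original post): work out the 12-character
# public ID from a YubiKey OTP and check it against an authfile mapping, so
# /etc/sysconfig/yubikey can be sanity-checked before pam_yubico is enabled.
# SAMPLE_OTP and the authfile written by make_sample_authfile are constructed
# for illustration; they are not real key output.

# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv): the
# first 12 are the key's fixed public ID and the remaining 32 change with
# every press.  Only the first 12 belong in the authfile.
SAMPLE_OTP="ccccccbcgujhdgfhblurdivkcehgefjlhnktuvjcgilk"

# Print the public ID of an OTP, or return 1 if it is not a well-formed OTP
# (empty, wrong length, or characters outside the modhex alphabet).
yubikey_public_id() {
    otp="$1"
    case "$otp" in
        "" | *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#otp}" -eq 44 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# Write a sample authfile (user:tokenid[:tokenid...], one user per line)
# to a temporary file and print its path.  Contents are constructed.
make_sample_authfile() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        'root:ccccccbcgujh:ccccccbcvhrk' \
        'alice:ccccccbcdlft' > "$f"
    printf '%s\n' "$f"
}

# Return 0 if user $1 is mapped to token ID $2 in authfile $3, else 1.
# Only the user's own line is consulted; a token ID listed under another
# user does not count.
authfile_allows() {
    user="$1"; token="$2"; file="$3"
    while IFS= read -r line; do
        case "$line" in
            "$user":*) ;;
            *) continue ;;
        esac
        ids="${line#*:}"
        old_ifs="$IFS"; IFS=:
        for id in $ids; do
            if [ "$id" = "$token" ]; then
                IFS="$old_ifs"
                return 0
            fi
        done
        IFS="$old_ifs"
    done < "$file"
    return 1
}

# Usage: would root be accepted with the key that produced SAMPLE_OTP?
#   f=$(make_sample_authfile)
#   id=$(yubikey_public_id "$SAMPLE_OTP") && authfile_allows root "$id" "$f" \
#       && echo "root may log in with key $id"
```

To check a real key, paste a fresh press into yubikey_public_id and run authfile_allows against /etc/sysconfig/yubikey instead of the sample file; the ID it prints is exactly the string that must appear after the user name.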
To debug the process you can create a log file. Don't forget to remove this file, and the debug word from /etc/pam.d/sshd, when you are done: the log records details of every login attempt, and the chmod below leaves it writable by everyone. The file must exist before pam_yubico will write to it.
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
Now you can tail the log file and try logging in.
tail -f /var/run/pam-debug.log &
ssh -l root localhost
Try logging in with the password only and with the YubiKey only; both should be refused. Then try password+YubiKey, which should succeed. Note that sshd only runs the PAM auth stack for password and keyboard-interactive logins (UsePAM yes in sshd_config), so a public-key login is never asked for the OTP; test with password authentication.
Please email me if you have any troubles.