I believe that passwords are the biggest security problem facing public computing and that the YubiKey is the answer. A password is often the only thing between your stuff and the people who want to steal your stuff. Passwords fall victim to all sorts of attacks. This little device acts like a USB keyboard: each time you press the button it generates a thirty-two character one-time password (OTP).
There are all kinds of instructions for installing a YubiKey. Most are very confusing or miss a step. I hope this makes it simple for you. All you really need these days are the RPMs from the EPEL repository. Note the release (/5/) and system type (/i386/) in the URL below. If you have a different system you will need to get the right EPEL package. For example, the file for Red Hat 6 x64 is http://download.fedora.redhat.com/pub/epel/6/x86_64/epel-release-6-5.noarch.rpm.
wget http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-4.noarch.rpm
rpm -i epel-release-5-4.noarch.rpm
yum install libyubikey
yum install pam_yubico
vi /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_yubico.so id=#### debug authfile=/etc/sysconfig/yubikey
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
For more information on pam_yubico.so settings, see the project Wiki page.
Here are the parameters we are using.
"id": to indicate your client identity.
"key": to indicate your client key in base64 format.
"debug": to enable debug output to stdout, or to /var/run/pam-debug.log if it exists.
"authfile": to indicate the location of the file that holds the mappings of YubiKey token IDs to user names.
Create /etc/sysconfig/yubikey. This file must contain a user name and the YubiKey token ID(s), separated by colons (same format as the passwd file), for each user you want to allow onto the system using a YubiKey.
The mappings should look like this, one per line:
#<username>:<yubikey_id>:<yubikey_id>:...
root:ccccccxhi:cccccczws
mark:ccccccisu
Individual, by user
Each user creates a ~/.yubico/authorized_yubikeys file inside their home directory and places the mapping in that file. The file must contain only one line:
<user name>:<yubikey token ID>:<yubikey token ID>
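To see what the mapping lookup amounts to, here is an added example (not part of the original post and not pam_yubico's own code) that parses a mapping file in the format above and checks whether the key that produced a given OTP is one listed for the user. It assumes the standard YubiKey OTP layout (44 modhex characters, the first 12 being the key's public ID); the sample mapping file and OTP are constructed.

```python
# Constructed sample mapping file in the format this post describes:
# "<username>:<token_id>:<token_id>..." one user per line, '#' comments allowed.
SAMPLE_AUTHFILE = """\
#<username>:<yubikey_id>:<yubikey_id>:...
root:cccccccccccb:cccccccccccd
mark:cccccccccccf
"""

MODHEX = set("cbdefghijklnrtuv")   # the 16-letter modhex alphabet YubiKey OTPs use
OTP_LEN = 44                       # assumed: standard YubiKey OTP length
PUBLIC_ID_LEN = 12                 # assumed: public identity prefix of the OTP


def parse_authfile(text):
    """Map each user name to the set of YubiKey public IDs allowed for it."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        if not user or not ids:
            raise ValueError(f"line {lineno}: expected user:tokenid[:tokenid...]")
        for tid in ids:
            if not set(tid) <= MODHEX:    # reject IDs outside the modhex alphabet
                raise ValueError(f"line {lineno}: token ID {tid!r} is not modhex")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def public_id(otp):
    """Return the public ID prefix of an OTP, or None if it is not well formed."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]


def token_allowed_for_user(mapping, user, otp):
    """The local user-to-key check: the key that produced the OTP must be one
    of the public IDs listed for this user in the mapping file."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(user, set())
```

This is only the local user-to-key mapping check; pam_yubico still has to validate the OTP itself (which is why the client id and key are configured), and this example does not do that.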
To debug the process you can create a log file. Don't forget to remove this file and the debug word from /etc/pam.d/sshd when you are done.
touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
Now you can tail the log file and try logging in.
tail -f /var/run/pam-debug.log &
ssh -l root localhost
Try logging in with only a password, then with only the YubiKey. Then try password plus YubiKey.
Please email me if you have any troubles.