Linux and Unix Users Group at Virginia Tech Wiki

Yubikey

Revision of 04:43, 4 September 2014 (6,950 bytes added), edit summary: Uniluug migration
The '''Yubikey''' is a [[w:security token|security token]], intended to be used for [[w:Two-factor authentication|two-factor authentication]], that emulates a keyboard to type one-time passwords generated with an AES key embedded in the device. There is also support for static passwords and [[w:HMAC|HMAC-SHA1]] challenge/response authentication.

== PAM two-factor One-Time Password authentication ==

'''Note:''' Make sure you have at least one user that is able to log in without a Yubikey. In this mode pam_yubico validates each one-time password against Yubico's online validation service, so if the machine cannot reach the Internet you will not be able to log in with your Yubikey.

* Install [https://github.com/Yubico/yubico-pam pam_yubico] for your desired Linux distribution.
* Create a '''yubikey''' group if one does not exist already:
 sudo groupadd yubikey
* Add the users that you would like to authenticate with a Yubikey to this group like this:
 sudo usermod -aG yubikey username
* Each user must have a '''~/.yubico/authorized_yubikeys''' file for Yubikey authentication to work. You can create one like this:
 mkdir .yubico
 chmod 0700 .yubico
 nano .yubico/authorized_yubikeys
Type your username, followed by a colon, then insert and press your Yubikey. Delete all but the first 12 characters of the one-time password generated by your Yubikey; these 12 characters are the key's public ID and stay the same for every password it generates, while the rest changes each time. For example, if your one-time password was
 ccccaaaabbbbddddeeeeffffgggghhhhbiiiijjjjkkk
then your file should look like
 username:ccccaaaabbbb
Note that you can assign multiple Yubikeys to your account; simply separate the 12-character token IDs with colons, like so:
 username:ccccaaaabbbb:ccccfabhhhhh
* Next, you will need to [https://upgrade.yubico.com/getapikey/ register for a Yubico API key]. Make note of the '''id''' and '''key''' as you will need them for the next step.
* The next step depends on your distribution due to differing PAM configuration layouts.
** If you are on [[Debian]] or [[Ubuntu]], add the lines below to the top of '''/etc/pam.d/common-auth''' to enable Yubikey authentication for all applications that use PAM system authentication.
** If you are on [[Arch Linux]], [[Fedora]], [[CentOS]], or [[Scientific Linux]], add the lines below to the top of '''/etc/pam.d/system-auth''' to enable Yubikey authentication for all applications that use PAM system authentication.
 auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
 auth required pam_yubico.so id=YUBI_ID key=YUBI_KEY
Replace YUBI_ID with the ID and YUBI_KEY with the key you received in the previous step. The first line makes pam_succeed_if skip the following module (<code>success=1</code>) for users who are not in the '''yubikey''' group, so the fallback account from the note above keeps working; everyone in the group must pass pam_yubico. Test the new stack from a second, already logged-in session before you log out, because a mistake at the top of the system auth stack locks out every PAM application at once.

=== Using an alternate keymap such as Dvorak ===

The Yubikey sends the one-time password as keyboard scancodes for a US layout, so under another layout the characters arrive scrambled and validation fails. Add this section to your xorg configuration to give the Yubikey alone a US layout:
 Section "InputClass"
     Identifier "yubikey"
     MatchIsKeyboard "on"
     MatchVendor "Yubico"
     MatchProduct "Yubico Yubikey II"
     Driver "evdev"
     Option "XkbRules" "evdev"
     Option "XkbModel" "pc105"
     Option "XkbLayout" "us"
     Option "XkbVariant" "basic"
 EndSection

=== SELinux ===

If you are using [[SELinux]], you may experience problems with logging in from the console because '''/sbin/login''' is typically not permitted to make outgoing TCP connections, which pam_yubico needs to reach the validation service. To fix this, you will need to add an SELinux exception; as root:
 grep login /var/log/audit/audit.log | audit2allow -M pamyubico
 semodule -i pamyubico.pp
Read the generated '''pamyubico.te''' before installing the module: audit2allow grants exactly what the logged denials asked for, so make sure it contains only the login rules you expect.

=== i3lock ===

i3lock does not appear to currently have support for two-factor OTP authentication. You will need to customize '''/etc/pam.d/i3lock''' to set Yubikey authentication to sufficient, or you can remove it from that file entirely. Otherwise, you may not be able to unlock your screen.
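The howto above keeps the first 12 characters of a one-time password in '''~/.yubico/authorized_yubikeys''' and lets pam_yubico match them. The following added example (written for this page; it is not code from the wiki or from pam_yubico) models that local mapping step: it extracts the public ID from an OTP, parses the file, and answers whether a given OTP belongs to one of a user's enrolled keys. A real OTP uses only the modhex alphabet <code>cbdefghijklnrtuv</code>, so the example constructs its own sample OTPs and file contents rather than reusing the placeholder text above; the 16-character upper bound on public IDs is a simplification, and the OTP body itself must still be validated by the Yubico validation service, which this code does not do.

```python
"""Added example, not from the wiki page or from pam_yubico: a model of the
~/.yubico/authorized_yubikeys lookup described in the howto.

A Yubikey OTP is modhex text (alphabet cbdefghijklnrtuv).  Its last 32
characters are the AES-encrypted one-time part; everything before them is
the key's public ID (12 characters for a default-configured key), which is
what authorized_yubikeys stores.  All file contents and OTPs here are
constructed sample data, not real key output.
"""

MODHEX = "cbdefghijklnrtuv"
OTP_PART_LEN = 32      # modhex characters of the encrypted one-time part
MAX_ID_LEN = 16        # assumption/simplification: longest public ID accepted


def is_modhex(s: str) -> bool:
    return bool(s) and all(ch in MODHEX for ch in s)


def token_id(otp: str) -> str:
    """Return the public ID of an OTP, i.e. the part matched against
    authorized_yubikeys.  Raises ValueError for anything that is not an OTP."""
    otp = otp.strip()
    if not is_modhex(otp) or not OTP_PART_LEN < len(otp) <= OTP_PART_LEN + MAX_ID_LEN:
        raise ValueError("not a Yubikey OTP: %r" % otp)
    return otp[:-OTP_PART_LEN]


def parse_authorized_yubikeys(text: str) -> dict:
    """Parse 'user:id1[:id2...]' lines into {user: [id, ...]}, rejecting junk
    such as non-modhex IDs so a typo cannot silently enrol nothing."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        ids = [i for i in rest.split(":") if i]
        if not user or not ids:
            raise ValueError("line %d: expected user:id[:id...]" % lineno)
        for tid in ids:
            if not is_modhex(tid) or len(tid) > MAX_ID_LEN or len(tid) % 2:
                raise ValueError("line %d: bad token id %r" % (lineno, tid))
        mapping[user] = ids
    return mapping


def otp_authorized_for(mapping: dict, user: str, otp: str) -> bool:
    """True if the OTP's public ID is one of the IDs enrolled for `user`.
    This is only the local mapping step: the OTP body must still be checked
    by the validation server (pam_yubico does that over the network)."""
    try:
        tid = token_id(otp)
    except ValueError:
        return False
    return tid in mapping.get(user, [])


# Constructed sample file: one user with two keys, one user with one key.
SAMPLE_FILE = """\
# ~/.yubico/authorized_yubikeys (constructed sample)
alice:cccccccbcjdi:ccccccbhfdne
bob:cccccccdetfn
"""

# Constructed sample OTPs: 12-character public ID + 32-character one-time part.
ALICE_OTP = "cccccccbcjdi" + "hukdulfhnvnbdhbrvbnllrvctrtevtjf"
BOB_OTP = "cccccccdetfn" + "hukdulfhnvnbdhbrvbnllrvctrtevtjf"

if __name__ == "__main__":
    enrolled = parse_authorized_yubikeys(SAMPLE_FILE)
    print(token_id(ALICE_OTP))
    print(otp_authorized_for(enrolled, "alice", ALICE_OTP))
    print(otp_authorized_for(enrolled, "alice", BOB_OTP))
```

Run it as a script to see the public ID of the first sample OTP, then <code>True</code> for alice's own key and <code>False</code> for bob's key presented as alice. Any OTP containing characters outside the modhex alphabet is rejected before the lookup, which is the check you want in front of anything that hands the string on to a validation server.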
=== sshd ===

If you would like to enable authentication over SSH using your Yubikey, edit '''/etc/ssh/sshd_config''' and make sure the following configuration settings are set:
 ChallengeResponseAuthentication yes
 PasswordAuthentication no
 UsePAM yes
After editing the configuration, restart sshd. The Yubikey prompt is carried by PAM over keyboard-interactive authentication, which is why both '''ChallengeResponseAuthentication''' and '''UsePAM''' are needed. With the OpenSSH versions this page was written against you cannot combine two-factor Yubikey authentication with SSH public key authentication; you must pick one. OpenSSH 6.2 and later can require both with <code>AuthenticationMethods publickey,keyboard-interactive</code>.

== PAM two-factor HMAC-SHA1 authentication ==

'''Note:''' This will make use of slot 2 of your Yubikey. You cannot also use it to store a static password.

HMAC-SHA1 authentication may be a better choice for Dvorak users or for laptops that aren't guaranteed to have Internet access, as authentication is done without keyboard emulation or Internet access. Most, but not all, programs are compatible with this method. Since this method requires direct hardware access to the key, it cannot be used for ssh logins from another machine.

* Install pam_yubico for your desired distribution.
* Edit '''/etc/pam.d/system-auth''' (or '''/etc/pam.d/common-auth''', depending on your distribution) and place this at the top of the file:
 auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
 auth required pam_yubico.so mode=challenge-response
* Insert your Yubikey and run this command to program slot 2:
 sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
* Create a '''yubikey''' group and add the users you would like to authenticate using a Yubikey to it like this:
 sudo groupadd yubikey
 sudo usermod -aG yubikey username
* Run this command to set the current user up for Yubikey login:
 ykpamcfg -2 -v
This writes a challenge and the key's expected response into a state file under '''~/.yubico'''; keep that directory private, since the stored response is what pam_yubico compares against at login. If you get a permissions error, follow the instructions under i3lock below.
* Finally, log out and attempt to log in. You will notice that you are prompted only for username and password, but Yubikey authentication is still taking place. To confirm, remove your Yubikey and attempt to log in.
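To make the HMAC-SHA1 challenge-response login above concrete, here is an added example (written for this page, not code from the wiki, from pam_yubico or from ykpamcfg) that models both sides of the exchange with the Yubikey's slot 2 simulated in software. The key holds a 20-byte secret that never leaves the device; the host stores only a random challenge and the response it expects, checks the answer in constant time, and rotates to a fresh challenge after each success so that a recorded response is good for one login only. The dict-based state, the 63-byte random challenge and the simplified handling of challenge length are assumptions of this model; the real state file written by ykpamcfg has its own format.

```python
"""Added example, not from the wiki page, pam_yubico or ykpamcfg: a model of
the HMAC-SHA1 challenge-response login described in the howto, with the
Yubikey's slot 2 simulated in software.

The device side is plain HMAC-SHA1 over the challenge with a 20-byte secret
that never leaves the key.  The host side (ykpamcfg at enrolment, pam_yubico
at login) stores only a challenge and the expected response.  The dict-based
state and the 63-byte random challenge are assumptions of this model.
"""
import hashlib
import hmac
import os


class SimulatedYubikeySlot2:
    """Stands in for a slot programmed with
    'ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64'."""

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret      # stays inside the "device"

    def challenge_response(self, challenge: bytes) -> bytes:
        # -ohmac-lt64 lets the key accept challenges shorter than 64 bytes;
        # this model just requires 1..63 bytes and does not reproduce the
        # device's own length-encoding rules (assumption).
        if not 0 < len(challenge) < 64:
            raise ValueError("challenge must be 1..63 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def enroll(key: SimulatedYubikeySlot2) -> dict:
    """What 'ykpamcfg -2' does: pick a random challenge and record the
    response this key gives for it.  The result is the secret state file."""
    challenge = os.urandom(63)
    return {"challenge": challenge, "response": key.challenge_response(challenge)}


def authenticate(state: dict, key) -> bool:
    """What pam_yubico mode=challenge-response does at login.  `key` is None
    when no Yubikey is plugged in.  On success the stored challenge is
    replaced, so a response seen once cannot be replayed later."""
    if key is None:
        return False
    try:
        got = key.challenge_response(state["challenge"])
    except ValueError:
        return False
    if not hmac.compare_digest(got, state["response"]):
        return False
    state.update(enroll(key))
    return True


def demo() -> tuple:
    """Enrol one key, then log in with it, with a different key, and with
    no key.  Returns (login_ok, challenge_rotated, other_key_ok, no_key_ok)."""
    real = SimulatedYubikeySlot2(bytes(range(20)))          # constructed secret
    other = SimulatedYubikeySlot2(bytes(range(1, 21)))      # constructed secret
    state = enroll(real)
    first_challenge = state["challenge"]
    login_ok = authenticate(state, real)
    rotated = state["challenge"] != first_challenge
    other_key_ok = authenticate(state, other)
    no_key_ok = authenticate(state, None)
    return login_ok, rotated, other_key_ok, no_key_ok


if __name__ == "__main__":
    print(demo())
```

Because the slot is standard HMAC-SHA1, the simulated key reproduces published test vectors (RFC 2202 case 1 is asserted below), which is also a handy way to confirm a real key was programmed with the secret you intended: compute the expected HMAC for a known challenge and compare it to what <code>ykchalresp</code> returns. The remove-and-retry step at the end of the howto corresponds to the <code>authenticate(state, None)</code> call, which fails without ever touching the stored response.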
=== i3lock ===

* Because /etc/pam.d/i3lock includes login, you can simply ensure that the yubikey line is included in this file.
* Create the file '''/etc/udev/rules.d/90-yubikey.rules''' and place this in it, so that members of the '''yubikey''' group can talk to the key directly:
 SUBSYSTEMS=="usb", ATTR{product}=="Yubico Yubikey II", MODE="0660", GROUP="yubikey"
* Run <code>sudo udevadm control --reload</code> to make udev reload your rules. The new permissions apply when the device is next plugged in, so unplug and reinsert the Yubikey (or run <code>sudo udevadm trigger</code>).
* Lock your computer with i3lock as you normally would. Your Yubikey will now be required along with your password to unlock your screen.

== Automatic Screen Locking (i3lock, slock, etc.) ==

This locks the screen when the Yubikey is removed.

* Put this in '''/etc/udev/rules.d/90-yubikey.rules''' (the same file as in the i3lock section above; if you use both, keep both sets of rules in it):
 ATTR{product}!="Yubico Yubikey II", GOTO="yubikey_end"
 ACTION=="remove", RUN+="/usr/local/bin/ykgone"
 LABEL="yubikey_end"
* Put this in /usr/local/bin/ykgone and make it executable:
 #!/bin/bash
 # Run by udev on every remove event for the Yubikey. Lock the screen only
 # if no Yubikey is still present on the bus.
 if ! lsusb | grep -q Yubikey ; then
     /bin/su yourusername -c /usr/local/bin/lock
 fi
The test is needed because the script also runs whenever the Yubikey is polled for challenge-response authentication (which causes it to re-enumerate, switching between its USB HID and serial modes), and we only want to lock the screen when the key is actually removed. Note that udev runs this script as root, so if you have Yubikey authentication enabled in /etc/pam.d/su, it must come after <code>auth sufficient pam_rootok.so</code>; otherwise su will wait for the key you just removed.
* Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 in it for the screen locker to work correctly if you're not using a daemonized locker such as xscreensaver or gnome-screensaver.

== External links ==

* [http://yubico.com/ Yubico]
[[Category:Howtos]]