In a previous article, I presented the Yubikey product. I also explained why, for security reasons, using two separate Yubikeys could be a plus: one converted to provide a static password and the second left as is (to provide one-time passwords).
I received my second Yubikey a few days ago (Benny, one more time, thanks!). I started to play with OTP (“One Time Password“) and integrated the Yubikey with my Linux laptop.
Before going into the details of the integration, let’s review how authentication is performed on Linux (all well-known distributions use the same mechanism). Linux performs authentication and accounting via PAM (“Pluggable Authentication Module“). PAM is a mechanism that offers several authentication methods to applications through a single API. If your application is PAM-aware, it can use all available modules (one module == one authentication mechanism), such as UNIX passwords, RSA, Kerberos or a lot of alternative methods (sometimes more exotic ones like X509 certificates).
If an application is compatible with PAM, when a user must be authenticated it looks (by reading the configuration files in /etc/pam.d) for the available modules (at the operating system level, modules are dynamically linked libraries, i.e. .so files). Authentication methods can be mixed and defined as “sufficient”, “required” or “optional”. If you’re interested in PAM, a lot of information is available online (for example on Wikipedia).
Now, back to the Yubikey. A PAM module has been developed to support our new toy: Yubico-PAM. But this module has a major constraint: it requires an online system to authenticate the user (it uses the Yubico authentication server).
Fortunately, there is an alternative! Another PAM implementation proposed by SecurixLive: YubiPAM. This one works offline (no network connectivity at all), but working offline requires extra information to be available locally: the Yubikey AES key must be known and stored in a local database. Of course this local DB is also encrypted to protect the stored keys.
The first step is to get your Yubikey AES key! How? The easy way is to use the tool provided by Yubico to change the key. But this causes a major problem: once the AES key is changed, your Yubikey won’t be usable for online services anymore. This is clearly announced by Yubico in a warning:
“WARNING! By re-initializing your YubiKey (either by manually programming a new AES key in the Yubikey or programming the Yubikey for static PW), you will lose ALL abilities to use that particular YubiKey against Yubico online servers – validation server, YubiKey management service, Yubico forum, demo server, OpenID server and so on. Customers are advised to consider using separate YubiKeys for use in Static Password Mode or for development and testing purposes.”
The second method is to ask Yubico for the key. They provide good support (thanks guys!). The procedure is quite simple: send an e-mail (address available via the Yubico contact page) and provide two OTPs and your Paypal transaction ID. They will give you access to the YMS (“Yubico Management Service“) where you’ll be able to manage your keys and retrieve the precious AES key!
We now have the basic components: a valid Yubikey and its AES key. Let’s install the software. It’s pretty straightforward. Note that some steps are not performed via the Makefile. They must be done manually (read the provided documentation for details).
# cd /usr/local/src
# wget http://www.securixlive.com/download/yubipam/YubiPAM-1.0.4.tar.gz
# tar xzvf YubiPAM-1.0.4.tar.gz
# cd YubiPAM-1.0.4
# ./configure
# make install
# addgroup yubiauth
# touch /etc/yubikey
# chgrp yubiauth /etc/yubikey /sbin/yk_chkpwd
# chmod g+rw /etc/yubikey
# chmod g+s /sbin/yk_chkpwd
Now, let’s link the Yubikey to our existing account (or create a dedicated one if you’re scared).
# ykpasswd -a --user <USER> -k <AESkey> -o <OTP>
<AESkey> is your AES key in hexadecimal (disclosed by the YMS portal). <OTP> is just a one-time password generated by your Yubikey. Once done, check it:
# ykvalidate --user <USER> <OTP>
OTP is VALID.
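To make concrete what ykvalidate (and the PAM module behind it) does with the AES key stored in the local database, here is an added example of the offline check, written in Go for this article and not code from YubiPAM or Yubico: the OTP’s first 12 modhex characters are the public ID that selects the enrolled record, the remaining 32 characters are decrypted as a single AES-128 block with that record’s key, the embedded CRC-16 must match, the private UID must match, and the session counters must be higher than those of the last accepted OTP, so that a captured OTP cannot be replayed. The makeOTP helper only stands in for the key’s firmware so the example runs without hardware; the public ID, private UID and AES key are constructed values, and the KeyRecord struct is this example’s own, not the format of /etc/yubikey.

```go
package main

import (
	"crypto/aes"
	"errors"
	"strings"
)

// Modhex: the 16 characters a YubiKey types; a character's index is its nibble value.
const modhexAlphabet = "cbdefghijklnrtuv"

// CRC register value expected over the 16 decrypted bytes of a genuine token.
const crcOKResidue = 0xf0b8

// Token is the decrypted payload of one OTP.
type Token struct {
	PrivateUID [6]byte // secret identity; must match the enrolled key
	Counter    uint16  // session counter, +1 per power-up (15 bits)
	SessionUse uint8   // +1 per OTP within a session
}

// KeyRecord is what an offline validator keeps per key: the AES secret plus the
// last accepted counters, so that a captured OTP cannot be replayed. (Example-only layout.)
type KeyRecord struct {
	PublicID    string
	PrivateUID  [6]byte
	AESKey      []byte // 16 bytes (AES-128)
	LastCounter uint16
	LastUse     uint8
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i+1 < len(s); i += 2 {
		hi, lo := strings.IndexByte(modhexAlphabet, s[i]), strings.IndexByte(modhexAlphabet, s[i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i/2] = byte(hi<<4 | lo)
	}
	return out, nil
}

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhexAlphabet[x>>4])
		sb.WriteByte(modhexAlphabet[x&0x0f])
	}
	return sb.String()
}

// crc16 is the YubiKey CRC: init 0xFFFF, reflected polynomial 0x8408, no final XOR.
func crc16(data []byte) uint16 {
	crc := uint16(0xffff)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			lsb := crc & 1
			crc >>= 1
			if lsb != 0 {
				crc ^= 0x8408
			}
		}
	}
	return crc
}

// Validate performs the offline check: public ID lookup, AES-128 decryption of
// the token, CRC check, private UID check, then the anti-replay counter check.
func Validate(rec *KeyRecord, otp string) (*Token, error) {
	if len(otp) != 44 || otp[:12] != rec.PublicID {
		return nil, errors.New("otp: wrong length or unknown public ID")
	}
	ct, err := modhexDecode(otp[12:])
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(rec.AESKey) // 16-byte key => AES-128
	if err != nil {
		return nil, err
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct) // exactly one block, so no cipher mode or IV is involved
	if crc16(pt) != crcOKResidue {
		return nil, errors.New("otp: CRC mismatch (wrong AES key or corrupted OTP)")
	}
	tok := &Token{SessionUse: pt[11]}
	copy(tok.PrivateUID[:], pt[:6])
	tok.Counter = (uint16(pt[6]) | uint16(pt[7])<<8) & 0x7fff // bit 15 is a caps-lock flag
	if tok.PrivateUID != rec.PrivateUID {
		return nil, errors.New("otp: private UID mismatch")
	}
	if tok.Counter < rec.LastCounter ||
		(tok.Counter == rec.LastCounter && tok.SessionUse <= rec.LastUse) {
		return nil, errors.New("otp: replay (counter did not increase)")
	}
	rec.LastCounter, rec.LastUse = tok.Counter, tok.SessionUse // a real validator persists this
	return tok, nil
}

// makeOTP stands in for the key's firmware in this demo: build the 16-byte token,
// append the complemented CRC, encrypt with the AES key and modhex-encode.
func makeOTP(rec *KeyRecord, counter uint16, use uint8) string {
	pt := append([]byte{}, rec.PrivateUID[:]...)
	pt = append(pt, byte(counter), byte(counter>>8))   // session counter, little-endian
	pt = append(pt, 0x11, 0x22, 0x03, use, 0x5a, 0xa5) // constructed timestamp, use, "random"
	crc := ^crc16(pt)
	pt = append(pt, byte(crc), byte(crc>>8))
	block, _ := aes.NewCipher(rec.AESKey)
	ct := make([]byte, 16)
	block.Encrypt(ct, pt)
	return rec.PublicID + modhexEncode(ct)
}
```

The replay check is the reason an offline validator has to write to its key database after every successful login, which is consistent with the install steps above making /etc/yubikey group-writable for the yubiauth group: without the counter write-back, anyone who captured one typed OTP (over the shoulder, from a keylogger, or from a terminal scrollback) could reuse it.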
Finally, the PAM configuration must be adapted to use the newly installed module (/lib/security/pam_yubikey.so). In all recent Linux distributions (Ubuntu, CentOS and Fedora work like this), there is only one file to change: /etc/pam.d/common-auth. Just add the following line above the others:
auth sufficient pam_yubikey.so
Please make sure that the module pam_yubikey.so is present in /lib/security (or /lib64/security if you run a 64-bit system). The new line specifies that an OTP from a valid Yubikey is enough to authenticate (“sufficient”). If no Yubikey authentication is performed, PAM falls back to the other methods (usually based on the standard UNIX password).
Security Note: The current version of YubiPAM does NOT provide a strong authentication mechanism. Your login and OTP are enough to authenticate you. Please manage your Yubikey physical security in the right way! Don’t keep it near your workstation!
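As an added illustration (not a configuration from the original post or from the YubiPAM project), here is what the top of /etc/pam.d/common-auth looks like in the single-factor form described above, next to a chained form in which both the OTP and the UNIX password are required. The pam_unix.so line stands for whatever password module your distribution already has in that file.

```text
# Variant 1: single factor, as described above. A valid OTP alone is enough;
# if pam_yubikey fails (or the user has no enrolled key), PAM falls back to
# the password, so the OTP only ever replaces the password, never adds to it.
auth    sufficient  pam_yubikey.so
auth    required    pam_unix.so

# Variant 2: two factors. Both modules are "required": PAM still asks for the
# password after a failing OTP, but the login fails overall, and neither a
# stolen key nor a stolen password is enough on its own.
auth    required    pam_yubikey.so
auth    required    pam_unix.so
```

Variant 2 locks out every account that has no entry in /etc/yubikey, so enrol all users (and keep a root console open while testing) before switching a machine over to it.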
The PAM module interacts without problems with the following Linux components:
- sshd
- sudo
- Gnome screen-saver
- Gnome administrative password interface
Now some goodies found on the Yubico forum: two little scripts for udev which will lock/unlock your Gnome session when you remove/insert your Yubikey from the USB port! Check out the little demo:
This PAM module works very well but suffers from being single-factor authentication! The authors of YubiPAM say in the release notes that support for two-factor authentication (OTP + PIN, for example) should be available soon.
Thank you for this great article about Yubikey Login.
You can withdraw my last comment, or amend this update: I resolved the issue with a custom SELinux policy to allow login_t to write to the /etc/yubikey file.
Hmm… just tried this on Fedora 24, followed the instructions and get the prompt for my Yubikey OTP, but it then prompts for my password as well. Won’t complete login without it. I did use ‘sufficient’ and not ‘required’ in /etc/pam.d/login.
In GNOME 3 it seems working but it doesn’t. It asks for Yubikey OTP in login however, whether you provide correct OTP or not, login happens successfully, even if my yvalidation separates correct OTPs and wrong ones..
So I got this all working… couldn’t get it to lock the screen saver on remove…. however I just did a test and I rebooted, entered my username, for the Yubikey OTP I just hit enter, then I typed my normal login password and walla, I am in… 🙁
I want to be able to allow some users to require a yubikey to login and some don’t…..
Found it… and it works with login when at the station. However, ssh gives “connection refused” immediately. There is no prompt for a user password.
I installed the “Tool” but I don’t see where I get the AES key.
I’m using the Yubikey configuration Utility (v 2.2.4), it allows me to overwrite the yubikey configuration, but nothing mentions anything about an AES key.
Where is that?
thanks
Hi jackalope,
If it does not work only for sshd, I’d consider reviewing your PAM configuration for this daemon!
I just got this setup, and everything is working as expected except for ssh. When I attempt to ssh between my desktop and laptop, I’m prompted for a password but not an OTP, and authentication fails with the correct password.
I get:
# ykvalidate --user
OTP is INVALID!
On Ubuntu 10.04, please help!
Oops… Dr John beat me and with more information.
Hi there. I just want to give an update that Yubico no longer offers the AES key from their website and has a new procedure for replacing the AES key yourself and then manually uploading the new key to their servers.
Received this from Yubico Support 26-Nov-2010: Thank you for contacting Yubico Support! In order to streamline the process for users who want to program their own AES keys in YubiKeys and still have a working key online we have changed the process of handling AES Keys at the online validation server.
Users are no longer able to copy or download their individual AES keys from the YMS server. Instead if you need access to the AES key, you will have to use a YubiKey programming tool (YubiKey Personalization tool) to program your own AES key into a YubiKey and then upload the same AES key(s) to the server (to be used online) using the following link:
http://www.yubico.com/developers/aeskeys/ The step by step instructions to upload the AES Key is available at the following forum link: http://forum.yubico.com/viewtopic.php?f=6&t=447&p=1928#p1928
“Security Note: The current version of YubiPAM does NOT provide a strong authentication mechanism. Your login and OTP are enough to authenticate you. Please manage your Yubikey physical security in the right way! Don’t keep it near your workstation!”
I think you’ll find this is actually pretty useful as is – you can use PAM chaining to enforce the second factor, and with a tweak of the chaining rules, you can also configure it to be valid if the account doesn’t have a yubikey against it. Sure, you can’t have a password per yubikey, but it’s still twofactor.