In a previous article, I presented the Yubikey product. I also explained why, for security reasons, the usage of two separate Yubikeys could be a plus. One converted to provide a static password and the second left as is (to provide one-time passwords).
I received my 2nd Yubikey a few days ago (Benny, one more time, thanks!). I started to play with OTP (“One Time Password“) and integrated the Yubikey with my Linux laptop.
Before the details of the integration, let’s review how authentication is performed on Linux (all well-known distributions use the same mechanism). Linux performs authentication and accounting via PAM (“Pluggable Authentication Modules“). PAM is a framework that offers applications several authentication methods through a single API. If your application is PAM aware, it can use all available modules (one module == one authentication mechanism) like: UNIX passwords, RSA, Kerberos or a lot of alternative methods (sometimes more exotic, like X509 certificates).
If an application is compatible with PAM, when a user must be authenticated, it will look (reading configuration files in /etc/pam.d) for available modules (at operating system level, modules are similar to dynamically linked libraries (.so files)). Authentication methods can be mixed and defined as “sufficient”, “required” or “optional”. If you’re interested in PAM, a lot of information is available online (example: Wikipedia).
Now, back to the Yubikey. A PAM module has been developed to support our new toy: Yubico-PAM. But this module has a major constraint: it requires an online system to authenticate the user (it uses the Yubico authentication server).
Fortunately, there is an alternative! Another PAM implementation proposed by SecurixLive: YubiPAM. This one works offline (no network connectivity at all), but working offline requires extra information to be available locally: the Yubikey AES key must be known and stored in a local database. Of course this local DB is also encrypted to protect the stored keys.
The first step is to get your Yubikey AES key! How? The easy way is to use the tool provided by Yubico to change the key. But this causes a major problem: once the AES key is changed, your Yubikey won’t be usable for online services anymore. This is clearly announced by Yubico in a warning:
“WARNING! By re-initializing your YubiKey (either by manually programming a new AES key in the Yubikey or programming the Yubikey for static PW), you will lose ALL abilities to use that particular YubiKey against Yubico online servers – validation server, YubiKey management service, Yubico forum, demo server, OpenID server and so on. Customers are advised to consider using separate YubiKeys for use in Static Password Mode or for development and testing purposes.”
The second method is to ask Yubico for the key. They provide good support (thanks guys!). The procedure is quite simple: send an e-mail (address available via the Yubico contact page) and provide two OTPs and your Paypal transaction ID. They will give you access to the YMS (“Yubico Management Service“) where you’ll be able to manage your keys and retrieve the precious AES key!
We now have the basic components: a valid Yubikey and its AES key. Let’s install the software. It’s pretty straightforward. Note that some steps are not performed via the Makefile. They must be done manually (read the provided documentation for details).
# cd /usr/local/src
# wget http://www.securixlive.com/download/yubipam/YubiPAM-1.0.4.tar.gz
# tar xzvf YubiPAM-1.0.4.tar.gz
# cd YubiPAM-1.0.4
# ./configure
# make install
# addgroup yubiauth
# touch /etc/yubikey
# chgrp yubiauth /etc/yubikey /sbin/yk_chkpwd
# chmod g+rw /etc/yubikey
# chmod g+s /sbin/yk_chkpwd
Now, let’s link the Yubikey to our existing account (or make a specific one if you’re scared):
# ykpasswd -a --user <USER> -k <AESkey> -o <OTP>
The AES key is your AES key in hexadecimal (disclosed by the YMS portal). OTP is just a one-time password generated by your Yubikey. Once done, check it:
# ykvalidate --user <USER> <OTP>
OTP is VALID.
Finally, the PAM configuration must be adapted to use the newly installed module (/lib/security/pam_yubikey.so). In all recent Linux distributions (Ubuntu, CentOS and Fedora work like this), there is only one file to change: /etc/pam.d/common-auth. Just add the following line above the others:
auth sufficient pam_yubikey.so
Please be sure that the module pam_yubikey.so is present in /lib/security (or /lib64/security if you run a 64-bit system). The new line specifies that an OTP from a valid Yubikey is enough to authenticate (“sufficient”). If no Yubikey authentication is performed, PAM will fall back to the other methods (usually based on the standard UNIX password).
Security Note: The current version of YubiPAM does NOT provide a strong authentication mechanism. Your login and OTP are enough to authenticate you. Please manage your Yubikey physical security in the right way! Don’t keep it near your workstation!
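To make the behaviour of the “sufficient” line concrete, here is a small simulation of how PAM walks an auth stack. It is an added example, not Linux-PAM or YubiPAM code: the two modules, the user record, the OTP values and the password are all constructed for the illustration, and the second stack (pam_yubikey.so as “required”) is an assumed alternative arrangement shown only to contrast single-factor with two-factor evaluation, not a configuration the article or the YubiPAM authors describe.

```python
"""Simulation of a PAM 'auth' stack and its control flags.

Added example, not code from the article, Linux-PAM or YubiPAM.  The modules
below are stand-ins: the real pam_yubikey.so decrypts the OTP with the AES key
stored in /etc/yubikey and checks the token counter; here a list of constructed
OTP strings plus a 'used' set plays that role.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Creds = Dict[str, str]                      # what the login prompt collected
Module = Callable[[str, Creds], bool]       # (user, creds) -> verdict


@dataclass
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # module file name, e.g. "pam_yubikey.so"


def run_auth_stack(stack: List[Entry], modules: Dict[str, Module],
                   user: str, creds: Creds) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate the stack with the simple PAM control flags.

    Returns (authenticated, trace); trace lists each module's verdict in order.
    The corner case of a stack made only of 'optional' entries is not modelled.
    """
    required_failed = False
    trace: List[Tuple[str, bool]] = []
    for entry in stack:
        ok = modules[entry.module](user, creds)
        trace.append((entry.module, ok))
        if entry.control == "requisite" and not ok:
            return False, trace                 # stop immediately on failure
        if entry.control == "required" and not ok:
            required_failed = True              # remember it, keep walking
        elif entry.control == "sufficient" and ok and not required_failed:
            return True, trace                  # enough: later modules skipped
        # 'optional': verdict ignored when other modules are present
    return not required_failed, trace


# --- constructed user data standing in for /etc/yubikey and /etc/shadow ---
SALT = "example-salt"


def new_user_db() -> dict:
    return {"alice": {
        "pw_hash": hashlib.sha256((SALT + "correct horse").encode()).hexdigest(),
        "valid_otps": ["otp-0001", "otp-0002", "otp-0003"],   # constructed
        "used_otps": set(),
    }}


def pam_yubikey(db: dict) -> Module:
    def check(user: str, creds: Creds) -> bool:
        rec, otp = db.get(user), creds.get("otp")
        if rec is None or otp is None:
            return False
        if otp not in rec["valid_otps"] or otp in rec["used_otps"]:
            return False                        # unknown token or replayed OTP
        rec["used_otps"].add(otp)               # consume: it is one-time
        return True
    return check


def pam_unix(db: dict) -> Module:
    def check(user: str, creds: Creds) -> bool:
        rec, pw = db.get(user), creds.get("password")
        if rec is None or pw is None:
            return False
        return hashlib.sha256((SALT + pw).encode()).hexdigest() == rec["pw_hash"]
    return check


# common-auth as the article configures it: a valid OTP alone is sufficient
STACK_OTP_SUFFICIENT = [Entry("sufficient", "pam_yubikey.so"),
                        Entry("required", "pam_unix.so")]
# assumed alternative (not from the article): both factors are required
STACK_OTP_REQUIRED = [Entry("required", "pam_yubikey.so"),
                      Entry("required", "pam_unix.so")]


def authenticate(stack: List[Entry], db: dict, user: str, creds: Creds) -> bool:
    modules = {"pam_yubikey.so": pam_yubikey(db), "pam_unix.so": pam_unix(db)}
    return run_auth_stack(stack, modules, user, creds)[0]


def demo() -> Dict[str, bool]:
    """Run the scenarios on a fresh database and return each outcome."""
    db, good_pw = new_user_db(), "correct horse"
    return {
        "otp_only": authenticate(STACK_OTP_SUFFICIENT, db, "alice", {"otp": "otp-0001"}),
        "otp_replay": authenticate(STACK_OTP_SUFFICIENT, db, "alice", {"otp": "otp-0001"}),
        "password_fallback": authenticate(STACK_OTP_SUFFICIENT, db, "alice", {"password": good_pw}),
        "wrong_password_no_otp": authenticate(STACK_OTP_SUFFICIENT, db, "alice", {"password": "guess"}),
        "two_factor_otp_only": authenticate(STACK_OTP_REQUIRED, db, "alice", {"otp": "otp-0002"}),
        "two_factor_both": authenticate(STACK_OTP_REQUIRED, db, "alice", {"otp": "otp-0003", "password": good_pw}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'authenticated' if ok else 'denied'}")
```

The first stack reproduces the article’s point: with pam_yubikey.so marked “sufficient” above pam_unix.so, a fresh OTP logs the user in without a password (single factor), a replayed OTP falls through to the password prompt, and a password alone still works. Only the second, assumed arrangement (“required”) makes PAM demand both an OTP and the password.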
The PAM module interacts without problems with the following Linux components:
- Gnome screen-saver
- Gnome administrative password interface
This PAM module works very well but suffers from the single-factor authentication! The authors of YubiPAM said in the release notes that support of two-factor authentication (for example OTP + PIN) should be available soon.