{"id":3535,"date":"2014-12-22T16:31:12","date_gmt":"2014-12-22T16:31:12","guid":{"rendered":"http:\/\/really.zonky.org\/?p=3535"},"modified":"2015-01-28T23:08:46","modified_gmt":"2015-01-28T23:08:46","slug":"tinkering-with-the-yubikey","status":"publish","type":"post","link":"https:\/\/really.zonky.org\/?p=3535","title":{"rendered":"Tinkering With The Yubikey"},"content":{"rendered":"

\n\tThis is a series of working notes on the Yubikey<\/a> which is an interesting device used to supplement passwords to make two-factor authentication easier. It is essentially a hardware security token device that pretends to your computer to be a keyboard and enters a one-time only password that can be used to verify your identity – much like a password, but much<\/em> more secure.\n<\/p>\n

\n\tWell perhaps "easier" only if someone does all the configuration for you, although I am inclined to look a bit deeper into such things for my own amusement. My own key is a Yubikey NEO, but much of what follows also applies to the other Yubikey models.\n<\/p>\n

\n\t\"\"\n<\/p>\n

\n\tObservations
\n<\/h2>\n

\n\tThis is the spot for observations on using the Yubikey over time.\n<\/p>\n

    \n
  1. \n\t\tFor some reason the Yubikey doesn't always "light up" on my workstation at work. It works fine at home – the green light always turns on ready for a key press – but at work it often seems to flicker and stay out. Not sure what causes this, but it always seems to be persistent when you really need to use it! \n\t<\/li>\n<\/ol>\n

    \n\tConfiguration
    \n<\/h2>\n

    \n\t… is to some extent unnecessary, but under Linux there are three bits of software that can be installed to configure additional features of the Yubikey :-\n<\/p>\n

      \n
    1. \n\t\tThe library: https:\/\/developers.yubico.com\/libykneomgr\/<\/a>\n\t<\/li>\n
    2. \n\t\tThe command-line tool: https:\/\/developers.yubico.com\/yubikey-personalization\/<\/a>\n\t<\/li>\n
    3. \n\t\tThe GUI: https:\/\/developers.yubico.com\/yubikey-personalization-gui\/<\/a>\n\t<\/li>\n<\/ol>\n

      \n\tAll three build easily from the instructions given. Just make sure to remember to copy the udev<\/i> rules from yubikey-personalization<\/em> to \/etc\/udev\/rules.d\/<\/em> and run udevadm trigger<\/em> to enable them. This will make sure you can access your yubikey as a console user, so you don't have to become root<\/em>.\n<\/p>\n

      \n\tEnabling Linux Authentication
      \n<\/h2>\n

      \n\tThis was all done with a Linux container (LXC), so it could be relatively easily thrown away and restarted. The first step was to install the relevant PAM module :-\n<\/p>\n

      \r\n# apt-get install libpam-yubico<\/pre>\n
      \n\tThis pulls in a ton of other required packages.\n<\/p>\n
      \n\tThe next is to grab the unchanging part of your Yubikey token. This is the first 12 characters of what you get when you activate it. Whilst you have it to hand, now would be a good time to create the mapping file – \/etc\/yubikey-mappings<\/em> :-\n<\/p>\n
      \r\n# Yubikey ID mappings\r\n# Format:\r\n#       user-id:yubikey-id:yubikey-id:...\r\n# (But usually only one)\r\nuser-id:ccccccsomeid\r\n<\/pre>\n
      \n\tNext step is to add a little something to one of the pam files. For testing (assuming you have console) access, the relevant file might be \/etc\/pam.d\/sshd<\/em> but once you have things working, \/etc\/pam.d\/common-auth<\/em> might be a better choice. Right at the top of the file add :-\n<\/p>\n
      \r\nauth       sufficient   pam_yubico.so debug id=16 authfile=\/etc\/yubikey-mappings\r\n#       Added for Yubikey authentication.\r\n<\/pre>\n
      \n\tBecause these things always have problems when you first try them, it makes sense to set up the debugging log :-\n<\/p>\n
      \r\ntouch \/var\/run\/pam-debug.log\r\nchmod a+w \/var\/run\/pam-debug.log\r\n<\/pre>\n
      \n\tAt this point, assuming everything works as expected :-\n<\/p>\n
        \n
      1. \n\t\tYou will be able to authenticate using ssh<\/em> using either your Yubikey, or your password.\n\t<\/li>\n
      2. \n\t\tThis assumes your server is able to communicate with the Yubi Cloud.\n\t<\/li>\n<\/ol>\n
        \n\tThere are further improvements to be made … and we'll get to those shortly.\n<\/p>\n
        \n\tBut That's Not Two-Factor Authentication!
        \n<\/h2>\n
        \n\tIndeed not, so we'll fix that right now.\n<\/p>\n
        \n\tFirstly remove<\/em> the line we previously added to \/etc\/pam.d\/sshd<\/em>; because of the way that Debian configures pam, it is less disruptive (i.e. fewer changes) to make the change to \/etc\/pam.d\/common-auth<\/em> :-\n<\/p>\n
        \r\nauth       requisite     pam_yubico.so id=16 debug authfile=\/etc\/yubikey-mappings\r\n#       Yubikey configuration added.\r\nauth    [success=1 default=ignore]      pam_unix.so nullok_secure use_first_pass\r\n<\/pre>\n
        \n\tBut before restarting sshd<\/em> (you have been doing that haven't you?), you will need to add a Yubikey ID to \/etc\/yubikey-mappings<\/em> for the root<\/em> user.\n<\/p>\n
        \n\tAt this point, you will only be able to authenticate if you enter your username, followed by both your Unix password and<\/em> activate your Yubikey at the password prompt. Entering both at the same prompt is a little weird especially when you consider that there is no indications anywhere that Yubikey authentication is required.\n<\/p>\n
        \n\tBut we can fix that. First of all, one small change to common-auth<\/em> – remove the use_first_pass<\/em> phrase.\n<\/p>\n
        \n\tNext edit the file \/etc\/ssh\/sshd_config<\/em> and find the ChallengeResponseAuthentication<\/em> phrase and set to "Yes" :-\n<\/p>\n
        \r\nChallengeResponseAuthentication yes\r\n<\/pre>\n
        \n\tAnd after a quick reboot, the log in process works in a sensible way :-\n<\/p>\n
        \r\n» ssh chagers\r\nYubikey for `mike': (Press YubiKey)<\/strong>\r\nPassword: (Enter Unix password)<\/strong>\r\nLinux chagers 3.14-0.bpo.1-amd64 #1 SMP Debian 3.14.12-1~bpo70+1 (2014-07-13) x86_64\r\n\r\nThe programs included with the Debian GNU\/Linux system are free software;\r\nthe exact distribution terms for each program are described in the\r\nindividual files in \/usr\/share\/doc\/*\/copyright.\r\n\r\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\r\npermitted by applicable law.\r\nLast login: Wed Dec 31 15:37:05 2014\r\n...\r\n<\/pre><\/pre>\n","protected":false},"excerpt":{"rendered":"
        This is a series of working notes on the Yubikey which is an interesting device used to supplement passwords to make two-factor authentication easier. It is essentially a hardware security token device that pretends to your computer to be a keyboard and enters a one-time only password that can be used to verify your identity […]<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2},"_share_on_mastodon":"0"},"categories":[4,226],"tags":[1017,780,1274],"class_list":["post-3535","post","type-post","status-publish","format-standard","hentry","category-it","category-working-notes","tag-debian","tag-ssh","tag-yubikey","category-4-id","category-226-id","post-seq-1","post-parity-odd","meta-position-corners","fix"],"share_on_mastodon":{"url":"","error":""},"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p1f2KI-V1","_links":{"self":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3535"}],"version-history":[{"count":8,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3535\/revisions"}],"predecessor-version":[{"id":3602,"href":"https:\/\/really.zonky.org\/index.php?rest_route=\/wp\/v2\/posts\/3535\/revisions\/3602"}],"wp:attachment":[{"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/really.zonky.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}