Centos/Fedora install yubico-pam for yubikey 2 factor SSH authentication
I recently bought a yubikey to play around with as a two factor authentication method for VPNs.
Easy – The YubiKey is placed in the USB port. The YubiKey is recognized as a USB keyboard so it works on all computers, platforms and browsers with no client software needed (Windows, Linux, Mac, iPad, Firefox, Chrome, etc.). With a simple touch on the YubiKey, it automatically generates and enters a unique identity and One-Time Password (OTP).
Whilst reading up on them I found that Fedora/Centos already have PAM packages in the repository to enable authentication with yubikeys 🙂
The following was done on a Centos 6 box but it was also tested on a fedora 15 server.
Install the package:
yum install pam_yubico
Create a yubikey group and add a user:
groupadd yubikey usermod -G yubikey m00nie
Check the user is part of the yubikey group:
root@Centos6:~# groups m00nie m00nie : m00nie yubikey
Now we need to edit the PAM config to use yubikey auth. Edit the /etc/pam.d/system-auth and add the following lines to the beggining of the file. The first line allows per user use of yubikeys based on the user being part of the yubikey group (If you are on Centos 6.5 this will be the file /etc/pam.d/sshd instead of /etc/pam.d/system-auth Thanks go to Chris below) 🙂
# Check if user is in yubikey group and if not pass to next method auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey # Check against the mapping file auth required pam_yubico.so id=16 authfile=/etc/yubi_mappings
Now we need to add the user – yubikey mappings to the file /etc/yubi_mappings so open that with your favourite editor (note a user can have more than one yubikey id assigned to them)
# This file contains mappings of usernames to yubikey ids # Yubikey ID = OTP - last 32 characters # Syntax is # username:yubi id:another id:more ids:..... m00nie:12345678910l:111213141516:171819202122 p00nie:abcdefghijkl
To get the yubikey ID (from yubico-pam readme):
Obtaining the Yubikey token ID (a.k.a. public ID) ------------------------------------------------- You can obtain the Yubikey token ID in two places. One is by removing the last 32 characters of any OTP generated with your Yubikey, the other is by using the modhex calculator located here : <a href="http://radius.yubico.com/demo/Modhex_Calculator.php">http://radius.yubico.com/demo/Modhex_Calculator.php</a> Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and listed as: Modhex encoded: XXXXXXX
Now you should have a functioning two factor ssh config. Test by opening a new connection (keeping the current ssh connection logged in in case of any issues!). The syntax for entering your password is now password[press yubikey].