Pilot service for Yubikey two-factor authentication

December 12, 2014

Towards two-factor Yubikey authentication with OpenSSH

Filed under: Pilot service for Yubikey two-factor authentication — idurkacz @ 5:21 pm
Tags: , ,

Our overall strategy for a test OpenSSH service using two-factor authentication via Yubikey is now clear:

  1. Integrate Yubico’s PAM module into the PAM stack used for our ssh service.
  2. Configure that PAM module to authenticate against the Yubicloud service.
  3. Organize our configuration so that only those users who are registered (somehow …) for Yubikey use are required to submit a Yubikey OTP.

Since we definitely don’t want to mandate Yubikey use for every user, how can we arrange this final (very necessary) requirement? It turns out that the (previously unknown to me) pam_succeed_if module can help. That allows an ‘if test’ which tests for group and/or netgroup membership to be arranged in the PAM stack. So, what we need to do is to instantiate a suitable group (or netgroup) which contains the UUNs of all those users registered for Yubikey use.

To keep things as simple as possible for testing, we’ve chosen to set that up for now as a group, called yubikeyusers. (We’ll almost certainly use a netgroup in any final live implementation.) The relevant lines of the resulting PAM configuration are as follows:

 
auth	[success=ignore ignore=ignore default=1]	/lib64/security/pam_succeed_if.so	debug user ingroup yubikeyusers 
auth	required	/lib64/security/pam_yubico.so	id=<secret> key=<secret> authfile=/etc/yubikey_mappings debug 

Some notes about the parameters to the Yubico PAM module pam_yubico.so:

  1. We’ve got debugging turned on for this module so that we can get detailed output from the authentication process. For that to work as expected, it’s necessary to ‘touch’ the nominated log file in advance:
    touch /var/run/pam-debug.log
    chmod go+w /var/run/pam-debug.log
    
  2. The <secret> strings are our private keys for use with the Yubicloud service. Such keys are freely available from Yubico.
  3. The file /etc/yubikey_mappings contains the mappings of Yubikey public ids to local UUNs. That is: it formally associates actual Yubikeys with actual users. (An individual user can be associated with more than one Yubikey, by the way.) In a final live system, we’d expect to integrate that same information into our LDAP directory: Yubico’s PAM module can read from that.

Theme: Rubric.