Hi!
Today I will show you how to use the yubikey and set up authentication on CentOS 7 from scratch.
I have bought a yubikey 2 standard and will configure it to be used as OTP device when logging on via SSH. This is very cheap solution which offers a high level of security for home users.
The system I am using has just been installed and it is standard CentOS 7 with just default selections when installing. System is also updated and current to this day.
|
1 2 3 4 |
[root@localhost ~]# uname -a Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux [root@localhost ~]# cat /etc/redhat-release CentOS Linux release 7.1.1503 (Core) |
Let’s start!
1.
Begin by installing some packages
|
1 2 3 4 5 6 7 8 9 |
yum group install "Development Tools" -y yum install git -y yum install epel-release -y yum install perl-LDAP -y yum install pam-devel -y yum install libcurl-devel -y yum install help2man -y yum install ykpers -y yum install ykpers-devel -y |
2.
Clone the yubico-c library and install it.
|
1 2 3 4 5 6 |
git clone git://github.com/Yubico/yubico-c.git cd yubico-c autoreconf --install ./configure make check sudo make install |
If you get the error messsage
|
1 2 3 4 5 6 |
WARNING: 'a2x' is missing on your system. You might have modified some files without having the proper tools for further handling them. Check the 'README' file, it often tells you about the needed prerequisites for installing this package. You may also peek at any GNU archive site, in case some other package contains this missing 'a2x' program. |
You need to install asciidoc
|
1 |
yum install asciidoc |
3.
Clone the yubikey-personalization library and install it
|
1 2 3 4 5 |
git clone git://github.com/Yubico/yubikey-personalization.git cd yubikey-personalization autoreconf --install ./configure make check install |
3.
Clone the yubico-c-client and install it
|
1 2 3 4 5 6 |
git clone git://github.com/Yubico/yubico-c-client.git cd yubico-c-client autoreconf --install ./configure make check sudo make install |
4.
Clone the yubico-pam module and install it
|
1 2 3 4 5 |
git clone https://github.com/Yubico/yubico-pam.git cd yubico-pam autoreconf --install ./configure make check install |
5.
Fix the symlink for the pam module
|
1 |
ln -s /usr/local/lib/security/pam_yubico.so /usr/lib64/security/pam_yubico.so |
NOTE! Before you continue, this is where you can lock yourself out and create a box that is not accessible. You should be logged on with root on another terminal so that you can revert back if it does not work. Console access will still work, so if you use KVM or something similar, you should be able to access it through that.
Start by making sure your yubikey is configured as shown in this guide:
YubiKey YubiCloud Configuration
You should also make sure that the OTP function is working by going here after you have configured it:
https://demo.yubico.com/
Your server will need to be able to contact the yubikey API service to validate the auth, so make sure you have internet connection to the box as well.
When it is working, move on!
6.
Change SELinux to run in permissive mode. People have been reporting issues with SELinux and yubikey so I recommend that you put it in permissive mode. If you don’t want to spend a couple of hours troubleshooting.
Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.
|
1 2 3 4 5 6 7 8 9 10 11 |
# This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=permissive # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted |
This will run at boot next time and change it to permissive. Now run the command to change mode to permissive in this session
|
1 |
setenforce 0 |
Get the status. You can see the row “Current mode”, should say “permissive”
|
1 2 3 4 5 6 7 8 9 10 |
[root@localhost test]# sestatus SELinux status: enabled SELinuxfs mount: /sys/fs/selinux SELinux root directory: /etc/selinux Loaded policy name: targeted Current mode: permissive Mode from config file: permissive Policy MLS status: enabled Policy deny_unknown status: allowed Max kernel policy version: 28 |
7.
Create a user, I have picked the name ‘test’. Make sure you change the password as well.
|
1 2 |
useradd test passwd test |
8.
Edit the file /etc/pam.d/sshd
Make sure it contains the row:
|
1 |
auth required pam_yubico.so id=16 debug authfile=/etc/yubipasswd |
as seen below in the file:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
[root@localhost test]# cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_yubico.so id=16 debug authfile=/etc/yubipasswd auth required pam_sepermit.so auth substack password-auth auth include postlogin account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth session include postlogin |
9.
Crete the authfile mentioned above.
|
1 |
touch /etc/yubipasswd |
Add your user and yubikey id separated with ‘:’. This is how my /etc/yubipasswd file looks like:
|
1 2 |
root:xxyyxxxyyyxx test:xxyyxxxyyyxx |
Open a new terminal and login as test
ssh test@your-yubikey-configured-system
When you are promted for the password, write your password and press your yubikey so that it becomes one long string. Imagine:
[root@localhost test]# ssh test@localhost
test@localhost’s password: password + yubikey OTP token
The yubikey will press enter by default and this should log you on! Voila!
Other information
If you have multiple configurations on your yubikey, i.e Configuration Slot 1 and Slot 2 you may have used the wrong Slot. Slot 1 is pressed for 1 second and the other is above 2 seconds. (Or something like that). I use Configuration Slot 1 because then you dont have to press it for a longer period of time.
If you have installed a default CentOS 7 you probably do not need to change other SSH configuration files such as /etc/ssh/sshd_config
|
1 |
ChallengeResponseAuthentication no |
And /etc/pam.d/system-auth by adding “try_first_pass” to the row
|
1 |
auth sufficient pam_unix.so try_first_pass nullok |
You can also try installing the packages via epel repo. Packages are called:
|
1 2 3 |
libyubikey-devel.x86_64 : Development files for libyubikey ykclient.x86_64 : Yubikey management library and client ykpers.x86_64 : Yubikey personalization program |
The pam library I think you will have to install manually as previously shown.
Links related to this guide
https://demo.yubico.com/
http://www.yubico.com/wp-content/uploads/2013/07/YubiKey_YubiCloud_Configuration.pdf
https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html
https://developers.yubico.com/yubikey-personalization/
https://github.com/Yubico/yubico-pam#readme
Good luck!