I’m a huge fan of security by “Something You Have” in combination with “Something You Know”. A good example for web developers probably is their public/ private key pair they use to authenticate access via ssh to their web servers.
When I read about the Yubikey I immediatly wanted to use it to authenticate sudo access on my web server. I’ve been using my ssh agent to do that via pam-ssh-auth, but I can add a physical component to my authentication setup with a yubikey. Sounds compelling? Yes it does!
First I’m assuming you’ve got a yubikey, and a yubikey validation server which can be used to validate your yubikey. Yubico has free servers available which you need to register with, but you can also host them yourself because the software is open source.
Second I’m assuming you’re running an ubuntu based server. Let’s start by installing the yubico pam extension used for authentication:
$ sudo apt-get install libpam-yubico
Next, create a yubikey mapping file to map yubikey public identifiers to your physical users. Only the users listed in this file can authenticate their sudo using a yubikey. Other users with sudo privileges can use passwords just as before.
$ cat > /etc/yubikey_mappings <<EOF
administrator:aabbccddeeff
EOF
Here I’ve mapped the yubikey identified by aabbccddeeff to the user administrator.
Now let’s adjust the pam sudo configuration:
$ vim /etc/pam.d/sudo
Insert
auth sufficient pam_yubico.so id=<insert id> url=https://your.yubicloud.server.com/wsapi/2.0/verify?id=%d&otp=%s authfile=/etc/yubikey_mappings
just before the first line reading auth required …
You must replace <insert id> with your client-id from your yubico validation server in the above example. Also make sure to replace your.yubicloud.server.com with a real server address! Otherwise this will not work!
That’s about it - you can authenticate sudo using your yubikey: test it!
$ ssh [email protected]
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.2.0-33-generic x86_64)
* Documentation: https://help.ubuntu.com/
Last login: Sat Dec 8 12:01:26 2012 from 235-47-142-46.pool.kielnet.net
[email protected]:~$ sudo -i
Yubikey for `administrator': # press on your yubikey
[email protected]:~# logout
The good parts
- Never look up your root-password again - unless you’ve lost or destroyed your yubikey.
- You can add Yubikey based authentication to your web apps - great for internal-use applications!
The bad parts
- A yubikey costs $ 25 per piece. For now that’s a one-time investment, but I do not know about their durability.
- Maintenance - if you decide to host the validation server yourself you’ll have to administrate those as well.
Q/A
Q. Where to find my yubico client id?
A. I’ve not found a way to determine the client ID from the yubico cloud servers. That’s why I’ve hosted the entire stack myself. It’s straight forward using the documentation available at github.
Q. What’s my yubikey public identifier?
A. It’s the first 12 characters from your Yubikeys OTP string.
Q. It’s not working!
A. Add debug to the line in /etc/pam.d/sudo and tail the syslog for authentication informations. Connect the dots.