Never Ending Security


Set up Yubikey with PAM for OpenVPN, SSH and Squirrelmail

Yubikey and PAM for SSH:
If you're using armhf or armel you might run into a bug in the default libpam-yubico packages:
See: https://bugs.launchpad.net/raspbian/+bug/1039577

Once you have successfully built and installed the new package/fix, continue with the SSH setup:
1) You can create a global config or use a user's own Yubikey file; I chose the latter: mkdir /home/*username*/.yubico/ and create a file named authorized_yubikeys in it.
The contents of this file should be:
username:*first 12 characters of the Yubikey's OTP*:*first 12 characters of the next Yubikey's OTP*
2) Get an API key for the Yubikey cloud service to authenticate against: https://upgrade.yubico.com/getapikey/
3) Note the API id and key and add the following line to /etc/pam.d/sshd:
auth required pam_yubico.so id=*your API id number* key=*your API key* url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
4) In /etc/ssh/sshd_config, comment out the line ChallengePassword no (once it is commented out the setting defaults to yes!)
5) Restart sshd: /etc/init.d/ssh restart or service sshd restart
6) Test!
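As an added example (not code from the original post), the helpers below derive the public ID that goes into authorized_yubikeys from a full OTP and validate the username:id:id format before anything is written, since a mistyped ID either locks the user out or matches the wrong key; the authfile= option pam_yubico uses in the OpenVPN section reads the same format. The function names and the sample OTP are constructed for illustration, and the code assumes the standard 12-character public ID the post refers to.

```python
from typing import Dict, List

MODHEX = set("cbdefghijklnrtuv")   # the only characters a Yubikey OTP can contain
PUBLIC_ID_LEN = 12                 # the "first 12 characters" the post refers to
OTP_LEN = PUBLIC_ID_LEN + 32       # public ID followed by the 32-char encrypted part


def public_id(otp: str) -> str:
    """Return the public ID of a full OTP, rejecting anything that is not a
    standard 44-character modhex OTP (hypothetical helper, not pam_yubico's)."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX:
        raise ValueError("not a %d-character modhex OTP" % OTP_LEN)
    return otp[:PUBLIC_ID_LEN]


def parse_authorized_yubikeys(text: str) -> Dict[str, List[str]]:
    """Parse 'username:id:id...' lines into {username: [ids]}.
    A malformed ID raises instead of being silently ignored."""
    keys: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        if not user or not ids:
            raise ValueError("line %d: expected username:id[:id...]" % lineno)
        for key_id in ids:
            if len(key_id) != PUBLIC_ID_LEN or not set(key_id) <= MODHEX:
                raise ValueError("line %d: bad public ID %r" % (lineno, key_id))
        keys.setdefault(user, []).extend(ids)
    return keys


def add_key(text: str, username: str, otp: str) -> str:
    """Return the file contents with the OTP's public ID added to the user's
    line; only the public ID is kept, the rest of the OTP is never stored."""
    keys = parse_authorized_yubikeys(text)
    new_id = public_id(otp)
    ids = keys.setdefault(username, [])
    if new_id not in ids:
        ids.append(new_id)
    return "".join("%s:%s\n" % (u, ":".join(i)) for u, i in keys.items())


if __name__ == "__main__":
    # Constructed sample OTP; a real one comes from touching the key.
    sample_otp = "cccccbcgujhd" + "rdrlhudkudgtdnnhlutcieijlhdunvkn"
    print(add_key("", "alice", sample_otp), end="")
```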

For OpenVPN with Yubikey and PAM:

1) Follow the steps above to get the correct Yubikey PAM module.
2) Install OpenVPN with a default server.conf, ca.crt, server.crt etc., following any of the 100 manuals on the net.
3) Check that the OpenVPN PAM auth plugin was installed along with OpenVPN, i.e. /usr/lib/openvpn/openvpn-auth-pam.so; if you don't have this file, install the openvpn-pam module.
4) Add the following to /etc/openvpn/server.conf (make sure the plugin path is correct, and that the plugin line ends with the name of the PAM service, openvpn, whose file we'll create manually in the next step):
#
### yubikey auth
#
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
5) Create a file /etc/pam.d/openvpn with the following contents:
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth required pam_unix.so use_first_pass
# first check the Yubikey auth and then require a successful Unix PAM auth
6) Change the client OpenVPN config to add the following line: auth-user-pass
7) Test!

Yubikey and Squirrelmail:
Read the howto here:

http://wiki.yubico.com/wiki/index.php/Applications:Squirrelmail_Plugin

Don't forget to install php-curl or a similar package, as PHP needs to do a curl request/POST against the Yubico API.
