Never Ending Security

It starts all here

Set up Yubikey with PAM for OpenVPN, SSH and Squirrelmail

Yubikey and PAM for SSH:
If you’re using ArmHF or Armel you might experience a bug with the default libpam-yubikey packages:

If you have successfully built the new package/fix and installed it, then it’s time to continue the setup for SSH:
1) you can create a global config or use a user's own yubikey file, I choose the latter: mkdir /home/*username*/.yubico/ and create a file authorized_yubikeys
The contents of this file should be:
username:*yubikey first 12 characters*:*next yubikey first 12 characters*
2) get an API key for the yubikey cloud solution to authenticate against:
3) remember the API key and add the following line to /etc/pam.d/sshd:
auth required id=*your API id number* key=*your API key* url=
4) comment out the ChallengeResponseAuthentication no line in /etc/ssh/sshd_config (so it says yes when you comment it!)
5) restart sshd: /etc/init.d/ssh restart or service sshd restart
6) test!
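
The authorized_yubikeys mapping from step 1 can be sanity-checked before you lock yourself out. The script below is an added example, not code from the original post; the function names, the sample users and the sample OTP are constructed, and it assumes standard 44-character modhex OTPs whose first 12 characters are the public ID.

```shell
#!/bin/sh
# Added example. Assumes 44-character Yubico OTPs in modhex (cbdefghijklnrtuv).
# It checks only the user-to-key mapping; the OTP itself is still verified by
# the validation service that PAM calls.

# Print the 12-character public ID of an OTP; fail if the OTP is malformed.
yk_public_id() {
    _otp=$1
    [ "${#_otp}" -eq 44 ] || return 1
    case $_otp in *[!cbdefghijklnrtuv]*) return 1 ;; esac
    printf '%s\n' "$_otp" | cut -c1-12
}

# Succeed if a line is user:id[:id...] with every id 12 modhex characters.
yk_line_valid() {
    case $1 in *:*) ;; *) return 1 ;; esac
    _u=${1%%:*}; _rest=${1#*:}
    [ -n "$_u" ] || return 1
    case $_rest in ''|:*|*:|*::*) return 1 ;; esac
    while [ -n "$_rest" ]; do
        _id=${_rest%%:*}
        [ "${#_id}" -eq 12 ] || return 1
        case $_id in *[!cbdefghijklnrtuv]*) return 1 ;; esac
        case $_rest in *:*) _rest=${_rest#*:} ;; *) _rest= ;; esac
    done
    return 0
}

# Succeed if the OTP's public ID is listed for the user in the mapping file.
yk_otp_authorized() {
    _want_user=$1; _file=$3
    _want_id=$(yk_public_id "$2") || return 1
    while IFS= read -r _line || [ -n "$_line" ]; do
        yk_line_valid "$_line" || continue
        [ "${_line%%:*}" = "$_want_user" ] || continue
        case ":${_line#*:}:" in *":$_want_id:"*) return 0 ;; esac
    done < "$_file"
    return 1
}

# Constructed sample data, not a real token or account.
SAMPLE_OTP=ccccccbcgujhbdefghijklnrtuvcbdefghijklnrtuvc
SAMPLE_FILE=$(mktemp)
printf '%s\n' 'alice:ccccccbcgujh:ccccccbcgujv' 'bob:ccccccbcgujx' > "$SAMPLE_FILE"
if yk_otp_authorized alice "$SAMPLE_OTP" "$SAMPLE_FILE"; then
    echo "alice: key listed"
fi
```

Malformed lines (such as the constructed bob entry, which contains a non-modhex character) are skipped rather than matched, so a typo in the file shows up as a failed check instead of a silent login failure.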

For OpenVPN with Yubikey and PAM:

1) Follow above steps for the correct yubikey pam module
2) Install OpenVPN with a default server.conf, ca.crt, server.crt etc following the 100 manuals on the net
3) Check if you have the OpenVPN AUTH module installed when you installed OpenVPN aka /usr/lib/openvpn/ – if you don’t have this file install the openvpn-pam module
4) add the following to the /etc/openvpn/server.conf:
### yubikey auth
plugin /usr/lib/openvpn/ openvpn #make sure the path is correct and end the line with the pam module name (openvpn – we’ll create this file manually later on)
5) create a file /etc/pam.d/openvpn with the following contents:
auth required authfile=/etc/yubikeyid id=16 debug
auth required use_first_pass
# first check the yubikey auth and then a successful unix PAM auth
6) change the client openvpn config to add the following line: auth-user-pass
7) test!

Yubikey and Squirrelmail:
Read the howto here:

Don’t forget to install php-curl or a similar package, as PHP needs to do a curl
command/post against the Yubico API

