Never Ending Security

Tag Archives: YubiKey

What the Yubikey NEO all can do!?


The YubiKey NEO is a unique One-Time Authentication device which combines the functionality of a YubiKey Hardware Authentication device with the extended capabilities of a smart card, without requiring additional drivers or software.

The YubiKey NEO has 3 major elements. The first is the YubiKey element, which allows the YubiKey to be used as a configurable hardware authentication device capable of holding 2 independent configurations. Each configuration can be set to generate codes using Yubico OTP, OATH-HOTP, a challenge-response configuration or a simple static password. All of the validation server software used to support the YubiKey modes is also open source. In fact, a number of password managers have already integrated the YubiKey into their offerings – http://www.yubico.com/applications/password-management/consumer

One of your use cases is the requirement to log into your Linux desktop. This can be done simply using the YubiKey and the Yubico PAM module (https://developers.yubico.com/yubico-pam). The same module can also be used to add second-factor authentication to your SSH logins (http://hak5.org/episodes/hak5-1114).

The second element of the YubiKey NEO is the secure element on the NEO, which allows for smart card based functionality, including using the YubiKey NEO as a PIV compliant smart card for holding certificates (https://developers.yubico.com/yubico-piv-tool/doc/YubiKey-NEO-PIV-Introduction.html). Further, the YubiKey NEO has an OpenPGP applet, used to securely hold your private keys on the YubiKey itself, preventing them from being exposed should your system become compromised (http://www.yubico.com/2012/12/yubikey-neo-openpgp).

Finally, the YubiKey NEO is the first device to support the new U2F protocol (https://fidoalliance.org/adoption/video/yubico-fido-alliance-universal-2nd-factor-u2f-demonstration). This next generation authentication protocol aims to provide the security of a smart-card based solution with the ease of integration and support of a traditional hardware authentication token system.

How to configure a YubiKey NEO as an OpenPGP smartcard and use it as an OpenSSH authentication token


This is a HOWTO for configuring a YubiKey NEO as an OpenPGP smartcard and using it as an OpenSSH authentication token. The instructions are written for OS X, but should be nearly identical for Linux and the *BSDs. The only dependencies are the YubiKey command-line utilities and GnuPG with native CCID support. If installing GnuPG from source, you’ll also need libusb.

Complete HowTo can be found on:
http://25thandclement.com/~william/YubiKey_NEO.html

Two-factor authentication on OS X, with a Yubikey


Setting up your YubiKey:

Install the “YubiKey Personalization Tool”

Set a challenge-response (HMAC-SHA1) on the second slot of your YubiKey

– Select Configuration Slot 2
– Select Variable input for HMAC-SHA1 Mode
– Click Generate to generate a new Secret Key (20 bytes Hex)
– Click Write Configuration

Your YubiKey is now ready.

Prepare your Mac to use your YubiKey:

Open a new terminal session as your user and install the YubiKey PAM module (with brew):
terminal (user)
$ brew install pam_yubico
$ sudo cp /usr/local/Cellar/pam_yubico/2.16/lib/security/pam_yubico.so /usr/lib/pam/pam_yubico.so

Generate a challenge in the user’s home directory:
terminal (user)
$ mkdir ~/.yubico
$ ykpamcfg -2

A new challenge will be written to the directory ~/.yubico/

Change the authentication process for the screensaver
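
To make the mode=challenge-response step above concrete, here is a small added simulation (not pam_yubico’s code and not its on-disk file format): the token’s slot-2 HMAC-SHA1 secret is emulated in software, and a dictionary stands in for the state that ykpamcfg writes under ~/.yubico/. It shows why that state file needs to exist before you change the PAM configuration, why the stored challenge changes after every successful login, and why a login without the key, or with a different key, fails. The challenge length is a constructed value for the simulation.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

CHALLENGE_LEN = 63   # constructed for this simulation; the real tool picks its own length
SECRET_LEN = 20      # HMAC-SHA1 slot secret: the 20-byte key the Personalization Tool generates


class SimulatedKey:
    """Stands in for slot 2 of the token: it holds the secret and only ever
    hands out HMAC-SHA1 answers, never the secret itself."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != SECRET_LEN:
            raise ValueError("HMAC-SHA1 slot secret must be 20 bytes")
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def enroll(key: SimulatedKey) -> dict:
    """Enrolment (conceptually what the ykpamcfg step does): store a random
    challenge together with the response the key gives for it. Only the
    challenge and the expected response are kept, not the secret."""
    challenge = secrets.token_bytes(CHALLENGE_LEN)
    return {"challenge": challenge, "response": key.respond(challenge)}


def authenticate(state: dict, key: Optional[SimulatedKey]) -> bool:
    """Login-time check. Without the key the factor fails; with it, the
    answer to the stored challenge must match (constant-time compare), and
    on success a fresh challenge is stored so the old answer is useless."""
    if key is None:
        return False
    answer = key.respond(state["challenge"])
    if not hmac.compare_digest(answer, state["response"]):
        return False  # failed attempts leave the stored challenge untouched
    new_challenge = secrets.token_bytes(CHALLENGE_LEN)
    state["challenge"] = new_challenge
    state["response"] = key.respond(new_challenge)
    return True


def demo() -> dict:
    """Walk through enrolment, a good login, a missing key and a different key."""
    real_key = SimulatedKey(secrets.token_bytes(SECRET_LEN))
    other_key = SimulatedKey(secrets.token_bytes(SECRET_LEN))  # someone else's token
    state = enroll(real_key)
    before = state["challenge"]
    results = {"with_key": authenticate(state, real_key)}
    results["rotated"] = state["challenge"] != before
    results["no_key"] = authenticate(state, None)
    results["other_key"] = authenticate(state, other_key)
    # The two failures above must not have damaged the state for the real key.
    results["state_kept_on_failure"] = authenticate(state, real_key)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for the OS X setup: the PAM module can only authenticate you if a valid challenge/response pair for your key already exists, which is why ykpamcfg -2 runs before the pam.d edits, and why you should test on the screensaver first.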

It is advisable to start by requiring a YubiKey for screensaver login and to verify your changes before continuing with other authentication modules. In this case, if an error occurs, you can still log in using the normal login screen.

From a root terminal, add the line auth required pam_yubico.so mode=challenge-response to the following files: /etc/pam.d/screensaver and /etc/pam.d/authorization

Open a terminal session as root:
terminal (user)
$ sudo su
Edit the file:
terminal (root)
$ vi /etc/pam.d/screensaver
Add the line:
auth required pam_yubico.so mode=challenge-response
Do the same for the file /etc/pam.d/authorization:
terminal (root)
$ vi /etc/pam.d/authorization
Add the line:
auth required pam_yubico.so mode=challenge-response

Verify the authentication process:

Set your OS X to require a password on the screen saver.
Detach the YubiKey and enable the screensaver.
Enter your username/password; access should be blocked.
Now insert your YubiKey and log in; access should be granted.

If these steps succeed, you can finish the changes to the authentication process.

P.S. If login still fails, click Switch User and retry logging in. A different authentication module is used during this login.

Set up Yubikey with PAM for OpenVPN, SSH and Squirrelmail


Yubikey and PAM for SSH:
If you’re using armhf or armel you might experience a bug with the default libpam-yubikey packages:
See: https://bugs.launchpad.net/raspbian/+bug/1039577

If you have successfully built and installed the new package/fix, then it’s time to continue the setup for SSH:
1) you can create a global config or use a user’s own yubikey file; I chose the latter: mkdir /home/*username*/.yubico/ and create a file authorized_yubikeys
The content of this file should be:
username:*yubikey first 12 characters*:*next yubikey first 12 characters*
2) get an API key for the yubikey cloud solution to authenticate against: https://upgrade.yubico.com/getapikey/
3) remember the API key and add the following line to /etc/pam.d/sshd:
auth required pam_yubico.so id=*your API id number* key=*your API key* url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
4) comment out the line ChallengePassword no in /etc/ssh/sshd_config (once commented out it defaults to yes!)
5) restart sshd: /etc/init.d/ssh restart or service sshd restart
6) test!

For OpenVPN with Yubikey and PAM:

1) Follow the above steps for the correct yubikey pam module
2) Install OpenVPN with a default server.conf, ca.crt, server.crt etc. following the 100 manuals on the net
3) Check whether the OpenVPN AUTH module was installed along with OpenVPN, i.e. /usr/lib/openvpn/openvpn-auth-pam.so – if you don’t have this file, install the openvpn-pam module
4) add the following to /etc/openvpn/server.conf:
#
### yubikey auth
#
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
(make sure the plugin path is correct; the last word on the plugin line is the PAM service name, openvpn, whose file we create manually in the next step)
5) create a file /etc/pam.d/openvpn with the following contents:
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth required pam_unix.so use_first_pass
# first check the yubikey auth and then a successful unix PAM auth
6) change the client openvpn config to add the following line: auth-user-pass
7) test!
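
Both the per-user authorized_yubikeys file from the SSH steps and the /etc/yubikeyid file named by authfile= in the OpenVPN PAM config use the same username:publicid:publicid mapping, where each public ID is the first 12 characters of the OTP that token types. The following added example is not pam_yubico’s code; it re-implements only that local mapping step so you can see what is actually being checked before the OTP is sent to the Yubico API (that API step is not shown). The sample file contents and the sample OTPs are constructed values, not real token IDs.

```python
from __future__ import annotations

# Modhex is the keyboard-layout-independent alphabet a YubiKey types OTPs in.
MODHEX = set("cbdefghijklnrtuv")
PUBLIC_ID_LEN = 12   # what the page calls the "yubikey first 12 characters"
OTP_LEN = 44         # standard Yubico OTP: 12-char public ID + 32-char encrypted part

# Constructed sample authfile, not real token IDs.
SAMPLE_AUTHFILE = """\
# username:publicid1:publicid2 (constructed sample)
alice:ccccccbcdefg:cccccchijkln
bob:ccccccdddddd
"""


def parse_authorized(text: str) -> dict[str, set[str]]:
    """Parse 'username:id1:id2...' lines into {username: {public_id, ...}}.

    Blank lines and '#' comments are skipped; a malformed ID (wrong length or
    non-modhex characters) is rejected loudly rather than silently ignored,
    because a typo here would lock the user out or map the wrong token."""
    mapping: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        ids = [i for i in ids if i]  # tolerate a trailing colon
        bad = [i for i in ids if len(i) != PUBLIC_ID_LEN or set(i) - MODHEX]
        if bad:
            raise ValueError(f"invalid public id(s) for {user!r}: {bad}")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def public_id(otp: str) -> str | None:
    """Return the 12-character public ID of a well-formed OTP, else None."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or set(otp) - MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]


def otp_belongs_to(mapping: dict[str, set[str]], username: str, otp: str) -> bool:
    """True only if the OTP is well-formed and its public ID is listed for this user."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(username, set())


def demo() -> dict[str, bool]:
    mapping = parse_authorized(SAMPLE_AUTHFILE)
    alice_otp = "ccccccbcdefg" + "c" * 32          # constructed OTP from alice's first token
    bogus_otp = "ccccccbcdefg" + "a" * 32          # 'a' is not modhex
    return {
        "alice_own_token": otp_belongs_to(mapping, "alice", alice_otp),
        "bob_with_alice_token": otp_belongs_to(mapping, "bob", alice_otp),
        "unknown_user": otp_belongs_to(mapping, "carol", alice_otp),
        "malformed_otp": otp_belongs_to(mapping, "alice", bogus_otp),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that this mapping only binds a token to a username; it proves nothing about possession of the token, which is why the module still validates the full OTP against the server (url=/id=/key= in the pam.d line).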

Yubikey and Squirrelmail:
Read the howto here:

http://wiki.yubico.com/wiki/index.php/Applications:Squirrelmail_Plugin

Don’t forget to install php-curl or a similar package, as PHP needs to issue a curl POST against the Yubico API.