Configure 2-factor Yubikey authentication for Debian : the easiest way

Mathieu — Tue, 06 Aug 2013 00:20:00 +0200

One of last five years trending topics is the rise of Token authentication, to provide a safer way to authenticate than the classic login/password couple.

Today I will show you how to configure a 2-factor authentication (login/password + yubikey), in order to use it with your local Unix users as well as with SSH login (PAM powered).

In this tutorial, I will use the Yubico API, because it’s simpler. When using the API, the validity check will be computed by Yubico servers. By the way, you can set up your own authentication server if you don’t want to depend on Yubico servers.

First things first, you have to afford a Yubikey at http://www.yubico.com/
Get your Yubikey ID. You can use the 12 first digit of every Yubikey generated password, but you can also generate it from http://demo.yubico.com/php-yubico/Modhex_Calculator.php
For lazy people, type this in a shell and activate your Yubikey : read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}
Create a .yubico directory in your home, and create a file named authorized_yubikeys inside it. Fill this file with your unix username and Yubikey ID like that : username:yubikeyid
Next, create a id/secret couple for each server ou service you want to authenticate : https://upgrade.yubico.com/getapikey/
The ID returned after submitting the URL is the service ID, and the secret is the associated secret. Every pair ID/secret is unique.
You could use the same id/secret for every server you configure, but it is not intended for : you should use a different id/secret couple for every different server.
Log in to your server as root, and install libpam-yubico (from apt : apt-get install libpam-yubico).
And configure it : sudo dpkg-reconfigure libpam-yubico. When prompted, set the service ID in place of the N in id=N and the secret in place of the K in key=K.
Then apply the configuration with the command pam-auth-update.

That’s all ! Every PAM-compliant authentication will now ask for the Yubikey code to authenticate (as well as login and password). When login from SSH, juste activate your Yubikey after typing your password, before typing “enter”.

Warning : if you messed up the Yubikey configuration and are using “sudo” before every command, you will be locked outside your server ! After dpkg-reconfigure, if you checked “Yubico authentication”, it will ask for a Yubikey code every time a “sudo” authentication is required, so keep a root terminal opened to revert your changes.

# uname -a - Mot-clé - token

Configure 2-factor Yubikey authentication for Debian : the easiest way