Sunday, March 31, 2013

yubi key + pam

So,

Decided to play around with multifactor authentication setups.

A friend of mine suggested I try out the yubi keys and a central auth system. I went ahead and sprung for the yubi neo which is an nfc-enabled yubi key vs just the standard usb key. Thought it would be more interesting in the future but I really only needed the usb key.

My main interest was to set up stronger auth for my home network. Not because I need it but because I can ;)

Simple requirements:

  1. multi factor passwords
  2. allow me to use local validation ( say laptop without net access yet )
  3. simple to set up/use
  4. additionally use for my vpn ( openvpn most likely )

So far I have set up basic authentication on a VM. Simple pam auth using the yubi cloud auth servers. I'm not convinced it's set up 100% the way I want it, as you can bypass the authentication via ssh if you use ssh key auth. But that does seem interesting - can have both.

The setup docs on https://github.com/Yubico/yubico-pam/wiki/YubikeyAndSSHViaPAM got me about 90% of the way there. The setup doc is short a few things.
  1. You need to get an api key: https://upgrade.yubico.com/getapikey/
  2. The response contains the id and an api key pair which you need to configure in your pam config. Here is my pam config:

    auth required pam_yubico.so id= key="" mode="client" authfile=/etc/yubikey_mappings

  3. They tell you to set ChallengeResponseAuthentication to no but you actually want yes

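The authfile in that pam line is what ties a YubiKey to a local user: each line is `user:keyid[:keyid...]`, where the key id is the first 12 modhex characters of any OTP the key emits. The following is an added example (not code from the post or from yubico-pam) that mirrors that local user-to-key check in Python; the mapping text and OTPs are constructed, and the comment handling is an assumption of this example.

```python
# Added example: reproduce the authfile user-to-key check that pam_yubico
# performs locally before it asks the YubiCloud whether an OTP is valid.
# Without this mapping, a valid OTP from *any* YubiKey would match any user.
MODHEX = "cbdefghijklnrtuv"   # YubiKey OTPs use this 16-letter alphabet
PUBLIC_ID_LEN = 12            # first 12 modhex chars identify the key
OTP_LEN = 44                  # 12-char public id + 32-char encrypted part

# Constructed sample in authfile format: user:keyid[:keyid...]
# (blank and '#' lines are skipped here; that is this example's choice)
SAMPLE_MAPPINGS = """\
# one user may own several keys
bilsch:ccccccbcgujh:cccccccccccc

alice:cccccccbhgkl
"""


def is_modhex(s):
    """True if s is non-empty and made only of modhex letters."""
    return bool(s) and all(ch in MODHEX for ch in s)


def parse_mappings(text):
    """Return {user: set(public_ids)} from authfile-style text."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        for pub in ids:
            if len(pub) != PUBLIC_ID_LEN or not is_modhex(pub):
                raise ValueError(f"line {lineno}: bad key id {pub!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def public_id(otp):
    """Public identity of the key that produced a 44-char OTP, else None."""
    if len(otp) != OTP_LEN or not is_modhex(otp):
        return None
    return otp[:PUBLIC_ID_LEN]


def user_owns_otp(mapping, user, otp):
    """True only if the OTP came from a key listed for this user."""
    pub = public_id(otp)
    return pub is not None and pub in mapping.get(user, set())
```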
Once I got everything configured, logging in and using sudo all prompt for my yubi password ( your standard password + hit the button on the card ) for access.

    $ ssh 172.16.189.140
    Yubikey for `bilsch':
    Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-23-generic x86_64)

    bilsch@yubi:~$ sudo bash -o vi
    Yubikey for `bilsch':
    root@yubi:~#

Still want to verify this is set up right. I still like the idea of having ssh key auth but for certain special boxes/host types this seems a pretty great setup so far.