YubiKey on Debian HowTo

timm

Oct 13, 2008, 3:14:57 AM10/13/08
to yubico-devel
Install a standard server install of Debian lenny

apt-get update
apt-get upgrade
apt-get install build-essential autoconf automake libtool libpam-dev subversion libcurl4-gnutls-dev ntp ntpdate

mkdir yubikey
cd yubikey

wget http://yubico-c.googlecode.com/files/libyubikey-1.1.tar.gz
tar zxvf libyubikey-1.1.tar.gz
cd libyubikey-1.1
./configure
make
make check
make install

cd ..

wget http://yubico-c-client.googlecode.com/files/libyubikey-client-1.4.tar.gz
tar zxvf libyubikey-client-1.4.tar.gz
cd libyubikey-client-1.4
autoreconf -fvi
./configure
make check
make install

cd ..

svn checkout http://yubico-pam.googlecode.com/svn/trunk/ yubico-pam-svn
cd yubico-pam-svn
autoreconf --install
./configure
make clean
make check install

OR

tar zxvf pam_yubico-1.8.tar.gz
cd pam_yubico-1.8
./configure
make check install

I chose the SVN route

cd ..

pico /etc/pam.d/sshd (This is my whole file)

# PAM configuration for the Secure Shell service

## YubiKey Config
# Administrative Level
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
#OR
# User Level
# auth required pam_yubico.so id=16 debug

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

pico /etc/ssh/sshd_config (Change settings as follows)

ChallengeResponseAuthentication no
UsePAM yes
Not required but good practice:
PermitRootLogin no

pico /etc/yubikeyid
timm:nktcdenuukhc:hgfujcchbnjg
pico /home/timm/.yubico/authorized_yubikeys
timm:nktcdenuukhc:hgfujcchbnjg

pico /etc/pam.d/common-auth (Change settings as follows)

auth required pam_unix.so try_first_pass nullok_secure debug


cp /usr/local/lib/security/pam_yubico.so /lib/security/pam_yubico.so

I rebooted to be sure that everything loaded, but this is probably overkill.

I used PuTTY to ssh to my YubiKey test box

Password: (enter 'password' and touch the hgfujcchbnjg yubikey)

Hope this is of some use, as I know the HowTo on the wiki is more
tailored to Fedora.

This is tested and works for both the User and Administrative Level of
authentication.

Thank you

Tim
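The two mapping files above (/etc/yubikeyid and ~/.yubico/authorized_yubikeys) use the same user:publicid[:publicid...] format, and the first 12 modhex characters of every 44-character OTP are the key's public id that gets matched against that file. The following is an added illustration of that local lookup, not code from pam_yubico or from the post; the authfile contents and the OTP are constructed samples, and comment handling is this example's own choice. The lookup only decides which key a user may present; the OTP itself still has to be verified by the validation server configured with id=16.

```python
"""Added example: authfile lookup in the style of the pam_yubico mapping file."""
MODHEX = "cbdefghijklnrtuv"          # the 16 modhex characters a YubiKey types
PUBLIC_ID_LEN = 12                   # OTP prefix that identifies the key
OTP_LEN = 44                         # 12-char public id + 32-char encrypted part

# Constructed sample of /etc/yubikeyid in the user:id[:id...] format from the post.
AUTHFILE = """\
timm:nktcdenuukhc:hgfujcchbnjg
# comment lines and blanks are ignored by this example (an assumption)

alice:cccccccccccc
"""

def is_modhex(s, length):
    """True when s is exactly `length` characters drawn from the modhex alphabet."""
    return len(s) == length and all(c in MODHEX for c in s)

def parse_authfile(text):
    """Return {user: set(public ids)}; reject malformed public ids loudly."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        for pid in ids:
            if not is_modhex(pid, PUBLIC_ID_LEN):
                raise ValueError(f"line {lineno}: bad public id {pid!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping

def public_id(otp):
    """The first 12 modhex chars of a 44-char OTP name the key; the rest is the token."""
    if not is_modhex(otp, OTP_LEN):
        raise ValueError("OTP must be 44 modhex characters")
    return otp[:PUBLIC_ID_LEN]

def key_allowed_for(user, otp, mapping):
    """Local check only: a True here still requires server-side OTP validation."""
    return public_id(otp) in mapping.get(user, set())

if __name__ == "__main__":
    m = parse_authfile(AUTHFILE)
    sample_otp = "hgfujcchbnjg" + "cbdefghijklnrtuv" * 2   # constructed, not a real OTP
    print(key_allowed_for("timm", sample_otp, m))          # True
```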

Simon Josefsson

Oct 13, 2008, 6:38:13 AM10/13/08
to yubico...@googlegroups.com
Hi! Thanks for this, as a Debian user I'll benefit from it.

Maybe you could cut'n'paste the howto into a (for example)
DebianYubiKeyAndSSHViaPam wiki page on the yubico-pam code.google.com
wiki? Then everyone can improve on it when things evolve.

Are you a debian developer by any chance? It would be nice to get these
projects packaged for debian proper. I have worked with debian
packaging before, so I know how to do it, but I'm short on time and
cannot upload to debian.org anyway since I'm not a DD.

/Simon

Tim Massey

Oct 13, 2008, 12:01:27 PM10/13/08
to yubico...@googlegroups.com
Simon

The wiki thing is exactly what I was going to do first, but I can't add wiki
pages, or if I can, it's very well hidden.

I am not a Debian developer, but I could have a look at making a package. I
can't make promises on the time frame, but I can have a look at it.

Tim
