A few weeks ago I covered how to integrate the YubiRadius Virtual Appliance into FreeIPA, which you can find here, or Microsoft Active Directory, which you can find here.
This article is a really quick walkthrough on how to take your authentication one step further and add 2 factor authentication into the same process for your Red Hat Enterprise Linux server estate.
The purpose of the Yubikey is to allow you to authenticate to your systems with a "One Time Password", commonly referred to as an "OTP".
In this article, I will be adding Yubikey 2 factor authentication to an existing Red Hat Enterprise Linux 6.3 system which is already using FreeIPA. The process is identical should you wish to use this for systems authenticating to Microsoft Active Directory as well.
Step 1. Let's start by installing the necessary packages.
Please note, you will need to have access to the EPEL repository. If you are using Fedora, the packages will already be available for you to install.
[root@server ~]# yum install -y pam_yubico
Step 2. Create a file index of the key(s)
For consistency with other "system" based configurations in Red Hat based Linux distributions, I place mine in /etc/sysconfig.
In this file, we need to use the Yubikey ID of each token. The key ID is the first 12 characters of the one time password.
For example, here is a one time password: cccccccfgfhgjneetndbnbujhduuvblrjljrjjtlhueg
If I take the first 12 characters of the above output, my key ID is cccccccfgfhg
We need to use this key ID and place it next to each username we wish to allow Yubikey authentication for.
For example
username: cccccccfgfhg
dale: ccccccbgbrcr
If you wish to allow multiple keys per user, simply separate them with a : (colon).
For example
username: cccccccfgfhg:ccccccbgbrcr
dale: ccccccbgbrcr
Now, let's create our key file
[root@server ~]# vi /etc/sysconfig/yubikey
username: cccccccfgfhg
dale: ccccccbgbrcr
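To make the key-file format concrete, here is an added example (not part of the original article or of pam_yubico) that parses a file in the "user: id:id" layout above, extracts the 12-character key ID from a full OTP, and checks whether that token is enrolled for a user. The sample file contents are constructed; treating "#" lines as comments is my assumption, and this covers only the local mapping step, not OTP validation against YubiCloud.

```python
MODHEX = set("cbdefghijklnrtuv")  # the Yubikey's ModHex alphabet
PUBLIC_ID_LEN = 12                # key ID = first 12 characters of an OTP
OTP_LEN = PUBLIC_ID_LEN + 32      # public ID followed by 32 ModHex chars

# Constructed sample of /etc/sysconfig/yubikey in the page's format.
SAMPLE_AUTHFILE = """\
# comment lines and blank lines are skipped (assumption)
username: cccccccfgfhg:ccccccbgbrcr
dale: ccccccbgbrcr
"""


def parse_authfile(text):
    """Return {username: set(key_ids)} from the colon-separated key file."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, ids = line.partition(":")
        user = user.strip()
        if not sep or not user:
            raise ValueError(f"line {lineno}: expected 'user: id[:id...]'")
        key_ids = {k.strip() for k in ids.split(":") if k.strip()}
        for k in key_ids:
            # Reject anything that is not a 12-character ModHex key ID,
            # so a typo in the file fails loudly instead of silently.
            if len(k) != PUBLIC_ID_LEN or set(k) - MODHEX:
                raise ValueError(f"line {lineno}: {k!r} is not a valid key ID")
        mapping.setdefault(user, set()).update(key_ids)
    return mapping


def public_id(otp):
    """Return the key ID (first 12 chars) of a well-formed OTP, else None."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or set(otp) - MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]


def token_allowed_for_user(mapping, user, otp):
    """True if the OTP was produced by a token enrolled for this user."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(user, set())
```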
Step 3. Add the yubico PAM module to your local PAM configuration.
Here you have a few options. I use full system wide authentication, which I will configure in /etc/pam.d/system-auth; however, you have the option of only adding Yubikey authentication to any number of services, should you choose not to add it to your entire system. E.g., you would configure SSH with /etc/pam.d/sshd.
Add the below line to /etc/pam.d/system-auth to integrate system wide authentication.
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
If you have your own internal Yubikey validation server, you can specify your own server with the "url" option.
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey url=https://yubico-val.example.com/wsapi/verify?id=%d&otp=%s
If you do not specify a url, the default configuration is to validate against the Yubico YubiCloud authentication platform.
Here is my system-auth file, if you would like to compare:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Step 4. Test your configuration
If everything is working fine, you should see a new message asking for your Yubikey OTP as well as your password.
E.g.
[dale@server ~]$ su -l root
Yubikey for `root':
Password:
[root@server ~]#
Feel free to contact me or leave comments should you need any assistance.
Hi,
I tried going through your step by step guide, but unfortunately it does not work for me. When I tried to switch user it asked for the Yubikey; after putting in the right key and password it returns an incorrect password message.
[nayeem@localhost ~]$ cat /etc/sysconfig/yubikey
nayeem: cccccccccccc
[nayeem@localhost ~]$
[nayeem@localhost ~]$ su - nayeem
Yubikey for `nayeem':
Password:
su: incorrect password
[nayeem@localhost ~]$
And I didn't find any incoming login request in /var/log/secure.
Any idea?