Adding Yubikey 2 factor authentication to your Red Hat Enterprise Linux estate

A few weeks ago I covered how to integrate the YubiRadius Virtual Appliance into FreeIPA which you can find here, or Microsoft Active Directory which you can find here.

This article is a quick walk-through of how to take your authentication one step further and add 2 factor authentication into the same process for your Red Hat Enterprise Linux server estate.

The purpose of the Yubikey is to allow you to authenticate to your systems with a “One Time Password”, commonly referred to as an “OTP”.

In this article, I will be adding Yubikey 2 factor authentication to an existing Red Hat Enterprise Linux 6.3 system which is already using FreeIPA. The process is identical, should you wish to use this for systems authenticating to Microsoft Active Directory as well.


Step 1. Let's start by installing the necessary packages.

Please note, you will need to have access to the EPEL repository. If you are using Fedora, the packages will already be available for you to install.

[root@server ~]# yum install -y pam_yubico


Step 2. Create a file index of the key(s)
For consistency with other system-wide configuration in Red Hat based Linux distributions, I place mine in /etc/sysconfig.

In this file, we need to use the Yubikey ID of each token. The key ID is the first 12 characters of the one time password; this prefix is the key's public identity and is the same in every OTP that key generates, which is why it can be used as a stable identifier.

For example, here is a one time password, cccccccfgfhgjneetndbnbujhduuvblrjljrjjtlhueg

If I take the first 12 characters of the above output, my key ID is cccccccfgfhg

We need to place this key ID next to each username we wish to allow Yubikey authentication for, one user per line, in the form username:keyid. Write the line with no space after the colon: pam_yubico compares the fields literally, so a stray space stops the key ID from matching.
For example
username:cccccccfgfhg
dale:ccccccbgbrcr

If you wish to allow multiple keys per user, simply separate them with a : (colon)

For example

username:cccccccfgfhg:ccccccbgbrcr
dale:ccccccbgbrcr

Now, let's create our key file

[root@server ~]# vi /etc/sysconfig/yubikey
username:cccccccfgfhg
dale:ccccccbgbrcr
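As an added example (not from the original post), the following POSIX shell script builds the mapping file from full OTPs rather than hand-copied key IDs: it checks that an OTP is 44 modhex characters, takes the first 12 as the key ID, and adds it to the user's line in the colon-separated format shown above, ignoring duplicates. The AUTHFILE path, the helper names and the second OTP are assumptions constructed for the example; the first OTP is the one quoted earlier in the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the pam_yubico mapping
# file from full OTPs instead of typing key IDs by hand.
# The key ID is the first 12 characters of a 44-character modhex OTP, and
# several keys for one user are joined with colons: user:keyid1:keyid2
# AUTHFILE defaults to a constructed path so this can be tried as a normal
# user; point it at /etc/sysconfig/yubikey for real use.
AUTHFILE="${AUTHFILE:-/tmp/yubikey-authfile.example}"

# otp_to_keyid OTP: print the 12-character key ID, or fail (status 1) if the
# OTP is not exactly 44 modhex characters (the alphabet is cbdefghijklnrtuv).
otp_to_keyid() {
    otp="$1"
    case "$otp" in
        "" | *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#otp}" -eq 44 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# keys_for USER: print USER's colon-separated key IDs (empty if unmapped).
keys_for() {
    [ -f "$AUTHFILE" ] || return 0
    awk -F: -v u="$1" '$1 == u { sub(/^[^:]*:/, ""); print }' "$AUTHFILE"
}

# add_key USER OTP: map the OTP's key ID to USER, appending to an existing
# line or creating one. Duplicates are ignored. No spaces are written around
# the colons, because pam_yubico compares each field literally.
add_key() {
    user="$1"
    keyid=$(otp_to_keyid "$2") || { echo "add_key: invalid OTP for $user" >&2; return 1; }
    [ -f "$AUTHFILE" ] || : > "$AUTHFILE"
    if keys_for "$user" | tr ':' '\n' | grep -qx "$keyid"; then
        return 0    # already mapped
    fi
    tmp="$AUTHFILE.tmp"
    awk -F: -v u="$user" -v k="$keyid" '
        $1 == u { print $0 ":" k; found = 1; next }
        { print }
        END { if (!found) print u ":" k }
    ' "$AUTHFILE" > "$tmp" && mv "$tmp" "$AUTHFILE"
}

# Demo with the OTP quoted in the post and a second, constructed OTP.
add_key username cccccccfgfhgjneetndbnbujhduuvblrjljrjjtlhueg
add_key username ccccccbgbrcrhvntbjdrlkfgnetucrvblihdfgtkjeuv
add_key dale     ccccccbgbrcrhvntbjdrlkfgnetucrvblihdfgtkjeuv
cat "$AUTHFILE"
```

Run it as root with AUTHFILE=/etc/sysconfig/yubikey to maintain the real file; because the whole line is rewritten with awk, the script never leaves a half-written entry behind if it is interrupted.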


Step 3. Add the yubico PAM module to your local PAM configuration.
Here you have a few options. I use full system-wide authentication, which I configure in /etc/pam.d/system-auth; however, you can add Yubikey authentication to only some services instead, should you choose not to add it to your entire system. E.g., for SSH alone you would edit /etc/pam.d/sshd.

Add the line below to /etc/pam.d/system-auth to integrate system-wide authentication. It uses the “required” control and sits ahead of pam_unix.so so that the OTP is always demanded; a line placed after a “sufficient” module would be skipped as soon as that module succeeded.

auth        required    pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey

If you have your own internal Yubikey validation server, you can point the module at it with the “url” option (the %d and %s placeholders are filled in with the client id and the OTP):

auth        required    pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey url=https://yubico-val.example.com/wsapi/verify?id=%d&otp=%s

If you do not specify a url, the default configuration is to validate against the Yubico YubiCloud authentication platform.

Here is my system-auth file, if you would like to compare:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
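As an added check (not from the original post), the following shell function lints the auth stack of a PAM service file such as /etc/pam.d/system-auth: it confirms that pam_yubico.so is listed as required or requisite before the first sufficient module, because a sufficient module that succeeds earlier in the stack ends authentication without the OTP ever being asked for. The function name and the two sample stacks are constructed for the example; the first sample reproduces the ordering of the file above.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for the "auth" stack of a
# PAM service file. It confirms that pam_yubico.so is listed with control
# "required" or "requisite" BEFORE the first "sufficient" module; if a
# sufficient module (such as pam_unix.so) comes first, a correct password
# alone satisfies the stack and the OTP is never enforced.
# check_auth_stack FILE: print a verdict; exit 0 if the OTP is enforced, 1 if not.
check_auth_stack() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }     # comments and blank lines
        $1 != "auth" { next }                     # only the auth stack matters here
        $2 ~ /^\[/ {                              # bracketed control: not handled, flag it
            print "WARN: line " NR " uses a bracketed control field, review it by hand"; next
        }
        $2 == "sufficient" && !yubi {
            print "FAIL: " $3 " is sufficient before pam_yubico.so, the OTP can be bypassed"
            bad = 1; exit
        }
        $3 == "pam_yubico.so" {
            if ($2 == "required" || $2 == "requisite") yubi = 1; else {
                print "FAIL: pam_yubico.so has control " $2 ", it must be required or requisite"
                bad = 1; exit
            }
        }
        END {
            if (bad) exit 1
            if (!yubi) { print "FAIL: pam_yubico.so is not in the auth stack"; exit 1 }
            print "OK: pam_yubico.so is enforced before any sufficient module"
        }
    ' "$1"
}

# Demo on two constructed stacks: the ordering from the post, and the same
# lines with pam_yubico.so moved after pam_unix.so.
demo_dir=$(mktemp -d 2>/dev/null || echo "/tmp/pam-lint.$$")
mkdir -p "$demo_dir"
printf '%s\n' '#%PAM-1.0' \
    'auth        required      pam_env.so' \
    'auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey' \
    'auth        sufficient    pam_unix.so nullok try_first_pass' \
    'auth        required      pam_deny.so' > "$demo_dir/good"
printf '%s\n' 'auth        required      pam_env.so' \
    'auth        sufficient    pam_unix.so nullok try_first_pass' \
    'auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey' \
    'auth        required      pam_deny.so' > "$demo_dir/bad"
check_auth_stack "$demo_dir/good"
check_auth_stack "$demo_dir/bad" || echo "(exit status 1, as expected for the bad stack)"
```

Point it at the real file with check_auth_stack /etc/pam.d/system-auth (or /etc/pam.d/sshd if you only protected SSH). Lines with a bracketed control field are only flagged, not evaluated, so review those by hand.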


Step 4. Test your configuration
If everything is working, you should see a new prompt asking for your Yubikey OTP in addition to your password.

E.g.

[dale@server ~]$ su -l root
Yubikey for `root':
Password:
[root@server ~]#

Feel free to contact me or leave comments should you need any assistance.

One comment on “Adding Yubikey 2 factor authentication to your Red Hat Enterprise Linux estate”

  1. nayeem April 2, 2014 07:31

    Hi,

    I tried going through your step by step guide, but unfortunately it does not work for me. When I tried to switch user it asked for the yubi key; after putting in the right key and password it returns a password incorrect message.
    [nayeem@localhost ~]$ cat /etc/sysconfig/yubikey
    nayeem: cccccccccccc
    [nayeem@localhost ~]$
    [nayeem@localhost ~]$ su - nayeem
    Yubikey for `nayeem':
    Password:
    su: incorrect password
    [nayeem@localhost ~]$

    And I didn't find any incoming login request in /var/log/secure.

    Any idea?
