From ccaa679f48a6dd05b398f0de475c6da20a1c72c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Henrik=20Str=C3=A5th?= Date: Wed, 29 Oct 2014 16:40:16 +0100 Subject: [PATCH] Update Yubikey_and_SSH_via_PAM.adoc --- doc/Yubikey_and_SSH_via_PAM.adoc | 46 ++++++++++++++++---------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/doc/Yubikey_and_SSH_via_PAM.adoc b/doc/Yubikey_and_SSH_via_PAM.adoc index a3813c5..1f24b69 100644 --- a/doc/Yubikey_and_SSH_via_PAM.adoc +++ b/doc/Yubikey_and_SSH_via_PAM.adoc @@ -64,7 +64,7 @@ this file. However, presently there is no logic coded to detect or prevent use of same Yubikey ID for multiple users. Each record in the file should begin on a new line. The parameters in each -record are separated by “:” character similar to /etc/passwd. +record are separated by `:` character similar to `/etc/passwd`. The contents of this file are as follows: @@ -85,11 +85,11 @@ Yubico PAM module for SSH authentication. ====== Configuration of modified pam_yubico.so module at administrative level ====== -Append the following line to the beginning of /etc/pam.d/sshd file: +Append the following line to the beginning of the `/etc/pam.d/sshd` file: auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file -Make sure you set id=16 to the correct API-id for the yubico validation server. +Make sure you set `id=16` to the correct API-id for the yubico validation server. After the above configuration changes, whenever a user connects to the server using any ssh client, the PAM authentication interface will pass the control to 
@@ -108,13 +108,13 @@ authentication server, a success code is returned. In User level, individual users have the ability to configure yubikey token ID assigned to them. Users can achieve this by creating a new file -".yubico/authorized_yubikeys" inside their home directories that contains +`.yubico/authorized_yubikeys` inside their home directories that contains information about the username and the corresponding IDs of Yubikey(s) assigned to them. A user can be assigned multiple Yubikeys and the multi key mapping is supported by this file. This file must contain only one record. The parameters in the record are -separated by “:” character similar to /etc/passwd. The contents of this file +separated by `:` character similar to `/etc/passwd`. The contents of this file are as shown below: ::: …. 
@@ -124,21 +124,21 @@ e.g. paul:indvnvlcbdre:ldvglinuddek -The .yubico/authorized_yubikeys file must be created/updated manually and must +The `.yubico/authorized_yubikeys` file must be created/updated manually and must be placed inside user's home directory before configuration of Yubico PAM module for SSH authentication. ====== Configuration of modified pam_yubico.so module at user level ====== -Append the following line to the beginning of /etc/pam.d/sshd file: +Append the following line to the beginning of the `/etc/pam.d/sshd` file: auth required pam_yubico.so id=16 debug After the above configuration changes, whenever a user connects to the server using any SSH client, the PAM authentication interface will pass the control to Yubico PAM module. The Yubico PAM module first verifies the username with -corresponding Yubikey token id as configured in the .yubico/authorized_yubikeys +corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys` file that present in the user's home directory who is trying to assess server through SSH. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it reports failure. After 
@@ -168,27 +168,27 @@ response passwords. Change `challenge-response passwords yes` to Test setup for fedora 8 environment is as follows: -* OS Version: Fedora release 8 (Werewolf) -* Kernel Version: Kernel version 2.6.23.1-42.fc8 -* OpenSSH Version : openssh-4.7p1-2.fc8 -* Yubico PAM Version: pam_yubico-1.7 +OS Version:: Fedora release 8 (Werewolf) +Kernel Version:: Kernel version 2.6.23.1-42.fc8 +OpenSSH Version:: openssh-4.7p1-2.fc8 +Yubico PAM Version:: pam_yubico-1.7 ==== Fedora 6 ==== Test setup for fedora 6 environment is as follows: -* OS Version: Fedora Core release 6 (Zod) -* Kernel Version: Kernel version 2.6.18-1.2798.fc6 -* OpenSSH Version : openssh-4.3p2-10 -* Yubico PAM Version: pam_yubico-1.7 +OS Version:: Fedora Core release 6 (Zod) +Kernel Version:: Kernel version 2.6.18-1.2798.fc6 +OpenSSH Version:: openssh-4.3p2-10 +Yubico PAM Version:: pam_yubico-1.7 ==== PAM configuration ==== PAM configuration files in our testing environment are as follows: -* /etc/pam.d/sshd: +===== /etc/pam.d/sshd ===== ------- auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug auth include system-auth @@ -201,17 +201,17 @@ session required pam_loginuid.so ------- -* /etc/yubikeyid: +===== /etc/yubikeyid ===== ------- - root:indvnvlcbdre:ldvglinuddek - test:ldvglinuddek +root:indvnvlcbdre:ldvglinuddek +test:ldvglinuddek ------- -* /root/.yubico/authorized_yubikeys: +===== /root/.yubico/authorized_yubikeys ===== ------- - root:indvnvlcbdre:ldvglinuddek +root:indvnvlcbdre:ldvglinuddek ------- Please change PAM configuration settings for SSH as shown above and test the @@ -221,7 +221,7 @@ configuration. === Testing the Configuration === We assume that you have 'root' and 'test' user configured to access SSH on your -test environment with password “secret” and “pencil” respectively. +test environment with password 'secret' and 'pencil' respectively. Use any standard SSH client for testing (We used SSH command line utility).
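Review bot: the rewritten line "Make sure you set `id=16` to the correct API-id for the yubico validation server." in the -85 hunk still carries lowercase "yubico" and the ad-hoc hyphenation "API-id" even though the hunk touches that line; while here, normalise to "Yubico" and "API id" so the wording matches the "Yubico authentication server" used a few lines later. The example line `auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file` also keeps the `debug` option without the text ever explaining it; either say that `debug` is a verbose troubleshooting option that should be removed once the setup works, or drop it from the recommended line.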
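Review bot: the -124 hunk rewrites "corresponding Yubikey token id as configured in the `.yubico/authorized_yubikeys`" but leaves the ungrammatical continuation "file that present in the user's home directory who is trying to assess server through SSH" untouched on the very next line; since the sentence is already being edited, fix it to "file that is present in the home directory of the user who is trying to access the server through SSH."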
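Review bot: the description-list conversion in the -168 hunk duplicates the term in the value: `Kernel Version:: Kernel version 2.6.23.1-42.fc8` and `Kernel Version:: Kernel version 2.6.18-1.2798.fc6`. With the bullet prefix gone the repetition is no longer needed; use `Kernel Version:: 2.6.23.1-42.fc8` and `Kernel Version:: 2.6.18-1.2798.fc6`, matching the other three entries which give the bare value.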
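Review bot: the -201 hunk correctly strips the leading spaces from the listing-block lines (inside `----` delimiters they would otherwise appear as part of the file contents), but the sample `/etc/yubikeyid` it leaves in place maps the key `ldvglinuddek` to both `root` and `test`. The -64 hunk's own context notes that nothing detects or prevents the same Yubikey ID being assigned to multiple users, so as written this example lets the `test` user's token satisfy the second factor for `root`. Either give the two users distinct IDs in the sample or add a sentence stating that the shared ID is deliberate and what it implies.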
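Review bot: in the -221 hunk, replacing the curly quotes around the passwords with `'secret'` and `'pencil'` makes them consistent with `'root'` and `'test'` on the previous line, but in legacy AsciiDoc a single-quoted word renders as emphasis rather than as a literal string. Since these are exact values the reader must type, backticks (`secret`, `pencil`) would be clearer and would match the treatment this patch gives `/etc/passwd` and `id=16` elsewhere.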