HomeBlogsfab's blog

Yubikey and Login

fab's picture
Thu, 12/09/2010 - 12:16 — fab

The yubikey looks like a usb stick but your are not able to store stuff on that device. It would be neat if there are 8 GB of storage space available on it.

Dec 8 21:51:43 laptop kernel: [91264.910303] usb 5-1: new low speed USB device using uhci_hcd and address 4
Dec 8 21:51:43 laptop kernel: [91265.072176] usb 5-1: New USB device found, Vendor=1050, Product=0010
Dec 8 21:51:43 laptop kernel: [91265.072187] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
Dec 8 21:51:43 laptop kernel: [91265.072196] usb 5-1: Product: Yubico Yubikey II
Dec 8 21:51:43 laptop kernel: [91265.072202] usb 5-1: Manufacturer: Yubico
Dec 8 21:51:43 laptop kernel: [91265.109594] input: Yubico Yubico Yubikey II as /devices/pci0000:00/0000:00:1d.0/usb5/5-1/5-1:1.0/input/input15
Dec 8 21:51:43 laptop kernel: [91265.109777] generic-usb 0003:1050:0010.0006: input,hidraw1: USB HID v1.11 Keyboard [Yubico Yubico Yubikey II] on usb-0000:00:1d.0-1/input0

With every pressing on the button a new string is created which can be used as a one time password. The first 12 characters are the ID of the yubikeys.

dedededggaitjgtuhrlbrkkvbenlktuevrekclcnhleh
dedededggaitdnfnhfjgfltunvcefvhvtvghddciibrr
dedededggaitkgittvcutnieeurnjnhhukeetndklgcb
dedededggaitlhfcnhbfiivjnnhghjcuvjftetfikcjc

To do something useful with your yubikey, use it to login your system as a two-factor authentification.  First pam_yubico is needed.

yum install pam_yubico

The next step is to edit the file /etc/pam.d/gdm-password. After the line

auth substack password-auth

the line below needs to be added that the user password and the OTP is required to login.

auth sufficient pam_yubico.so i d=16 authfile=/etc/yubikey_mappings

In the dokumentation of pam_yubikey are more details available. In the file /etc/yubikey_mappings the mapping of users to yubikeys must be made. Use the ID (12 digits) you get when you press the button or use this web page.

Username:yubikey-ID

Now, after you entered your password at the login prompt (GDM) the system is asking you for the OTP.

The German version of this entry is available at my other blog.