I’ve bought Yubikeys to manage several things. Each key can hold two different kinds of authentication at once. The available methods are:

- Yubico OTP
- OATH-HOTP
- Static Password
- Challenge-Response
The goal was to authenticate with my Yubikey alone, without typing a password, but still be able to log in with my user password if I lose the key. Another requirement is to lock my computer as soon as I remove the key.
```
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
# YubiKey first: a successful challenge-response ends the stack (no password asked);
# a failure or a missing key is ignored and the stack falls through to pam_unix below.
auth	sufficient			pam_yubico.so mode=challenge-response
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config
```
And override it to add a custom script (screensaver lock) in /lib/udev/rules.d/69-yubikey.rules:
```
# Skip the access-rights block for anything but add/change events; the
# remove rule sits after the label so it is still evaluated on unplug.
ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
# (idProduct is always four hex digits in sysfs, hence 0114/0116, not 114/116)
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116", \
  ENV{ID_SECURITY_TOKEN}="1"

LABEL="yubico_end"

# Launch on remove
# On a remove event the sysfs attributes (ATTRS{...}) are already gone, so the
# key has to be matched on the ID_* environment properties udev recorded at add time.
ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/path/yubi_remove_script.sh"

# Launch on insert
# ACTION=="add", SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010", RUN+="/path/yubi_add_script.sh"
```
You can check that udev sees your key correctly with this command (insert and remove the key while it runs):

```
udevadm monitor --property
```

Then reload the udev rules:

```
udevadm control --reload-rules
udevadm trigger
```
And create the script where you’ve declared it (yubi_script.sh):
```
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	sufficient			pam_yubico.so debug mode=challenge-response
auth	[success=2 default=ignore]	pam_unix.so nullok_secure
auth	[success=1 default=ignore]	pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_cap.so
# end of pam-auth-update config
```
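The removal script that the udev rule above points at (/path/yubi_remove_script.sh) is not reproduced on this page. The following is an added example of one, not the author's script. It assumes a systemd-logind system (loginctl available) and a screen locker that honours logind's Lock signal; the session list used in the test is constructed. udev runs `RUN+=` programs as root, without a DISPLAY and with the event's properties (ACTION, ID_VENDOR_ID, ID_MODEL_ID, ...) exported in the environment, which is why the script goes through logind instead of talking to the X session directly.

```shell
#!/bin/sh
# yubi_remove_script.sh (added example, not the post's own script): lock every
# local login session when the YubiKey is unplugged.
#
# Assumptions: systemd-logind (loginctl) is present and the screen locker
# honours logind's Lock signal. udev runs RUN+= programs as root, with no
# DISPLAY, and kills them once event handling is over, so the script must not
# depend on the user's X session and must return quickly.
set -eu

# Pick the session ids to lock from `loginctl list-sessions --no-legend` output.
# Columns: SESSION UID USER SEAT TTY [...]. Only sessions bound to a seat
# (seat0, seat1, ...) are local logins; an SSH session has no seat ("-" or
# empty, in which case its TTY shifts into column 4) and is left untouched.
sessions_to_lock() {
    # $1: the list-sessions text (real output on the host, constructed in tests)
    printf '%s\n' "$1" | awk 'NF >= 4 && $4 ~ /^seat[0-9]+$/ { print $1 }'
}

# Lock each session id (whitespace separated) and leave an audit trail in syslog.
lock_sessions() {
    for sid in $1; do
        logger -t yubikey-lock "YubiKey removed: locking session $sid"
        loginctl lock-session "$sid"
    done
}

main() {
    # The udev rule matches SUBSYSTEM=="usb" without a DEVTYPE, so the script
    # may fire once for the device and again for each of its interfaces.
    # Locking an already locked session is harmless, which keeps this idempotent.
    lock_sessions "$(sessions_to_lock "$(loginctl list-sessions --no-legend)")"
}

# udev invokes the script with ACTION=remove in the environment. Run by hand
# without it, nothing is locked, so the helpers above can be exercised safely.
if [ "${ACTION:-}" = "remove" ]; then
    main
fi
```

To try it outside udev, run `ACTION=remove sh /path/yubi_remove_script.sh` from a root shell and confirm the lock in the syslog entries tagged `yubikey-lock`; if the screen does not lock, the locker in use is not subscribed to logind's Lock signal, and `loginctl lock-sessions` can be tested by hand to tell the two cases apart.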