User:Mparfeni: Difference between revisions

From ICO wiki
Jump to navigationJump to search
No edit summary
Line 16: Line 16:
* Static passwords
* Static passwords


== Two-factor authentication with SSH ==
== Yubikey as hardware token for GPG ==


This details how to use a Yubikey to have [[wikipedia:Two-factor_authentication|two-factor authentication]] with SSH, that is, to use both a password and a Yubikey-generated OTP.
=== Introduction ===


=== Prerequisites ===
GPG is most often used to encrypt and sign e-mails within software developer communities and cyberpunk circles. You also find that GPG is used to verify packages when you install software on your Ubuntu or Fedora box. GPG keyring can also be used for authenticating SSH connections.


Install yubico-pam.
Yubikey 4 Nano is one of the tiniest OpenPGP compatible hardware tokens on the market. With hardware token the your RSA private keys used by the GPG are not readable in the filesystem as it would usually be under ~/.gnupg directory.


=== Configuration ===
Using GPG to send encrypted/signed e-mail can be done via variety of applications each one coming with a different support level for hardware tokens such as Yubikey:


==== Authorization Mapping Files ====
Encrypting on command line as shown below works perfectly with Yubikey, but is cumbersome to use for newbies.
Evolution has full GPG support built-in on Fedora, supports hardware tokens such as Yubikey for signing and encrypting. Retrieving correspondent's keys and setting trust level still has to be performed on command-line as shown below.
Enigmail is a GPG plugin for Mozilla Thunderbird, supports hardware tokens, good user interface integration - untrusted senders key can easily be signed.
Mailvelope generates keys internally and currently can't make use of hardware token
PIV and PGP modes can't be used simultaneously


A mapping must be made between the YubiKey token ID and the user ID it is
scdaemon which is used by GPG as backend to access smartcards exclusively locks the card even if configured to use PCSC-Lite as backend. Firefox similarily wants to have exclusive access to the token when there are valid certificates present in the PIV applet. This means that currently PGP and PIV modes can't be used simultaneously.
attached to. There are two ways to do this, either centrally in one file, or
individually, where users can create the mapping in their home directories.
If the central authorization mapping file is being used, user home directory
mappings will not be used and vice versa.


===== Central authorization mapping =====
GPG has most often two versions installed: gpg and gpg2


Create a file {{ic|/etc/yubico/authorized_yubikeys}}, the file must contain a user name and the
Following guide focuses on gpg2 only. When gpg command happens to be executed accidentally at wrong time gpg-agent could be started with flags incompatible with gpg2, in that case kill gpg-agent process.
Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey.


The mappings should look like this, one per line:
=== Setting up Yubikey ===


<first user name>:<Yubikey token ID1>:<Yubikey token ID2>:...
Install GPG v2.x if it hasn't been installed yet:
<second user name>:<Yubikey token ID3>:<Yubikey token ID4>:...


You can specify multiple key tokens to correspond to one user, but only one is required.
apt install gnupg2
First check whether GPG detects your token:


===== Per-user authorization mapping =====
gpg2 --card-status
If you have Estonian ID-card reader hooked up to the computer you might have conflicts with web browsers, so it's a good idea to tell GPG reader name:


Each user creates a {{ic|~/.yubico/authorized_yubikeys}} file inside of their home
cat << \EOF >> ~/.gnupg/scdaemon.conf
directory and places the mapping in that file, the file must have only one
reader-port "Yubico Yubikey 4 CCID"
line:
EOF
Set up Yubikey, this is roughly equivalent to gpg2 --full-gen-key:


  <user name>:<Yubikey token ID1>:<Yubikey token ID2>
  gpg2 --card-edit
admin
generate
Add identities, eg. when you use multiple e-mail addresses or aliases and set the trust level to ultimate for all of your identities:


This is much the same concept as the SSH authorized_keys file.
gpg2 --edit-key first.last@example.com
adduid
trust
Export your public keys and upload it to a HTTP(S) accessible URL:


Note that this file must be readable by the {{ic|pam_yubico}} module when the user is authenticated, otherwise login will fail. If this is not possible or desired, use the global mapping file instead.
  gpg2 --export --armor > filename.asc
 
===== Obtaining the Yubikey token ID (a.k.a. public ID) =====
 
You can obtain the Yubikey token ID in several ways. One is by
removing the last 32 characters of any OTP (One Time Password)
generated with your Yubikey. Another is by using the
[http://demo.yubico.com/php-yubico/Modhex_Calculator.php modhex calculator].
 
Enter your Yubikey OTP and convert it, your Yubikey token ID is 12
characters and listed as:
 
Modhex encoded: XXXXXXX
 
==== PAM configuration ====
 
Having set up the {{ic|pam_yubico}} module, you next need to tell PAM to use it when logging in via SSH. There are several ways of doing this.
 
===== The default way =====
 
Obtain HMAC credentials from Yubico as described in [[#YubiCloud and validation servers]]. You will receive a Client ID and a secret key.
 
Add one of the two following lines to the beginnning of {{ic|/etc/pam.d/sshd}}:
 
auth            required      pam_yubico.so id=CLIENTID authfile=/etc/yubico/authorized_yubikeys
 
if you're using a central authorization mapping file, or
 
auth            required      pam_yubico.so id=CLIENTID
 
if you're using per-user authorization mapping, where {{ic|CLIENTID}}} is your Client ID. This method utilizes your ID and the server's certificate to authenticate the connection.
 
===== Using pure HMAC to authenticate the validation server =====
 
Add {{ic|key}} to the above lines in {{ic|/etc/pam.d/sshd}}:
 
auth            required      pam_yubico.so id=CLIENTID key=SECRETKEY ...
 
where {{ic|CLIENTID}} and {{ic|SECRETKEY}} are your HMAC ID and key.
 
You should also disallow unprivileged users to read the file to prevent them from seeing the HMAC credentials:
# chmod o-r /etc/pam.d/sshd
 
===== Using pure HTTPS to authenticate the validation server =====
 
If you do not want to use HMAC credentials from Yubico, it is still possible to authenticate via the Yubico server by setting {{ic|1=CLIENTID=1}} instead of your own ID. Although {{ic|pam_yubico}}'s default server uses HTTPS already, for security reasons you should specify it manually via the {{ic|urllist}} parameter, as the servers certificate is the only way in which the connection is authenticated. You can find the keyserver URL by adding the {{ic|debug}} parameter to the {{ic|auth}} line.
 
==== SSHD configuration ====
 
You should check that {{ic|/etc/ssh/sshd_config}} contains these lines and that they are not commented. The {{ic|sshd_config}} shipped with openssh has these set correctly by default.
ChallengeResponseAuthentication no
UsePAM yes
 
=== That is it! ===
 
You should not need to restart anything if you did not change the SSHD config file.
 
To log in, at the {{ic|Password:}} prompt of SSH, you have to type your password '''without pressing enter''' and touch the Yubikey's button.
The Yubikey should send a return at the end of the OTP so you do not need to touch the enter key at all.
 
You can display information about the login data generated by {{ic|pam_yubico}} by adding the {{ic|debug}} option to the auth line in{{ic|/etc/pam.d/sshd}}. However, if you're using a central authorization file, you should remove that option once finished testing, as it causes {{ic|pam_yubico}} to display the entire content of the central file to every user who logs in using a Yubikey.
 
=== Explanation ===
 
This works because the prompt is {{ic|pam_yubico.so}}'s one, since this module is before {{ic|pam_unix.so}}, which normally does basic password authentication.
So, you are giving a string that is the concatenation of your password and the OTP to {{ic|pam_yubico.so}}.
Since the OTPs have a fixed length (let us call this size N), it just has to get the last N characters to retrieve the OTP, and it assumes that the other characters at the start are the password.
It tries to validate the OTP, and in case of success, sends the password to the next PAM module. In Archlinux' default PAM stack, the authenticator {{ic|pam_unix.so}} is instructed to try receiving a password from the previous module with {{ic|try_first_pass}}, so it automatically uses the password sent by {{ic|pam_yubico.so}}.

Revision as of 01:42, 6 June 2017

Yubikey

Whats is Yubikey

Yubikey

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Facebook uses YubiKey for employee credentials, and Google supports it for both employees and users. Some password managers support YubiKey.

Yubikey features

Let's take a look at the options a YubiKey provides:

  • Yubico One-Time Password (OTP) The YubiKey generates an encrypted password that can only be used once
  • OATH – HOTP (EVENT)
  • OATH – TOTP (TIME)
  • Challenge and Response (HMAC-SHA1, Yubico OTP)
  • PIV-Compatible Smart Card
  • OpenPGP
  • FIDO U2F
  • Static passwords

Yubikey as hardware token for GPG

Introduction

GPG is most often used to encrypt and sign e-mails within software developer communities and cyberpunk circles. You also find that GPG is used to verify packages when you install software on your Ubuntu or Fedora box. GPG keyring can also be used for authenticating SSH connections.

Yubikey 4 Nano is one of the tiniest OpenPGP compatible hardware tokens on the market. With hardware token the your RSA private keys used by the GPG are not readable in the filesystem as it would usually be under ~/.gnupg directory.

Using GPG to send encrypted/signed e-mail can be done via variety of applications each one coming with a different support level for hardware tokens such as Yubikey:

Encrypting on command line as shown below works perfectly with Yubikey, but is cumbersome to use for newbies. Evolution has full GPG support built-in on Fedora, supports hardware tokens such as Yubikey for signing and encrypting. Retrieving correspondent's keys and setting trust level still has to be performed on command-line as shown below. Enigmail is a GPG plugin for Mozilla Thunderbird, supports hardware tokens, good user interface integration - untrusted senders key can easily be signed. Mailvelope generates keys internally and currently can't make use of hardware token PIV and PGP modes can't be used simultaneously

scdaemon which is used by GPG as backend to access smartcards exclusively locks the card even if configured to use PCSC-Lite as backend. Firefox similarily wants to have exclusive access to the token when there are valid certificates present in the PIV applet. This means that currently PGP and PIV modes can't be used simultaneously.

GPG has most often two versions installed: gpg and gpg2

Following guide focuses on gpg2 only. When gpg command happens to be executed accidentally at wrong time gpg-agent could be started with flags incompatible with gpg2, in that case kill gpg-agent process.

Setting up Yubikey

Install GPG v2.x if it hasn't been installed yet: 

apt install gnupg2

First check whether GPG detects your token: 

gpg2 --card-status

If you have Estonian ID-card reader hooked up to the computer you might have conflicts with web browsers, so it's a good idea to tell GPG reader name: 

cat << \EOF >> ~/.gnupg/scdaemon.conf
reader-port "Yubico Yubikey 4 CCID"
EOF

Set up Yubikey, this is roughly equivalent to gpg2 --full-gen-key: 

gpg2 --card-edit
admin
generate

Add identities, eg. when you use multiple e-mail addresses or aliases and set the trust level to ultimate for all of your identities: 

gpg2 --edit-key first.last@example.com
adduid
trust

Export your public keys and upload it to a HTTP(S) accessible URL: 

gpg2  --export --armor > filename.asc
Retrieved from "https://wiki.itcollege.ee/index.php?title=User:Mparfeni&oldid=123151"