[Cialug] two factor ssh auth

Tom Pohl tom at tcpconsulting.com
Wed Sep 21 15:56:32 CDT 2011


I know a little bit about pam_yubico. When I implemented it a few years ago, I had to hack the code pretty hard to get it to function correctly.  I'd imagine that it is much more polished now.

We implemented it with LDAP lookup for the key identifier to ensure that the YubiKey matches the user that logs in.

I also have it hit my own variation of their web application server for verification without using their servers, which involves reprogramming the keys to have a new AES key that only my service knows.

To re-program the key, I figured out how to re-program the YubiKey from the web by utilizing their ActiveX control in Internet Exploder.

There is also another mode to the key where you have it spit out a long static password instead of the OTP mode.

-Tom



On Sep 21, 2011, at 3:20 PM, Barry Von Ahsen wrote:

> On 9/21/2011 3:17 PM, Barry Von Ahsen wrote:
>> On 9/21/2011 2:48 PM, Don Ellis wrote:
>>> On Tue, Sep 20, 2011 at 12:50 PM, Barry Von Ahsen <barry at vonahsen.com> wrote:
>>>> is anyone doing two factor ssh auth? I started looking at ssh key + pass
>>>> and found monkeysphere[1], I also found wikid[2], freeradius and
>>>> duo_unix[3].
>>>> 
>>>> any suggestions or gotchas? free or low cost is best. also,
>>>> unfortunately,
>>>> end users are all windows based
>>>> 
>>>> 
>>>> -barry
>>>> 
>>>> [1] http://web.monkeysphere.info/why/#index2h2
>>>> [2] http://www.wikidsystems.com/
>>>> [3] http://blog.duosecurity.com/2011/04/announcing-duos-two-factor-authentication-for-unix/
>>>> 
>>> 
>>> One of my LUG buddies here in St Louis (MO) really likes YubiKey with
>>> LastPass. Physical token is really inexpensive and simple.
>> 
>> nice, that looks awesome
> 
> even better, EPEL has pam_yubico packaged for RHEL/centos
> 
> -barry
> 
> 
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
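
An added example, not part of the original thread and not pam_yubico's own code: a sketch of the "key identifier matches the user" check mentioned in the message above. It assumes the standard Yubico OTP layout (a modhex public ID followed by a 32-character encrypted token); the `DIRECTORY` dict is a hypothetical stand-in for the LDAP lookup, and all sample values are constructed.

```python
MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe hex alphabet
TOKEN_LEN = 32               # one AES-128 block (16 bytes) written in modhex
MAX_ID_LEN = 32              # public ID is at most 16 bytes

# Hypothetical stand-in for the LDAP attribute: user -> registered public IDs.
DIRECTORY = {
    "tom": ["ccccccbdefgh"],
    "barry": ["ccccccijklnr"],
}


def split_otp(otp):
    """Split an OTP into (public_id, encrypted_token); raise ValueError if malformed."""
    otp = otp.strip()
    id_len = len(otp) - TOKEN_LEN
    if id_len < 2 or id_len > MAX_ID_LEN or id_len % 2:
        raise ValueError("unexpected OTP length")
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("non-modhex character in OTP")
    return otp[:id_len], otp[id_len:]


def modhex_to_bytes(text):
    """Decode modhex to raw bytes, e.g. to compare with an ID stored in binary."""
    if len(text) % 2:
        raise ValueError("odd-length modhex string")
    pairs = zip(text[::2], text[1::2])
    return bytes(MODHEX.index(hi) * 16 + MODHEX.index(lo) for hi, lo in pairs)


def key_belongs_to(user, otp, directory=DIRECTORY):
    """True only if the OTP's public ID is registered to this user.

    This binds a token to an account; it does not validate the OTP itself.
    The encrypted part must still be checked by the validation service.
    """
    try:
        public_id, _token = split_otp(otp)
    except ValueError:
        return False
    return public_id in directory.get(user, [])


# Constructed sample OTP: tom's public ID plus 32 filler modhex characters.
SAMPLE_OTP = "ccccccbdefgh" + "cbdefghijklnrtuv" * 2
```

Without this binding, any key the validation service accepts would unlock any account; with it, a valid OTP from barry's key is rejected for tom before the validation service is even consulted.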


