All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Script - Single-Factor (Hybrid) authentication with PAM and a Yubikey
Hey guys,
So at work we are given these awesome devices called "YubiKeys", which generate OTPs which can be verified against a FreeRADIUS server, their servers as well as many online services and even your computer logon. They're only $25 (+$5 shipping to most of the world) too, which is a steal!
One of the great things is that they have already coded a libPAM module for it, all you need to do is ensure you are running a newer version of Ubuntu or Debian to install and use it.
This script enables single-factor authentication with either your YubiKey or your password (pressing enter when logging in without your YubiKey skips to normal password authentication).
You will need your API ID and key, which can be obtained from here and your device's unique token ID, which can be obtained by running this in a terminal:
read -p "Press the gold circle on your YubiKey: " s && echo 'The key id is' ${s:0:12}
Just replace the ENTER_YOUR_* with the required information, and all should work 
yubi_auth.sh
# Yubikey authentication script
echo "Installing Yubikey Authentication System."
# Install the Yubikey package
apt-get -y install libpam-yubico
# Add to the beginning of /etc/pam.d/sshd
sed -i "1s/^/auth sufficient pam_yubico.so id=ENTER_YOUR_ID_HERE key=''ENTER_YOUR_KEY_HERE" authfile=\/etc\/yubikey_mappings debug\n/" /etc/pam.d/sshd
sed -i '1s/^/# Yubikey Security\n/' /etc/pam.d/sshd
# Create and place this line into /etc/yubikey_mappings
echo "root:ENTER_YOUR_TOKEN_ID_HERE" > /etc/yubikey_mappings
# Changing the following in /etc/ssh/sshd_config
# ChallengeResponseAuthentication yes
# PasswordAuthentication yes
# UsePAM yes
file=/etc/ssh/sshd_config
cp -p $file $file.old &&
awk '
$1=="PasswordAuthentication" {$2="yes"}
$1=="ChallengeResponseAuthentication" {$2="yes"}
$1=="UsePAM" {$2="yes"}
{print}
' $file.old > $file
# Restart SSH
service ssh restart
echo "Yubikey Authentication System - Installed."
Yes, I know the script is crappy (made it in a minute), but it works for me. Also ensure that if your API key has "/" in it, use a \ in front to stop the script failing. If you have any questions, feel free to ask!
Comments
This look awesome! While hard tokens are awesome, I'm fine with time based codes. Could this be altered to require both btw?
Thanks for taking the time to post this...
Easy! I think you just change sufficient to required in the part that alters /etc/pam.d/sshd
I think you mean that you want to have both password and Yubikey auth. Not sure what you mean by hard tokens.
I presume he mean's -
Time Based Tokens - Authy, Google Authenticator, SMS Codes etc...
Hard Tokens - YubiKey
Ah. Well the Yubikey actually generates a OTP, so it is a Time based token.
Yubikey is counter based, not time based. It is still OTP, but not time based (e.g. like Google Authenticator).
Yep, you're right
Getting this error in Ubuntu 12.04 @Oxdragon can you help?