Hacker News new | ask | show | jobs
by mihaigalos 913 days ago
I'm using a Yubikey for both sudo and ssh 2FA:

# /etc/pam.d/sudo

    auth      optional  pam_faildelay.so delay=5000000
    auth      [success=1 default=ignore] pam_yubico.so authfile=/home/user/auth_file id=16 
    session   required  pam_env.so readenv=1 user_readenv=0
    session   required  pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
    @include  common-auth
    @include  common-account
    @include  common-session-noninteractive
# /etc/pam.d/sshd

    auth     optional   pam_faildelay.so delay=5000000
    auth     requisite  pam_yubico.so authfile=/home/user/auth_file id=16 debug
    account  include    base-account
    auth     required   pam_env.so
    auth     required   pam_nologin.so successok
1 comments
mihaigalos 913 days ago
Sidenote: This requires internet access. I'm considering selfhosting a Yubikey auth server and disabling ssh on it.
link
Thorrez 913 days ago
Why does it require internet access? If you use a private key stored on your yubikey and a public key stored in your ssh configs, that shouldn't require internet access.
link
mihaigalos 912 days ago
Because there is a Yubico server involved in the auth process. No internet access means you cannot authenticate.
link
Thorrez 912 days ago
Why is there a Yubico server involved? Why can't it use public and private keys? What does the Yubico server do?

Hopefully this isn't using Yubico OTP, which is phishable:

https://developers.yubico.com/OTP/

link
jasomill 912 days ago
Two offline alternatives come immediately to mind.

1. Reconfigure pam_yubico to use local challenge-response auth instead of YubiCloud. The ykpamcfg(1) man page[1] explains how to do so.

2. Use pam_u2f to enable FIDO2/U2F auth. See, e.g.,

https://support.yubico.com/hc/en-us/articles/360016649099-Ub...

https://docs.fedoraproject.org/en-US/quick-docs/using-yubike...

Though on Fedora (and RHEL), I personally prefer authselect to hand-editing /etc/pam.d; in particular, authselect's "sssd" default profile includes optional U2F support:

    $ authselect show sssd | fgrep -C 2 u2f | sed -ne '/u2f/,$p'
    with-pam-u2f::
        Enable authentication via u2f dongle through *pam_u2f*.
    
    with-pam-u2f-2fa::
        Enable 2nd factor authentication via u2f dongle through *pam_u2f*.
    
    without-pam-u2f-nouserok::
        Module argument nouserok is omitted if also with-pam-u2f-2fa is used.
        *WARNING*: Omitting nouserok argument means that users without pam-u2f
        authentication configured will not be able to log in *INCLUDING* root.
        Make sure you are able to log in before losing root privileges.
[1] https://raw.githubusercontent.com/Yubico/yubico-pam/5719a2f8...
link
mihaigalos 912 days ago
This is awesome, thanks. But would still like to keep the auth server separate to minimize the attack surface something like the now deprecated [1].

[1] https://github.com/scumjr/yubikeyedup

link