Configure an Ubuntu client for using YubiKey Two-Factor Authentication

Install the Yubico PAM Libraries

This is a fairly straightforward set of commands for installing the libpam-yubico package from Yubico onto the client system. The commands are run by root at the command prompt.

  1. #> add-apt-repository ppa:yubico/stable
  2. #> apt-get update
  3. #> apt-get -y install libpam-yubico
Among other things, the libpam-yubico package will install the pam_yubico.so PAM module located in the /lib/security directory.

Install Certificate From YubiKey Certificate Authority (CA)

It is possible to reach a validation server over plain http, but this is not secure. To use https instead, the client system must have a certificate from a trusted certificate authority (CA) installed in its local ca-certificates cache. CSCF uses a locally generated CA for this purpose (see CreateCertAuth) for added security. Since the client must be modified anyway, adding a trusted certificate is just part of the configuration process. The certificate generated by CSCF's "intermediate CA" is normally a .crt file which is copied to the file system of the client computer. This certificate file is placed at /usr/share/ca-certificates/CSCF/<the_certificate_file_from_the_cscf_ca.crt>. As root user, execute the following steps.

  1. Copy .crt file from CA to /usr/share/ca-certificates/CSCF/<the_certificate_file_from_the_cscf_ca.crt> on client system.
    • If the CSCF sub-directory is not present then add it.
  2. Update the /etc/ca-certificates.conf on the client system with the path of the new certificate file.
    • Add the line CSCF/<the_certificate_file_from_the_cscf_ca.crt> to the /etc/ca-certificates.conf file
  3. Run the command update-ca-certificates at a command prompt.
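The three steps above as one idempotent shell function, added here as an example that is not part of the original page: it copies the .crt into the CSCF sub-directory (creating it if missing), registers it in /etc/ca-certificates.conf exactly once, and runs update-ca-certificates. The file name cscf-intermediate.crt in the usage comment and the optional root-directory argument (so the procedure can be rehearsed in a scratch directory before touching a real client) are assumptions of this example, not names from the page.

```shell
#!/bin/sh
# Added example, not part of the CSCF page: performs the three certificate
# steps above as one idempotent function. The file name cscf-intermediate.crt
# in the usage comment and the optional <root> argument (to rehearse in a
# scratch directory) are assumptions of this example.
set -eu

# install_cscf_ca <path-to-crt> [root]
#   1. copies the .crt into <root>/usr/share/ca-certificates/CSCF/
#   2. adds the line "CSCF/<file>" to <root>/etc/ca-certificates.conf, once
#   3. runs update-ca-certificates, but only when <root> is "/" (a real client)
install_cscf_ca() {
    crt=$1
    root=${2:-/}
    base=$(basename "$crt")

    # update-ca-certificates only considers *.crt files, so refuse other names
    case "$base" in
        *.crt) ;;
        *) echo "certificate must be named *.crt, got: $base" >&2; return 1 ;;
    esac
    # refuse to register something that is not a PEM certificate at all
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" || {
        echo "not a PEM certificate: $crt" >&2
        return 1
    }

    certdir="${root%/}/usr/share/ca-certificates/CSCF"
    conf="${root%/}/etc/ca-certificates.conf"
    mkdir -p "$certdir" "$(dirname "$conf")"   # creates the CSCF sub-directory if missing
    install -m 0644 "$crt" "$certdir/$base"
    touch "$conf"
    # grep -x matches whole lines, so a re-run does not add a duplicate entry
    grep -qx "CSCF/$base" "$conf" || printf 'CSCF/%s\n' "$base" >> "$conf"

    if [ "${root%/}" = "" ]; then
        update-ca-certificates
    fi
}

# ca_entry_count <root> <file>
#   Prints how many times CSCF/<file> is listed in ca-certificates.conf.
ca_entry_count() {
    grep -cx "CSCF/$2" "${1%/}/etc/ca-certificates.conf" || true
}

# On a real client, as root:
#   install_cscf_ca /path/from/the/CA/cscf-intermediate.crt
```

After a real run the certificate is hashed into /etc/ssl/certs, which is the capath the sudo PAM stack further down hands to pam_yubico. A quick check that the chain is now trusted is `openssl s_client -connect yubikey-val-1.cscf.uwaterloo.ca:443 -CApath /etc/ssl/certs`, which should end with "Verify return code: 0 (ok)".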

Update (sudo) PAM Stack To Include YubiKey Validation

In all cases thus far, it is the sudo PAM stack (/etc/pam.d/sudo) that implements two-factor authentication in CSCF. This is the stack which manages authentication of the sudo command for becoming local root user. It should be pointed out that whether or not a user has a CSCF configured YubiKey, that user must still be authorized to use the sudo command through the local /etc/sudoers file.

Below is an example of such a PAM stack. It is configured such that local users do not need to utilize a YubiKey to become root user. For all CSCF systems, there is only one such local account which may use sudo. This is implemented so that any system may still be administered even when YubiKey validation services are not available. All other users, listed in our Directory Services, must use a YubiKey as part of their sudo authentication to become root.

Directory Services users (from CSCF) must supply their login (kerberos or domain) password followed by an OTP from their personal YubiKey. The pam_yubico.so module parses the user's login password out of the combined string and forwards it to the next PAM module in the stack for authentication - in this case pam_krb5.so for kerberos authentication. The OTP itself is sent to one of the listed validation servers. Both the kerberos authentication and the OTP validation must be successful for sudo authentication to pass.

/etc/pam.d/sudo:

#
#%PAM-1.0
#
auth       required   pam_env.so readenv=1 user_readenv=0
auth       required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
#
# BEGIN TWO FACTOR AUTHENTICATION
# CSCF sudo authentication utilizes yubikey based two-factor authentication for most accounts with
# permission to utilize sudo.
#
# Local system accounts with sudo permission will not require a yubikey.
#
auth [default=1 success=ignore] pam_localuser.so
auth [default=2 success=done] pam_unix.so
#
# Non-local (Directory Services) accounts (permitted to use sudo) will require a yubikey for sudo authentication alongside their
# personal kerberos password. The yubikey must be connected to a USB port on the user's session terminal.
#
# This may look counter-intuitive but the pam_yubico.so module can accept a PASSWORD + YUBIKEY combination when it prompts the user.
# The user types their kerberos password (WHAT I KNOW) followed by tapping their yubikey button (WHAT I HAVE).
# The YUBIKEY portion is parsed out of the subsequent authtoken and sent to one of the validation servers. The kerberos password
# is retained in the authtoken and forwarded to the subsequent pam_krb5.so module for authentication provided YUBIKEY validation succeeds.
#
auth [default=1 success=ok]  pam_yubico.so id=1 ldap_uri=ldap://ldap.cs.uwaterloo.ca/ [ldapdn=ou=CS,dc=cs,dc=uwaterloo,dc=ca] ldap_filter=sAMAccountName=%u yubi_attr=otherPager mode=client urllist=https://yubikey-val-2.cscf.uwaterloo.ca/wsapi/2.0/verify.php;https://yubikey-val-1.cscf.uwaterloo.ca/wsapi/2.0/verify.php;https://yubikey-val-3.cscf.uwaterloo.ca/wsapi/2.0/verify.php capath=/etc/ssl/certs
#
auth required pam_krb5.so use_first_pass
#
@include common-account
@include common-session-noninteractive
#
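The password+OTP split described above and the jump logic of this stack, as an added example that is not part of the original page: two POSIX shell functions. The first separates a typed "kerberos password followed by OTP" string the way pam_yubico does, using the fact that a YubiKey OTP is the trailing 44 modhex characters (12-character public ID plus 32-character token). The second replays the [default=N success=...] control flow of the auth lines above for a given set of module outcomes, so that the four possible paths (local account with a right or wrong password, Directory Services account with an accepted or rejected OTP) can be seen without a YubiKey or a validation server. The sample password and OTP in the comments are constructed; the module outcomes are inputs you choose.

```shell
#!/bin/sh
# Added example, not part of the CSCF page.
#   split_password_otp : separates "password + YubiKey OTP" as pam_yubico does
#   walk_sudo_stack    : replays the jumps of the sudo auth stack above
# The 44-character modhex OTP layout is a YubiKey fact; the sample values in
# the comments are constructed for this example.
set -eu

OTP_LEN=44   # 12-character public ID + 32-character encrypted token

# split_password_otp <authtoken>
#   Prints "<password><TAB><otp>". Returns 1 when the trailing 44 characters
#   are not modhex, i.e. when the user typed no OTP at all.
#   e.g. "hunter2ccccccbtvknnlcftjvfgvjeulrdbnjiffeirugudtjkt" (constructed)
#        -> "hunter2" and "ccccccbtvknnlcftjvfgvjeulrdbnjiffeirugudtjkt"
split_password_otp() {
    token=$1
    [ "${#token}" -ge "$OTP_LEN" ] || return 1
    otp=$(printf '%s' "$token" | tail -c "$OTP_LEN")
    case "$otp" in
        *[!cbdefghijklnrtuv]*) return 1 ;;   # a non-modhex letter: not an OTP
    esac
    password=${token%"$otp"}                 # everything typed before the OTP
    printf '%s\t%s\n' "$password" "$otp"
}

# walk_sudo_stack <local y|n> <unix y|n> <yubikey y|n> <krb5 y|n>
#   Prints the modules actually consulted and the verdict, e.g.
#   "localuser unix => success"; returns 0 on success, 1 on failure.
#   The two leading pam_env lines are omitted: they are "required" and
#   always succeed.
walk_sudo_stack() {
    is_local=$1 unix_ok=$2 yubi_ok=$3 krb5_ok=$4
    path=""
    set -- localuser unix yubico krb5     # the remaining auth modules, in order
    while [ $# -gt 0 ]; do
        m=$1; shift
        path="${path:+$path }$m"
        case "$m" in
            localuser)
                # [default=1 success=ignore]: local accounts fall through to
                # pam_unix; everyone else jumps over it to pam_yubico.
                [ "$is_local" = y ] || shift 1 ;;
            unix)
                # [default=2 success=done]: a correct local password ends the
                # stack successfully; a wrong one jumps over yubico AND krb5.
                if [ "$unix_ok" = y ]; then echo "$path => success"; return 0; fi
                shift 2 ;;
            yubico)
                # [default=1 success=ok]: a rejected OTP jumps over pam_krb5;
                # an accepted one passes the retained password on (use_first_pass).
                [ "$yubi_ok" = y ] || shift 1 ;;
            krb5)
                # required: the final word for Directory Services users.
                if [ "$krb5_ok" = y ]; then echo "$path => success"; return 0; fi
                echo "$path => failure"; return 1 ;;
        esac
    done
    # A jump ran past the last module. No module set a positive result, so
    # Linux-PAM's end-of-stack sanity check fails the authentication rather
    # than granting it.
    echo "$path => failure"
    return 1
}
```

Running `walk_sudo_stack y n y y` shows why a local account with a wrong password never reaches pam_yubico (it prints "localuser unix => failure"), while `walk_sudo_stack n n y n` shows that a valid OTP alone is not enough for a Directory Services user: pam_krb5 still has to accept the retained password.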

-- ClaytonTucker - 2015-09-01

Topic revision: r2 - 2015-09-03 - ClaytonTucker