I See London, I See France

Just Another Person on the Internet's Rants


Ubuntu 18.04 (LTS): YubiKey Login to the Desktop

[NOTE: The typical warnings apply here. You can seriously lock yourself out of your system if you perform any of these steps incorrectly.]

Alright, so we’ve got the disk encryption set up and the system automatically locks when you remove the YubiKey. All that’s left is to make login (and sudo) require the YubiKey to be present, by adding a challenge-response check to the PAM authentication stack, and we have a somewhat locked-down system.

Assuming you left Slot 2 free for this, the commands below all use slot 2; otherwise change the slot number accordingly, or you’ll overwrite the key used for the disk encryption, and won’t starting that over from scratch be just the bestest fun in the history of ever!?

OK, first things first: program slot 2 for HMAC-SHA1 challenge-response with a freshly generated secret (add -t if you want the key to demand a touch for every response):

ykman otp chalresp -g 2

Now we write the initial challenge/response state for your user account. Run this as your normal user, not under sudo, because it creates ~/.yubico/challenge-<serial> in your home directory, and pam_yubico will look for it there:

ykpamcfg -2

Now let’s configure sudo to require the YubiKey. We’ll be using our favourite text editor for this, so the same steps to save and exit apply.

sudo nano /etc/pam.d/sudo

Add the pam_yubico line (the last line below) to your config file; the two session lines are already there and are shown only so you can see where it goes.

session    required   pam_env.so readenv=1 user_readenv=0
session    required   pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
auth    required        pam_yubico.so mode=challenge-response

Ctrl + X, Y to accept. DO NOT CLOSE THE WINDOW.

Before we go any further, we need to test the new combination, and this is why the window stays open: that shell elevated to sudo a moment ago and still holds a cached ticket for a while (15 minutes by default on Ubuntu), so you can use it to revert the config if the test fails. 🙂 That same cache also means testing in this window proves nothing, because sudo won’t re-authenticate at all. So open a new Terminal window, pull the YubiKey out of the USB port, and run:

sudo -k
sudo echo test

Even though you enter the correct password, authentication should fail. sudo still asks for the password because pam_yubico is ‘required’ rather than ‘requisite’, so the stack runs to the end before failing, which is exactly what we want when the YubiKey isn’t present.

Now insert the YubiKey and run the same two commands again in the new window (still don’t close the old one).

sudo -k
sudo echo test

With luck, this attempt succeeds, after a brief pause while the key computes the response. If it doesn’t: do not pass go, do not collect $200. From the old, still-elevated window, revert the change to /etc/pam.d/sudo and start from scratch.

If the authentication was successful, then we just need to tell the system to require the YubiKey on login.

sudo nano /etc/pam.d/gdm-password

Add the pam_yubico line (the last line below) to your config, right after the existing @include common-auth and pam_gnome_keyring lines:

@include common-auth
auth    optional        pam_gnome_keyring.so
auth    required        pam_yubico.so mode=challenge-response

Close, accepting the changes on the way out.
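As an added example, not part of the original post, here is a small shell helper that performs the two PAM edits above the cautious way: it refuses to go ahead unless the state file written by ykpamcfg exists and is private to the user, backs up the service file, inserts the pam_yubico line exactly once directly after @include common-auth (the placement used above for gdm-password, which works for sudo as well), and can restore the backup from the still-elevated terminal if the YubiKey test fails. It assumes Ubuntu 18.04’s PAM layout (an @include common-auth line in the service file) and GNU sed and stat; the backup suffix .bak-yubico and the script name yubico-pam.sh are my own choices.

```sh
#!/bin/sh
# Added example (not from the original post): helpers to wire pam_yubico
# challenge-response into a PAM service file with a backup, an idempotency
# check and a rollback path, so the edit can be rehearsed on a copy of
# /etc/pam.d/sudo before the real file is touched.
set -eu

YUBICO_LINE='auth    required        pam_yubico.so mode=challenge-response'

# Return 0 if the per-user state written by `ykpamcfg -2` (challenge-<serial>)
# exists in directory $1 (normally ~/.yubico) and is readable by the owner only.
# The file holds the response the module expects; without it pam_yubico fails
# every attempt, and enabling the PAM line before this passes is how people
# lock themselves out.
check_chalresp_state() {
    dir=$1
    found=0
    for f in "$dir"/challenge-*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "$f has mode $mode; run: chmod 600 $f" >&2
            return 1
        fi
        found=1
    done
    [ "$found" -eq 1 ] || { echo "no challenge-* state in $dir; run ykpamcfg -2 as the user" >&2; return 1; }
}

# Insert YUBICO_LINE into PAM service file $1 directly after "@include common-auth".
# Writes a backup to $1.bak-yubico first; does nothing if the module is already there.
enable_yubico_auth() {
    file=$1
    if grep -q 'pam_yubico\.so' "$file"; then
        echo "pam_yubico already present in $file" >&2
        return 0
    fi
    if ! grep -q '^@include common-auth' "$file"; then
        echo "$file has no '@include common-auth' line; refusing to guess placement" >&2
        return 1
    fi
    cp -p "$file" "$file.bak-yubico"
    sed -i "/^@include common-auth/a $YUBICO_LINE" "$file"
}

# Restore the backup made by enable_yubico_auth. Run this from the terminal that
# still holds a sudo ticket if the YubiKey test fails.
rollback_yubico_auth() {
    file=$1
    [ -f "$file.bak-yubico" ] || { echo "no backup for $file" >&2; return 1; }
    cp -p "$file.bak-yubico" "$file"
}

# Number of pam_yubico lines in $1, to confirm the edit happened exactly once.
count_yubico_lines() {
    grep -c 'pam_yubico\.so' "$1" || true
}

# Usage (check as your own user; enable/rollback as root):
#   sh yubico-pam.sh check
#   sh yubico-pam.sh enable   /etc/pam.d/sudo
#   sh yubico-pam.sh rollback /etc/pam.d/sudo
if [ "$#" -gt 0 ]; then
    case $1 in
        check)    check_chalresp_state "${2:-$HOME/.yubico}" ;;
        enable)   enable_yubico_auth "${2:?pam service file required}" ;;
        rollback) rollback_yubico_auth "${2:?pam service file required}" ;;
        *) echo "usage: $0 check [dir] | enable <file> | rollback <file>" >&2; exit 2 ;;
    esac
fi
```

Rehearse on a copy first: copy /etc/pam.d/sudo to /tmp, run the enable action against the copy and diff it against the original, then run the check action as your own user and the enable action as root. The script refuses files without an @include common-auth line rather than guessing a position, because a misplaced auth line in a PAM stack fails open or fails closed with equal ease.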

…and that’s it. Log out and back in at the GDM screen (or give the system the good old reboot: sudo init 6, if you’re feeling frosty) and you should now, forever and always, need your YubiKey inserted to log in or to do anything that requires sudo. If the graphical login does refuse you, switch to a text console with Ctrl+Alt+F3: that login goes through /etc/pam.d/login, which you haven’t touched, so you can sign in there and revert the gdm-password change.

You know, like a civilised human being.

Thanks for coming to this NERDTalk™ and happy Ubuntuing!

Posted 2019-03-12 by iseelondoniseefrance_lx76x6. Tags: challenge-response, desktop, GDM, Login, PAM, pam.d, sudo, Ubuntu, Yubico, YubiKey.