In a previous article, I've described a way to setup an OpenID provider using SimpleID. Its only major drawback was the lack of support for any strong authentication ... since today. I've patched and released a version with Yubikey One-Time Password support.

This version is based on the latest released version available on the official SimpleID website: 0.7.1 and also include patches to work correctly with PHP 5.3.1.
I will contact the author to see if he's interested in this feature and if he wants these patches to be included in the official SimpleID tree, but if for any reason they would not be accepted, i'll keep my git repository up-to-date with any future release.

More interesting than a long blahblah here is the git repository : http://github.com/adedommelin/simpleid-yubikey

Please take 2 minutes to read the small README as it explains how to associate your key to your OpenID Identity.

Thanks to the Geneva Application Security Forum, I'm now a proud owner of a Yubikey. This small USB token acts as an OTP (One-Time Password) generator. I'll present you a quick solution to use it within OpenSSH for Two-Factor (T-FA) authentication.

What is Two-Factor authentication ?

An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) or (2FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance. Two-factor authentication typically is a signing-on process where a person proves his or her identity with two of the three methods: "something you know" (e.g., password or PIN), "something you have" (e.g.,smartcard or token), or "something you are" (e.g., fingerprint or iris scan).

How does the Yubikey work ?

A Yubikey is a small USB HID device which is seen as a generic keyboard (no driver needed) with a small button. Each time the button is pressed it generates a one-time password secured using AES-128 encryption and ModHex encoding. For more details, you can have a look at this detailed article.

How to integrate a Yubikey in the SSH login process ?

There is various solutions available, one of them is to use the a PAM module, but it's still in development and users reports some crashes, so it doesn't sound a very good solution to me at this time.
The other solution (the one I'll present in this article) was to develop a script which will be invoked at each login, before giving a shell to the user, which will check the OTP.

Ok ... ok ! But how can I use it with my OpenSSH server ?

Here is the way my solution works : I've added a group called "yubikey" on the system. The SSH server will execute the authentication script for all the members of this group on each login (this is done using the sshd_config Match directive). The script will ask the user to generate an OTP using his Yubikey, check if this key is authorized for this user, parsing ~/.ssh/trusted_yubikeys then proceed to the validation of the password. If everything is fine the script gives the user his shell.
Here are all the steps in detail :

Create the group :

$ groupadd yubikey

Add your user inside the group :

$ adduser mon_user yubikey

Specify the trusted keys for this user :

$ cd /home/mon_user/.ssh
$ echo "yubikeyid" >> trusted_yubikeys

Create the script in /usr/local/bin/yubikey.sh :

#!/bin/bash # # (c) 2010 Alexandre De Dommelin # # This program is free software. It comes without any warranty, to # the extent permitted by applicable law. You can redistribute it # and/or modify it under the terms of the Do What The Fuck You Want # To Public License, Version 2, as published by Sam Hocevar. See # http://sam.zoy.org/wtfpl/COPYING for more details. # YUBICO_API_ID="XXXX" TRUSTED_KEYS_FILE="$HOME/.ssh/trusted_yubikeys" STD="\\033[0;39m" OK="\\033[1;32m[i]$STD" ERR="\\033[1;31m[e]$STD" ################################################## ## Disconnect clients trying to exit the script ## ################################################## trap disconnect INT disconnect() { sleep 1 kill -9 $PPID exit 1 } echo "" echo "** One-Time Password Validation Step **" echo "" echo -n "Please provide Yubi OTP then enter Ctrl-d: " OTP=`tr -c -d a-z < /dev/tty` KEY_ID=${OTP:0:12} #################################### ## Get user-trusted yubikeys list ## #################################### if [ ! -f $TRUSTED_KEYS_FILE ] then echo -e "$ERR Unable to find trusted keys list" disconnect else TRUSTED_KEYS=`cat $TRUSTED_KEYS_FILE` fi ####################################### ## Iterate through trusted keys list ## ####################################### for trusted in ${TRUSTED_KEYS[@]} do if [ $KEY_ID = $trusted ] then echo -e "$OK Found key in $TRUSTED_KEYS_FILE - validating OTP now ..." if wget "https://api.yubico.com/wsapi/verify?id=$YUBICO_API_ID&otp=$OTP" -O - 2> /dev/null | grep "status=OK" > /dev/null then echo -e "$OK OTP validated" exec `grep "^$(whoami)" /etc/passwd | cut -d ":" -f 7` else echo -e "$ERR Unable to validate generated OTP" > /dev/stderr sleep 1 disconnect fi fi done echo -e "$ERR Key not trusted" > /dev/stderr disconnect

Give it the right permissions :

$ chmod 755 /usr/local/bin/yubikey.sh

Configure /etc/ssh/sshd_config with this parameters :

Match group yubikey
        ForceCommand /usr/local/bin/yubikey.sh

Then restart SSH server :

$ /etc/init.d/ssh restart

Important notes

• Keep an active SSH session during your tests :-)
• You have to put your API ID in YUBICO_API_ID inside the script. API ID can be obtained at api.yubico.com
• Make sure that ~/.ssh/trusted_keys is readable by the matching user
• Of course, you can use your own validation server, just adapt the script accordingly
• I'm not responsible of what you do, this script works for me, but it comes with no warranty, if your dog die tomorrow or anything else like that don't blame me
• Updated versions will be commited to my Github repository