Skip to content

Instantly share code, notes, and snippets.

@mopemope

mopemope/file0.txt

Created Sep 18, 2015
Embed
What would you like to do?
YubiKey NEO で Linux でも 2段階認証しよう! ref: http://qiita.com/mopemope/items/779a5a4da734914b9cd0
$ packer -S yubikey-personalization yubikey-personalization-gui yubikey-neo-manager
$ yubikey-personalization-gui
$ ssh -YC ma2@xxxxxxx
Authenticated with partial success.
YubiKey for `ma2':
auth sufficient pam_yubico.so mode=challenge-response chalresp_path=/etc/yubico
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
...
Commit? (y/n) [n]: y
$
$ mkdir $HOME/.yubico
$ ykpamcfg -2 -v
...
Stored initial challenge and expected response in '/home/user/.yubico/challenge-123456'.
$
$ mkdir /etc/yubico
$ chmod +t /etc/yubico
$ chmod 777 /etc/yubico
$ mv /home/user/.yubico/challenge-####### /etc/yubico/username-#######
...
auth required pam_u2f.so authfile=/etc/u2f_mappings
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
$ pamu2fcfg -u <username>
$ sudo ls
Please touch the device.
$ udevadm monitor --environment –udev
$ neoman
# Yubikey Udev Rule: running a bash script in case your Yubikey is removed
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0116", ENV{ID_SERIAL_SHORT}=="00000000000", RUN+="/usr/local/bin/yubikey-lock"
#!/bin/bash
user=`ps aux | grep -v root | grep gdm-x-session | head -n 1 | awk '{print $1}'`
sessionid=`/bin/loginctl list-sessions | grep ${user} | awk '{print $1}'`
if [ -z "$(lsusb | grep Yubico)" ]; then
logger "YubiKey Removed"
/bin/loginctl lock-session $sessionid
fi
$ packer -S yubico-pam pam_u2f
auth sufficient pam_yubico.so id={Your ID} key={Your Key} authfile=/etc/yubikey_mappings
<first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
<second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….
$ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
`Modhex encoded: XXXXXXX`
auth required pam_yubico.so id=xxxxxx key=xxxxxxxxxxxxxxxxxxxxxx authfile=/etc/yubikey_mappings
auth include system-remote-login
account include system-remote-login
password include system-remote-login
session include system-remote-login
...
UsePAM yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.