Denna guide kommer beskriva hur man i ubuntu konfiguerar s\u00e5 man f\u00e5r tv\u00e5stegsverifiering (two facto authentication) via SSH. Exemplet nedan \u00e4r utf\u00f6rt p\u00e5 en Ubuntu 12.04 server installation tillsammans med en yubikey standard.<\/p>\n
<\/p>\nSteg 1: Installera n\u00f6dv\u00e4ndiga paket<\/h3>\n
<\/b>
\nF\u00f6r att detta ska fungera m\u00e5ste man installera n\u00e5gra paket f\u00f6r att kunna anv\u00e4nda yubikeyn se nedan.<\/p>\n
sudo apt-get install libpam-yubico libykclient3<\/p><\/blockquote>\n
Verifiera nu att paketen installerats korekt och kolla s\u00e5 du har filen enligt nedan exempel<\/p>\n
ls -la \/lib\/security\/pam_yubico.so
\n-rw-r–r– 1 root root 35416 Feb 15 2012 \/lib\/security\/pam_yubico.so<\/p><\/blockquote>\nHar du filen kan du g\u00e5 vidare till n\u00e4sta steg.
\n
\n<\/p>\nSteg 2: Koppla anv\u00e4ndare till yubikey inloggning<\/h3>\n
<\/b>
\nInnan vi konfigurerar SSH ska vi konfigurerar anv\u00e4ndare f\u00f6r yubikey. G\u00f6r enligt nedan exempel men anv\u00e4nd korekt anv\u00e4ndarnamn.<\/p>\nmkdir \/home\/username\/.yubico\/
\ntouch \/home\/username\/.yubico\/authorized_yubikeys
\nchmod 700 \/home\/username\/.yubico\n<\/p><\/blockquote>\nNu ska vi l\u00e4gga in anv\u00e4ndare i filen och koppla till din yubikey. G\u00e5 in i filen vi skapade ovan med en texteditor se nedan<\/p>\n
nano \/home\/username\/.yubico\/authorized_yubikeys<\/p><\/blockquote>\n
Syntaxen i filen \u00e4r enligt nedan exempel
\nusername:yubikey id
\nVill man ha flera yubikeys kopplade p\u00e5 samma anv\u00e4ndare g\u00f6r man enligt nedan
\nusername:yubikey id:yubikey id<\/p>\nExempel<\/p>\n
ubuntu:ccccccbdefgh
\nF\u00f6r flera yubikeys p\u00e5 samma anv\u00e4ndare
\nubuntu:ccccccbdefgh:ccccccbddfef<\/p><\/blockquote>\nYubikey ID f\u00e5r man av att ta en OTP fr\u00e5n sin yubikey och ta dom f\u00f6rsta 12 tecknen i OTPn det \u00e4r ID:t.
\nG\u00f6r ovan steg f\u00f6r dom anv\u00e4ndare som ska k\u00f6ra yubikey.<\/p>\n<\/p>\n
Steg 3: Konfigurera SSH pam.d f\u00f6r yubikey<\/h3>\n
<\/b>
\nNu m\u00e5ste vi konfigurera SSH att anv\u00e4nda yubikey PAM modul. G\u00e5 in i filen med valfri editor \/etc\/pam.d\/sshd
\nL\u00e4gg till en ny rad i b\u00f6rjan av filen som ska likna nedan exempelrad.<\/p>\nExempel (OBS! detta \u00e4r en rad inte tv\u00e5 s\u00e5 se till att det blir r\u00e4tt i filen)<\/p>\n
auth required pam_yubico.so id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= url=http:\/\/api.yubico.com\/wsapi\/2.0\/verify?id=%d&otp=%s<\/p><\/blockquote>\n
Notera att man m\u00e5ste byta ut key v\u00e4rdet allts\u00e5 det efter key= och id= till det som motsvarar det som h\u00f6r till din yubikey. F\u00f6r att skaffa ett yubikey id \/ key s\u00e5 g\u00e5r man in p\u00e5 nedan URL.
\nhttps:\/\/upgrade.yubico.com\/getapikey\/<\/a><\/p>\nNote:<\/b>
\nI exemplet ovan anv\u00e4nder jag required<\/b> och det betyder att man m\u00e5ste logga in med yubikey OTP + l\u00f6ssenord allts\u00e5 tv\u00e5stegsverifiering. Man kan anv\u00e4nda sufficient<\/b> ist\u00e4llet d\u00e5 kr\u00e4vs bara att man anger yubikey OTP och inget l\u00f6ssenord kr\u00e4vs allts\u00e5 env\u00e4gsverifiering.
\n
\n<\/p>\nSteg 4: Konfigurera SSHd<\/h3>\n
<\/b>
\nVi m\u00e5ste \u00e4ndra tre v\u00e4rden i \/etc\/ssh\/sshd_config<\/b> se nedan<\/p>\n\nPermitEmptyPasswords no
\nChallengeResponseAuthentication yes
\nUsePAM yes<\/p><\/blockquote>\nDet finns dock n\u00e5gra olika kombinationer f\u00f6r olika typer av inloggning se nedan.<\/p>\n
Nedan tv\u00e5 \u00e4r t\u00e4nkta att anv\u00e4ndas med sufficient<\/b> f\u00f6r pam_yubikey fr\u00e5n steg 3.
\n1: Env\u00e4gsverifiering med yubikey med l\u00f6ssenord avst\u00e4ngt<\/b><\/p>\nPasswordAuthentication no<\/p><\/blockquote>\n
2: Env\u00e4gsverifiering med yubikey ELLER l\u00f6ssenord<\/b><\/p>\n
PasswordAuthentication yes<\/p><\/blockquote>\n
Detta kr\u00e4ver att man anv\u00e4nder sig av required<\/b> i pam_yubikey f\u00f6r sshd fr\u00e5n steg 3.
\n3: Tv\u00e5stegsverifiering med yubikey OCH l\u00f6ssenord<\/b><\/p>\nPasswordAuthentication yes<\/p><\/blockquote>\n
<\/p>\n
Steg 5: Starta om SSHd<\/h3>\n
<\/b>
\nF\u00f6r att nu aktivera detta s\u00e5 m\u00e5ste vi starta om SSHd g\u00f6r det med nedan kommando.<\/p>\nsudo service ssh restart<\/p><\/blockquote>\n
<\/p>\n
Steg 6: Testa l\u00f6seningen<\/h3>\n
<\/b>
\nNu \u00e5terst\u00e5r bara att testa om det fungerar som det ska. Anslut med ssh mot din server och se om det du konfigurerat fungerar se exempel nedan.<\/p>\n\nusername1@host1:~$ ssh username2@host2
\nYubikey for `username2′:
\nPassword:
\nWelcome to Ubuntu 12.04.3 LTS (GNU\/Linux 3.2.0-57-generic x86_64)<\/p>\nLast login: Tue Dec 10 13:20:39 2013 from host1
\nusername2@host2:~$\n<\/p><\/blockquote>\nOvan ser man att man f\u00f6rst f\u00e5r skicka in en Yubikey OTP och sedan \u00e4ven ange l\u00f6ssenord f\u00f6r username2 anv\u00e4ndaren.<\/p>\n
<\/p>\n
Slutsats:<\/h3>\n
<\/b>
\nNu om allt fungerar som det ska \u00e4r nu tv\u00e5stegsverifiering aktiverat via SSH p\u00e5 din Ubuntu server. Undrar ni n\u00e5got eller har synpunkter s\u00e5 l\u00e4mna en komentar eller maila mig.<\/p>\n<\/p>\n
K\u00e4llor:<\/h3>\n
<\/b>
\nhttps:\/\/github.com\/Yubico\/yubico-pam\/wiki\/YubikeyAndSSHViaPAM<\/a>
\nhttp:\/\/forum.yubico.com\/viewtopic.php?t=822<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Denna guide kommer beskriva hur man i ubuntu konfiguerar s\u00e5 man f\u00e5r tv\u00e5stegsverifiering (two facto authentication) via SSH. Exemplet nedan \u00e4r utf\u00f6rt p\u00e5 en Ubuntu 12.04 server installation tillsammans med en yubikey standard. Steg 1: Installera n\u00f6dv\u00e4ndiga paket F\u00f6r att detta ska fungera m\u00e5ste man installera n\u00e5gra paket f\u00f6r att kunna anv\u00e4nda yubikeyn se nedan. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5,4,1],"tags":[76,81,80],"class_list":["post-1792","post","type-post","status-publish","format-standard","hentry","category-how-tos","category-it","category-random-stuff","tag-ssh","tag-ubuntu","tag-yubikey"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/posts\/1792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1792"}],"version-history":[{"count":24,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/posts\/1792\/revisions"}],"predecessor-version":[{"id":1872,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=\/wp\/v2\/posts\/1792\/revisions\/1872"}],"wp:attachment":[{"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogg.itslav.nu\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}