This time on the show, using one-time passwords in Linux for SSH authentication. We cover the theory and set up our server with a Yubikey. Plus, relaying without GatewayPorts, easily editing known_hosts, free SSHFS in Windows and a ton more, this time on Hak5!


First and foremost, mad props to Matt Levavi, who scoured forums and mailing lists to compile a simple how-to. Here's the gist of setting up SSHD in Ubuntu to authenticate with a Yubikey.

mkdir ~/.yubico
sudo aptitude install autoconf libtool libusb-1.0-0-dev libcurl4-openssl-dev libpam-dev
# Download Yubico-pam, Yubico-c-client, Libyubikey and Yubikey-personalization
# Build and install in each directory, with Yubico-pam last; only the install step needs root
autoreconf --install && ./configure && make && sudo make install
# Get an API key and passwd from https://upgrade.yubico.com/getapikey/
sudo vi /etc/pam.d/sshd # Find PAM configuration and add (fill id= with your client ID and key= with your API key):
auth required pam_yubico.so id= key= debug
sudo vi /etc/pam.d/common-auth
# add "debug try_first_pass" to end of auth string
sudo vi /etc/ssh/sshd_config
# ensure PasswordAuthentication yes and ChallengeResponseAuthentication no
sudo mv /usr/local/lib/security/pam_yubico.so /lib/security
sudo vi ~/.yubico/authorized_yubikeys # the directory created in the first step
# syntax: user:
sudo touch /var/run/pam-debug.log
sudo chmod go+w /var/run/pam-debug.log # root owns the file, so chmod needs sudo too
sudo service ssh restart
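Before that final restart it is worth checking that the three files the procedure edits actually say what the notes require: a wrong sshd_config or an id=/key= left blank from the template either locks you out or quietly leaves plain password login in place. The POSIX shell script below is an added example written for this page, not Matt's or Yubico's code. It builds constructed good and bad sample copies of sshd_config, /etc/pam.d/sshd and authorized_yubikeys in a scratch directory and runs the checks over them, so it works offline; it assumes UsePAM yes is needed (Ubuntu's default, and what makes sshd consult PAM at all) and that a public ID is the 12-character modhex prefix of an OTP. The client id 12345 and the key value are placeholders.

```shell
#!/bin/sh
# Added example (not Hak5's or Yubico's code): pre-flight checks for the
# three files the procedure above edits, to run before "service ssh restart".
# The sample files below are constructed here; the id/key values are placeholders.

# First effective value of sshd_config keyword $2 in file $1 (sshd honours the
# first uncommented occurrence; keywords are case-insensitive).
sshd_option() {
    awk -v k="$2" 'tolower($1)==tolower(k) { print tolower($2); exit }' "$1"
}

# The notes require PasswordAuthentication yes and ChallengeResponseAuthentication no;
# UsePAM yes (Ubuntu's default) is what makes sshd consult PAM at all.
check_sshd_config() {
    [ "$(sshd_option "$1" PasswordAuthentication)" = yes ] &&
    [ "$(sshd_option "$1" ChallengeResponseAuthentication)" = no ] &&
    [ "$(sshd_option "$1" UsePAM)" = yes ]
}

# /etc/pam.d/sshd must carry an auth line for pam_yubico.so whose id= (numeric
# client id) and key= (base64 API key) are filled in, not left blank as in the template.
check_pam_yubico() {
    line=$(grep -E '^[[:space:]]*auth[[:space:]]+[a-z]+[[:space:]]+pam_yubico\.so' "$1" | head -n 1)
    [ -n "$line" ] || return 1
    printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])id=[0-9]+([[:space:]]|$)' || return 1
    printf '%s\n' "$line" | grep -Eq '(^|[[:space:]])key=[A-Za-z0-9+/=]+([[:space:]]|$)'
}

# authorized_yubikeys: one "user:publicid[:publicid...]" per line, where a public id
# is the 12 modhex characters (alphabet cbdefghijklnrtuv) that start every OTP.
check_authorized_yubikeys() {
    entries=$(grep -Ev '^[[:space:]]*$' "$1") || return 1     # empty file: nobody can log in
    printf '%s\n' "$entries" | grep -Evq '^[A-Za-z_][A-Za-z0-9_.-]*(:[cbdefghijklnrtuv]{12})+$' && return 1
    return 0
}

# Run all three and report what is wrong; returns non-zero if any check fails.
preflight() {
    ok=0
    check_sshd_config "$1" || { echo "$1: need PasswordAuthentication yes, ChallengeResponseAuthentication no, UsePAM yes"; ok=1; }
    check_pam_yubico "$2" || { echo "$2: no pam_yubico.so auth line with id= and key= filled in"; ok=1; }
    check_authorized_yubikeys "$3" || { echo "$3: expected user:<12 modhex chars> on every line"; ok=1; }
    return $ok
}

# Constructed sample files (a good and a bad copy of each) in a scratch directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'UsePAM yes\nPasswordAuthentication yes\nChallengeResponseAuthentication no\n' > "$tmp/sshd_config.good"
printf 'UsePAM yes\n#PasswordAuthentication yes\nPasswordAuthentication no\nChallengeResponseAuthentication yes\n' > "$tmp/sshd_config.bad"
printf 'auth required pam_yubico.so id=12345 key=UGxhY2Vob2xkZXJLZXk= debug\n' > "$tmp/pam_sshd.good"   # placeholder id/key
printf 'auth required pam_yubico.so id= key= debug\n' > "$tmp/pam_sshd.bad"                              # template left unfilled
printf 'alice:cccccccccccc\nbob:ccccccbcdefg:ccccccbcdefh\n' > "$tmp/authorized_yubikeys.good"
printf 'alice:cccccccccccc\neve:notmodhexid0\n' > "$tmp/authorized_yubikeys.bad"

preflight "$tmp/sshd_config.good" "$tmp/pam_sshd.good" "$tmp/authorized_yubikeys.good" && echo "preflight OK: safe to restart ssh"
preflight "$tmp/sshd_config.bad" "$tmp/pam_sshd.bad" "$tmp/authorized_yubikeys.bad" || echo "preflight FAILED: do not restart ssh yet"
```

On a real box, point preflight at /etc/ssh/sshd_config, /etc/pam.d/sshd and ~/.yubico/authorized_yubikeys instead of the samples, and keep a second SSH session open while you restart so a failed check that slipped through does not lock you out.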


14 Comments

  • Daevien 1 year ago

    I think you may have broken Matt’s website, getting 403 error ;)

    • guest 1 year ago

      Says video is not available. The mp4 link says 404.

  • Zuse 1 year ago

    Great Episode!!!…
    FYI: the voting on this page (or on any page) does not work, it just says “please wait…” when you click on it. This has been broken for a long, long time on your website…
    please see if you can fix it.

  • Ashara 1 year ago

    Hi Darren & Shannon

    2 Words = That rocked!!!

    Hadoken!!!

  • james 1 year ago

    Any info on that pwdvi / pwvi program for editing the password file?

  • him1123 1 year ago

    Would like to see how to use google auth for ssh and regular login

  • Eric 1 year ago

    James, vipw or vigr are two programs that help to manually modify the /etc/passwd and /etc/group files so that you don’t make a mistake and break your system. It performs a sanity check when exiting to make sure the file is formatted correctly.

  • BDIZ 1 year ago

    What is the deal with the recent episodes of Hak5? They have become Darren pretty much conducting the episodes like a boring college lecture. It’s just him writing on the table with markers and Shannon saying “Ooooh Oookkk”. You would think the host of a Tech show would be teaching the audience… not one host boring the audience while teaching the other host! Used to be a big fan…..

  • BDIZ 1 year ago

    And get off the SSH

  • BDIZ 1 year ago

    And get off the SSH already…

  • BDIZ 1 year ago

    And stop dropping the played-out references to shannon’s SSh Into Your Heart Song….

  • Fuxy 1 year ago

    You forgot to mention that in order for this to work the box you are connecting to must have an internet connection to check the key. Careful guys, this won’t work on an isolated box.

  • Okay, so I was watching this episode and started thinking of a way to make secure password.

    Why not use time in the maths?

    like this:

    Password: 0001
    maths= x5 -4 x%time%= %password%

    time could be anything that is the current time, the date or both.

    i.e. 11:59:22 – Hours:Minutes:Seconds or 05:04:2012 month:day:year or both 11:59:22:05:02:2012

    I really hate to think what that number might be, but you’d leave out the ‘:’ and just go with numbers, since the first lot would only need to be in two’s and the last would be four.

    Wait this is a stupid idea, right?