This time on the show: using one-time passwords in Linux for SSH authentication. We cover the theory and set up our server with a Yubikey. Plus, relaying without GatewayPorts, easily editing known_hosts, free SSHFS in Windows and a ton more, this time on Hak5!


First and foremost, mad props to Matt Levavi, who scoured forums and mailing lists to compile a simple how-to. Here's the gist of setting up sshd in Ubuntu to authenticate with a Yubikey.

mkdir ~/.yubico
sudo aptitude install autoconf libtool libusb-1.0-0-dev libcurl4-openssl-dev libpam-dev
# Download Yubico-pam, Yubico-c-client, Libyubikey and Yubikey-personalization
# In each source directory (Yubico-pam last), build and install; only the install step needs root:
autoreconf --install && ./configure && make && sudo make install
# Get an API client id and key from https://upgrade.yubico.com/getapikey/
sudo vi /etc/pam.d/sshd # Find the PAM configuration and add (fill in id and key from the step above):
auth required pam_yubico.so id=<client id> key=<api key> debug
sudo vi /etc/pam.d/common-auth
# add "debug try_first_pass" to the end of the pam_unix auth line
sudo vi /etc/ssh/sshd_config
# ensure PasswordAuthentication yes and ChallengeResponseAuthentication no
sudo mv /usr/local/lib/security/pam_yubico.so /lib/security
vi ~/.yubico/authorized_yubikeys # the user's own file, so no sudo needed
# syntax: <username>:<yubikey public id>, i.e. the first 12 characters of any OTP from that key
sudo touch /var/run/pam-debug.log
sudo chmod go+w /var/run/pam-debug.log # world-writable: only for debugging, so drop "debug" and the log once it works
sudo service ssh restart
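As an added example that is not part of the episode's write-up or of pam_yubico itself, here is a small bash helper for the last manual step: it pulls the public id out of an OTP you get by touching the key, maintains ~/.yubico/authorized_yubikeys in pam_yubico's user:id1:id2 format without duplicating entries, and checks the two sshd_config settings the walkthrough relies on. It assumes the default 12-character public id and a 44-character OTP; the OTP and file paths in the comments are constructed for illustration.

```bash
#!/usr/bin/env bash
# Helper for the authorized_yubikeys step (added example, not from the episode).
set -u

# Print the 12-character public id of a Yubico OTP. A default Yubikey emits a
# 44-character modhex string (alphabet cbdefghijklnrtuv); anything else is rejected.
yubikey_public_id() {
    local otp="$1"
    [ "${#otp}" -eq 44 ] || { echo "bad OTP length ${#otp}" >&2; return 1; }
    case "$otp" in
        *[!cbdefghijklnrtuv]*) echo "non-modhex character in OTP" >&2; return 1 ;;
    esac
    printf '%s\n' "${otp:0:12}"
}

# Add ID to USER's line in FILE (e.g. ~/.yubico/authorized_yubikeys), creating the
# file or line as needed. Idempotent: an id already on the line is left alone.
add_authorized_yubikey() {
    local file="$1" user="$2" id="$3" line
    touch "$file"
    if line=$(grep -m1 "^${user}:" "$file"); then
        case ":${line#*:}:" in
            *":${id}:"*) ;;   # already authorized for this user
            *) sed -i "s|^${user}:.*|${line}:${id}|" "$file" ;;
        esac
    else
        printf '%s:%s\n' "$user" "$id" >> "$file"
    fi
    chmod 600 "$file"   # pam_yubico reads it as root; nobody else needs access
}

# Succeed only if CFG has PasswordAuthentication yes and
# ChallengeResponseAuthentication no, as the walkthrough requires.
check_sshd_config() {
    local cfg="$1"
    grep -qiE '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$cfg" &&
    grep -qiE '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+no' "$cfg"
}

# Typical use (constructed OTP; touch your key to get a real one):
#   id=$(yubikey_public_id ccccccbchvthlivuitriujjifivbvtrjkjfirllluurj)
#   add_authorized_yubikey ~/.yubico/authorized_yubikeys "$USER" "$id"
#   check_sshd_config /etc/ssh/sshd_config && echo "sshd_config looks right"
```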


14 Comments

  • Daevien 2 years ago

    I think you may have broken Matt’s website, getting 403 error ;)

  • Great Episode!!!…
    FYI: the voting on this page (or on any page) does not work, it just says “please wait…” when you click on it. This has been broken for a long, long time on your website…
    please see if you can fix it.

  • Ashara 2 years ago

    Hi Darren & Shannon

    2 Words = That rocked!!!

    Hadoken!!!

  • james 2 years ago

    Any info on that pwdvi / pwvi program for editing the password file?

  • him1123 2 years ago

    Would like to see how to use google auth for ssh and regular login

  • James, vipw or vigr are two programs that help to manually modify the /etc/passwd and /etc/group files so that you don’t make a mistake and break your system. It performs a sanity check when exiting to make sure the file is formatted correctly.

  • What is the deal with the recent episodes of Hak5? They have become Darren pretty much conducting the episodes like a boring college lecture. It’s just him writing on the table with markers and Shannon saying “Ooooh Oookkk”. You would think the host of a Tech show would be teaching the audience… not one host boring the audience while teaching the other host! Used to be a big fan…..

  • And get off the SSH

  • And get off the SSH already…

  • And stop dropping the played-out references to shannon’s SSh Into Your Heart Song….

  • You forgot to mention that in order for this to work, the box you are connecting to must have an internet connection to check the key. Careful guys, this won’t work on an isolated box.

  • Okay, so I was watching this episode and started thinking of a way to make secure password.

    Why not use time in the maths?

    like this:

    Password: 0001
    maths= x5 -4 x%time%= %password%

    time could be anything that is the current time, the date or both.

    i.e. 11:59:22 – Hours:Minutes:Seconds or 05:04:2012 month:day:year or both 11:59:22:05:02:2012

    I really hate to think what that number might be, but you’d leave out the ‘:’ and just go with numbers, since the first lot would only need to be in two’s and the last would be four.

    Wait this is a stupid idea, right?