How to use a yubikey on OpenBSD

What is a yubikey

A yubikey is a cryptographic token. It works by emitting a one time password (OTP). For more information, you can look on their site.

My goal is to connect with ssh to my server without trusting the computer I'm on. So it's not possible to have a keypair, nor to be sure there isn't any keylogger. This can be accomplished with an OTP, as it's valid only once. If one tries to use an OTP that was already used, the authentication system won't accept it, making keyloggers useless.

Setting it up on OpenBSD

Sometimes, before I get into system administration, I think "oww, I will have a hard time making it work on OpenBSD" and most of the time I'm wrong and it's really simple (that's one of the reasons I love this OS).

For each step, I write what I remember (I may forget things), but read the man pages of the different software/config files which are needed in this how to; you'll certainly learn things which are useful.

Installation

In fact, everything is already present in the system.

Be careful

The software present on OpenBSD only allows verifying that the OTP comes from the right yubikey and that it's valid (i.e. that it wasn't already used), but it won't communicate with any server. If you apply the same setup on another server, since they don't communicate with each other (this might be possible, but as I didn't need it, I didn't look for it), you can use an OTP that was already used on the other server: it won't be able to know it.

Tell the system which key you use

You need to give the system the information about your key: in the Yubikey Personalization Tool, look for the Private identity and Secret key fields, and put them in /var/db/yubikey/user.uid and /var/db/yubikey/user.key (with the name of your user, of course). Next, verify that the files are owned by root:auth.

Choosing the login method you want

Everything related to the configuration of the login is in /etc/login.conf. I've modified/added the following lines.

auth-defaults:auth=passwd,yubikey:
auth-ssh-defaults:auth-ssh=yubikey:
auth-su-defaults:auth-su=yubikey,passwd:
auth-sudo-defaults:auth-sudo=passwd,yubikey:

The first line lists the different ways to be authenticated by default: by password, but the yubikey can be used too. For SSH it's only via the yubikey. For su and sudo, it's either the password or the yubikey (the default here is the yubikey for su and the password for sudo; you select the other method with -a passwd or -a yubikey).

Then you just need to add these to the auth classes. For instance, in the default class I added the following:

:tc=auth-defaults:\
:tc=auth-ftp-defaults:\
:tc=auth-su-defaults:\
:tc=auth-ssh-defaults:\
:tc=auth-sudo-defaults:

Conclusion

Now you should be able to log in your OpenBSD system with your yubikey.

In /var/log/authlog you should see:

Jun 28 12:38:41 manoir yubikey: user monuser: counter 300.0 > 299.0
Jun 28 12:38:41 manoir yubikey: user monuser: authorize
Jun 28 12:38:41 manoir sshd[1405]: Accepted password for monuser from ip.src.v.4 port 34567 ssh2

We can see the counter being incremented, so the OTP is valid only once. If you try to use an OTP that was already used, you will see:

Jun 29 20:28:21 manoir yubikey: user monuser: counter 306.0 <= 306.0 (REPLAY ATTACK!)
Jun 29 20:28:21 manoir yubikey: user monuser: reject
Jun 29 20:28:21 manoir sshd[640]: Failed password for monuser from 10.19.18.1 port 55526 ssh2

So you can connect from any computer without giving it your password \o/

By Vigdis
Tags: #OpenBSD, #yubikey, #ssh