ADMIN
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Nuts and Bolts<br />
PAM and Hardware<br />
the stolen number will not match the<br />
number on the system.<br />
Gentoo and Debian Linux offer prebuilt<br />
packages of this PAM library. In<br />
both cases, you can use the package<br />
manager to install, as described for<br />
pam_thinkfinger. Users on any other<br />
Linux distribution can download the<br />
current source code archive [3] and<br />
run make; make install to compile<br />
the required files and install them on<br />
the local system. Then you need to<br />
connect any USB device – it can be<br />
a cellphone with an SD card if you<br />
like – and store its properties in the<br />
/etc/pamusb.conf file. The command<br />
for this is<br />
pamusb‐conf ‐‐add‐device USB‐device‐name<br />
(Figure 6). The command<br />
pamusb‐conf ‐‐add‐user user<br />
lets you add more users to the configuration<br />
and generates a matching<br />
random number. The number for<br />
each user is stored both on the USB<br />
device and on the system. Also, the<br />
tool adds each user to the XML-based<br />
/etc/pamusb.conf configuration file.<br />
You can use the file to define actions<br />
for each user; these actions will<br />
run when the USB is plugged in or<br />
unplugged. For example, the entry<br />
in Listing 1 of the configuration file<br />
Listing 1: Configuration File for pam_usb<br />
01 <br />
02 <br />
03 /dev/sdb1<br />
04 <br />
05 gnome‐screensaver‐command<br />
‐‐lock<br />
06 gnome‐screensaver‐command<br />
‐‐deactivate<br />
07 <br />
Listing 2: USB Device-Based Authentication<br />
[tscherf@tiffy ~]$ id ‐u<br />
500<br />
[tscherf@tiffy ~]$ su ‐<br />
* pam_usb v0.4.2<br />
* Authentication request for user "root" (su‐l)<br />
* Device "/dev/sdb1" is connected (good).<br />
* Performing one time pad verification...<br />
* Verification match, updating one time pads...<br />
* Access granted.<br />
[root@tiffy ~]# id ‐u<br />
0<br />
automatically blocks the screen if the<br />
USB device is unplugged: Then You<br />
need to add the pam_usb PAM library<br />
to the corresponding PAM configuration<br />
file, /etc/pam.d/system‐auth or<br />
/etc/pam.d/common‐auth. If you use<br />
the sufficient control flag, users can<br />
log in to the system by plugging in<br />
the USB device, assuming the random<br />
number for the user matches on both<br />
devices (Listing 2).<br />
To enhance security, you can replace<br />
the sufficient control flag with required.<br />
This setting first looks for the<br />
USB device, but even if the device is<br />
identified correctly, PAM still prompts<br />
the user for a password in the next<br />
stage of the login process. Both of<br />
these tests have to complete successfully<br />
for the user to log in.<br />
All of the hardware-based login<br />
methods I have looked at thus far<br />
are easily set up, but they all have<br />
vulnerabilities, and it is easy to fake<br />
fingerprints. Also, USB sticks can be<br />
stolen, thereby putting an end to any<br />
security they offered. If you take your<br />
security seriously, you will probably<br />
want to use two-factor authentication.<br />
This method inevitably involves using<br />
chip cards with readers or USB tokens<br />
with one-time passwords and PINs.<br />
Yubikey<br />
A small company from Sweden,<br />
Yubico [4], recently started selling<br />
Yubikeys (Figure 7), which are small<br />
USB tokens that emulate a regular<br />
USB keyboard. The key has a button<br />
on top which, when pressed, tells the<br />
token to send a one-time password<br />
(OTP) to the active application, such<br />
as a login prompt on an SSH server<br />
or the login window of a web service.<br />
The OTP is verified in real time by a<br />
Yubico authentication server. Because<br />
the software was released under an<br />
open source license, you could theoretically<br />
set up your own authentication<br />
server on your LAN. This would<br />
remove the need for an Internet connection.<br />
The way the token works is quite<br />
simple. In contrast to popular RSA tokens,<br />
Yubikey doesn’t need a battery<br />
because the OTP is not generated on<br />
the fly; instead, one-time passwords<br />
are defined in advance. The passwords<br />
are stored on the token and<br />
in a database on the authentication<br />
server.<br />
When you press the Yubikey button,<br />
the key sends one of these OTPs to<br />
the active application, which then<br />
uses an API to access the server and<br />
verify the password. If this fails (Unknown<br />
Key) or if the password has<br />
already been used (Replayed Key), an<br />
error message is output and the login<br />
fails. If the server identifies the key<br />
as valid, it sets usage‐count to 1 and<br />
the user is authenticated. The user<br />
cannot login with this key anymore<br />
times.<br />
Because of the simple API, more<br />
and more applications are relying<br />
on authentication against the Yubico<br />
server. One example is the plugin for<br />
the popular WordPress blog, which<br />
allows users with a Yubikey to log in<br />
to the blog. A project from Google’s<br />
Summer of Code produced a PAM<br />
module that supports logging in to an<br />
SSH server [5].<br />
Instead of typing your user password<br />
at the login prompt, you simply press<br />
the button on the Yubikey to send a<br />
44-character, modhex-encoded password<br />
string to the SSH server. The<br />
server then verifies the string by querying<br />
the Yubico server. The first 12<br />
characters uniquely identify the user<br />
on the Yubikey server; the remaining<br />
32 characters represent the one-time<br />
password.<br />
You can define a central file on the<br />
SSH server to specify users permitted<br />
to log in by producing a Yubikey. To<br />
do so, first create a /etc/yubikey‐users.txt<br />
file with a username, a colon<br />
separator, and the matching Yubikey<br />
ID (i.e., the first 12 characters of the<br />
user’s OTP) for each user. Alternatively,<br />
users can create a file (~/.<br />
yubico/authorized_yubikeys) with<br />
the same information in their home<br />
directory.<br />
You need to configure PAM to verify<br />
the OTP against the Yubico server. To<br />
do so, add a line for the Yubikey to<br />
your /etc/pam.d/sshd file (Listing 3).<br />
The configuration shown in Listing<br />
3 runs this authentication in addition<br />
82 Admin 01 www.admin-magazine.com