Posts Tagged ‘authentication’

Using the YubiKey

March 7, 2010

One of the keys I carry around on my keyring is a YubiKey. This post really isn’t about the YubiKey itself, but more about me sharing a few insights I’ve gained on using the key.

  • If you already run a WordPress blog, you can easily turn it into an OpenID provider to be used with your YubiKey. What you need is the OpenID plugin and the YubiKey plugin.
  • If you decide to personalize your YubiKey, I can very much recommend the DuckCorp YubikeyHelp, in addition to the official documentation.
  • The new 2.x version of yubikey-val-server-php seems to prefer being part of a group of validation servers, being kept in sync with each other. Failing to figure out how to configure my standalone installation to disregard that synchronization, I modified ykval-verify.php (see patch) not to perform those checks.
  • The YubiKey WordPress plugin mentioned earlier is hardcoded to use the official Yubico validation server. Apart from the validation URL, set in the function yubikey_verify_otp(), there is also the length of the key id. Just look for the numeric value 12 and you will find where the key id is being used.

No, this post is not meant to make sense on its own. You probably need to be at least somewhat familiar with the YubiKey as well as the services provided by Yubico.

Debian – Ubuntu, S/Key and OPIE

May 31, 2008 2 comments

Been looking for a simple way to enable S/Key support in Linux. Once I found out the magic keywords were OPIE and PAM, it became almost trivial to allow ssh logins using One Time Passwords (OTP).

The following instructions are written specifically for Debian and Ubuntu. In general, the concept should work on any Linux system using OpenSSH and PAM.

First of all you should install the package opie-server. It will give you the necessary PAM-module and some accompanying tools.

Now edit /etc/pam.d/ssh, remove (or comment out) the inclusion of common-auth, and add these lines.

auth       sufficient pam_unix.so
auth       sufficient pam_opie.so
auth       required   pam_deny.so

If you only want to allow OTP logins, this line will do.

auth       required   pam_opie.so

Next it’s time to edit /etc/ssh/sshd_config.

ChallengeResponseAuthentication yes

That’s it. Restart your sshd and it will be ready to accept OTP logins. To initialize a user, run opiepasswd (the equivalent of keyinit). Responses are generated using opiekey.

Client-side it’s usually enough to install the package opie-client.
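
What opiepasswd, the login challenge and opiekey are doing underneath, as an added example that is not part of the original post: a simplified model of the RFC 2289 style hash chain behind S/Key and OPIE, assuming the MD5 variant and raw bytes instead of the six-word encoding. The class and function names, the passphrase and the seed are constructed for illustration.

```python
import hashlib
import hmac

def fold_md5(data: bytes) -> bytes:
    """MD5 the input and fold the 128-bit digest to 64 bits by XOR-ing its halves."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))

def otp(passphrase: str, seed: str, count: int) -> bytes:
    """Client side (the job opiekey does): hash seed+passphrase, then re-hash count times."""
    value = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = fold_md5(value)
    return value

class OtpServer:
    """Server side: stores only the last accepted OTP, never the passphrase."""

    def __init__(self, seed: str, count: int, stored: bytes):
        self.seed, self.count, self.stored = seed, count, stored

    def challenge(self) -> str:
        # The user must answer with the OTP for sequence number count-1.
        return f"otp-md5 {self.count - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain exhausted; the user must be re-initialized
        if not hmac.compare_digest(fold_md5(response), self.stored):
            return False
        # Accept once: step down the chain so the same response cannot be replayed.
        self.stored, self.count = response, self.count - 1
        return True

def demo() -> list:
    passphrase, seed = "constructed sample passphrase", "ke1234"  # constructed values
    server = OtpServer(seed, 499, otp(passphrase, seed, 499))  # what initialization stores
    first = otp(passphrase, seed, 498)
    results = [server.verify(first)]                              # valid response
    results.append(server.verify(first))                          # replay of the same OTP
    results.append(server.verify(otp(passphrase, seed, 497)))     # next OTP in the chain
    results.append(server.verify(otp("wrong guess", seed, 496)))  # wrong passphrase
    return results

if __name__ == "__main__":
    print(demo())
```

A captured response is useless for a later login because the server has already moved one step down the chain, and the stored value cannot be turned back into the next response without inverting the hash.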

Categories: Howto, Ubuntu

I want more OpenID

April 8, 2008 3 comments

I really like the concept of OpenID. From a technical point of view it’s a beautiful solution, as it takes a creative approach to authentication while still relying on existing (and proven) technologies. Then there is the part about it having the potential to make my life, and others’, easier. It would be awfully nice not having to use a separate login for every forum, wiki, etc. I happen to visit now and then.

While there is lots of official support for the standard and plenty of OpenID providers available, the web sites where you can actually use your OpenID are still few. If you operate a web site which requires visitors to log in, please take a close look at OpenID. I would most definitely like to be able to use my OpenID more.

Myself, I work on a project which, among other things, hopefully will enable OpenID login at the Swedish Ubuntu LoCo. In case you happen to be familiar with the language, you can read more about it in the thread OpenID, SSO, etc för ubuntu-se.org.

Yes, I would really appreciate it if you took a closer look at OpenID.

Categories: Other