Difference between revisions of "Authentification"

From Blue-IT.org Wiki

(Created page with "== Yubikey == == SSH == Generally: only use key based authentification with webserver logins! vim /etc/ssh/sshd_config # Authentication: [...] PermitRootLogin without-p...")
 
 
(11 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
== Yubikey ==
 
== Yubikey ==
 +
 +
* https://www.yubico.com
 +
 +
Please read and make yourself familiar with OTP and the concept or '''Two Factor Authentification'''.
 +
 +
=== Troubleshooting ===
 +
 +
I got the error (on ubuntu 14.04):
 +
#> yubico-piv-tool -a status
 +
Failed to connect to reader.
 +
 +
This is a problem with USB: so put the Yubikey in another mode and reinsert it, install (see [[#Personalisation_Tool_and_basic_installation_on_Ubuntu]]) and start the yubico personalize tool (gui or cli) and do:
 +
 +
ykpersonalize -m82
 +
 +
Reinsert the key and you can go ...
 +
 +
=== Personalisation Tool and basic installation on Ubuntu ===
 +
 +
You can use a ppa to install the required software in '''Ubuntu''':
 +
 +
* https://launchpad.net/~yubico/+archive/ubuntu/stable
 +
* https://www.yubico.com/products/services-software/personalization-tools/use/
 +
 
 +
sudo apt-get install yubikey-personalization yubikey-personalization-gui yubikey-neo-manager yubioath-desktop ykneomgr yubico-piv-tool
 +
 +
[[Image:Yubi_unity.png]]
 +
 +
=== Owncloud ===
 +
 +
Two-factor authentication for ownCloud using one-time passwords (OTP) from Yubikey:
 +
 +
* http://www.sj-vs.net/two-factor-authentication-for-owncloud-using-one-time-passwords-otp-from-yubikey/
 +
 +
One Time Password Backend:
 +
 +
* https://apps.owncloud.com/content/show.php/One+Time+Password+Backend?content=159196
 +
 +
=== SSH  ===
 +
 +
SSH Authentication with YubiKey | Linux Action Show 373 from [https://www.youtube.com/watch?v=F3D1gqXPW98 Jupiter Broadcasting]
 +
* https://www.youtube.com/watch?v=F3D1gqXPW98
 +
* http://www.jupiterbroadcasting.com/85062/ssh-authentication-with-yubikey-las-373/
  
 
== SSH ==
 
== SSH ==
Generally: only use key based authentification with webserver logins!
+
Generally: only use key based authentification with your ssh-webserver login!
  
 
  vim /etc/ssh/sshd_config
 
  vim /etc/ssh/sshd_config
  
# Authentication:
 
 
  [...]
 
  [...]
 
  PermitRootLogin without-password
 
  PermitRootLogin without-password
Line 17: Line 59:
 
  RhostsRSAAuthentication no
 
  RhostsRSAAuthentication no
 
  HostbasedAuthentication no
 
  HostbasedAuthentication no
 
+
 
  PermitEmptyPasswords no
 
  PermitEmptyPasswords no
 
  ChallengeResponseAuthentication no
 
  ChallengeResponseAuthentication no
Line 24: Line 66:
 
  X11Forwarding no
 
  X11Forwarding no
 
  UseLogin no
 
  UseLogin no
 +
 +
'''UsePAM no'''  <<<< !!!!
  
'''UsePAM no'''  <<<< !!!!
+
[[Category:Security]]

Latest revision as of 21:24, 2 December 2015

Yubikey

Please read and make yourself familiar with OTP and the concept or Two Factor Authentification.

Troubleshooting

I got the error (on ubuntu 14.04):

#> yubico-piv-tool -a status
Failed to connect to reader. 

This is a problem with USB: so put the Yubikey in another mode and reinsert it, install (see #Personalisation_Tool_and_basic_installation_on_Ubuntu) and start the yubico personalize tool (gui or cli) and do:

ykpersonalize -m82 

Reinsert the key and you can go ...

Personalisation Tool and basic installation on Ubuntu

You can use a ppa to install the required software in Ubuntu:

sudo apt-get install yubikey-personalization yubikey-personalization-gui yubikey-neo-manager yubioath-desktop ykneomgr yubico-piv-tool

Yubi unity.png

Owncloud

Two-factor authentication for ownCloud using one-time passwords (OTP) from Yubikey:

One Time Password Backend:

SSH

SSH Authentication with YubiKey | Linux Action Show 373 from Jupiter Broadcasting

SSH

Generally: only use key based authentification with your ssh-webserver login!

vim /etc/ssh/sshd_config
[...]
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes

IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no

PermitEmptyPasswords no
ChallengeResponseAuthentication no
PasswordAuthentication no # <<<< !!!!

X11Forwarding no
UseLogin no

UsePAM no  <<<< !!!!