21 Mar 2011

Securing SSH and WordPress with two factor authentication 

By - Security 4 Comments

A month ago I wrote a post about using Google Authenticator for SSH. After writing it, I started looking at other two factor authentication options in the space.

Yubikeys are USB based and require no device drivers: the key shows up as an ordinary USB keyboard and types a one-time password when you touch it. They work with Mac, Linux, or Windows and are priced starting at $25 each. Compared to the security gained, Yubikeys are inexpensive.

If you're going to be at the Indiana Linux Fest this coming weekend (March 25-27th 2011), stop by and visit us; we have extra Yubikeys to spare.

  • Configuring WordPress For Two Factor Authentication
  • Configuring SSH For Two Factor Authentication

    Configuring WordPress for Yubikey Two Factor Authentication

    Your PHP installation needs the hash and curl extensions enabled; the plugin uses curl to reach the Yubico validation service and hash for the HMAC signatures that your API key is for, so without them the plugin won't work.

    A Yubikey is required.

  • Create a Yubico ID & API Key.
  • Download, install and activate the Yubikey plugin for WordPress.
  • Enter Key ID on the Users -> Profile and Personal options page.
  • Enter Yubico ID & API key on the Settings -> Yubikey options page.
  • Your WordPress installation now enforces two factor authentication per user, for each account that has a Key ID on its profile.

    Further details: http://henrik.schack.dk/yubikey-plugin/
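    Why the plugin wants both extensions, shown as an added example that is not taken from the plugin: a client sends the OTP and a nonce to the validation service (the curl part), and the reply comes back as key=value lines whose h field is an HMAC-SHA1 over the other fields under the shared API key (the hash part). The Python below was written for this page and signs and verifies such a reply the way Yubico's validation protocol v2.0 specifies. The API key, OTP, nonce and timestamp are constructed, and DEMO_API_KEY_B64, sign_response, verify_response and demo_response are names chosen here, not the plugin's.

```python
import base64
import hashlib
import hmac

# Constructed for this example; a real key comes from Yubico's API key signup.
DEMO_API_KEY_B64 = base64.b64encode(b"constructed demo key, not a real one").decode()
DEMO_OTP = "ccccccbdefgh" + "ijklnrtuvcbdefghijklnrtuvcbdefgh"   # 12-char ID + 32-char body, constructed
DEMO_NONCE = "0123456789abcdef"                                   # constructed


def _signature(fields, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', skipping 'h' itself."""
    message = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    key = base64.b64decode(api_key_b64)
    digest = hmac.new(key, message.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_response(fields, api_key_b64):
    """What the validation server emits: key=value lines with the signature appended as h."""
    signed = dict(fields)
    signed["h"] = _signature(fields, api_key_b64)
    return "\n".join(f"{k}={v}" for k, v in signed.items()) + "\n"


def parse_response(body):
    """Split the reply into a dict; lines without '=' are ignored."""
    fields = {}
    for raw in body.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        k, v = line.split("=", 1)
        fields[k] = v
    return fields


def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """Return (accepted, reason); accepted is True only for a correctly signed
    status=OK that echoes the otp and nonce this client actually sent."""
    fields = parse_response(body)
    if "h" not in fields or "status" not in fields:
        return False, "MALFORMED"
    # The signature is the only thing proving the answer came from the service
    # rather than from whoever controls the network path; compare in constant time.
    if not hmac.compare_digest(_signature(fields, api_key_b64), fields["h"]):
        return False, "BAD_SIGNATURE"
    # Bind the answer to our request, or a genuinely signed OK for some other
    # (or older) OTP could be replayed to us.
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False, "MISMATCH"
    return fields["status"] == "OK", fields["status"]


def demo_response(status="OK"):
    """Build a signed sample reply for the constructed OTP and nonce."""
    return sign_response({"t": "2011-03-21T12:34:56Z0123", "otp": DEMO_OTP,
                          "nonce": DEMO_NONCE, "status": status}, DEMO_API_KEY_B64)


if __name__ == "__main__":
    print(verify_response(demo_response("OK"), DEMO_API_KEY_B64, DEMO_OTP, DEMO_NONCE))
```

    The otp and nonce checks matter as much as the signature: the service signs every reply it gives, so a signed OK is only meaningful if it is the reply to the question you just asked.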

    Configuring SSH for Two Factor Authentication

    You will need to install pam_yubico from the epel repo, or from source. I prefer the RPM based installation as shown below.

    Details on installing the epel yum repo can be found on the EPEL page:

    http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages

    Here is an example installation on a 32-bit CentOS 5 machine:

    $ wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
    $ sudo rpm -ihv epel-release-5-4.noarch.rpm

    You may need to enable the stable repo by editing the epel yum repo file:
    $ sudo vi /etc/yum.repos.d/epel.repo

    Install the pam_yubico rpm
    $ sudo yum install pam_yubico

    Create a ‘yubikey’ group:
    $ sudo groupadd yubikey

    Add a user to this new group that will require Yubikey two factor auth. Use -a so the user keeps their existing supplementary groups; a bare -G replaces them, which can silently drop the user out of wheel or another group you depend on:
    $ sudo usermod -a -G yubikey username

    Edit /etc/pam.d/system-auth and add the following two lines at the beginning of the auth section. The first line is optional: for users who are not in the yubikey group it skips the next line (success=1 jumps over one module), so you can roll Yubikey auth out per Unix group; without it every user must present a Yubikey. Two things to check before you save: id=16 is the client ID used in the pam_yubico examples and should be replaced with the one from your own Yubico API key signup, and system-auth is included by login, su and sudo as well as sshd, so the requirement applies to those too (put the lines in /etc/pam.d/sshd instead if you only want SSH covered). On CentOS, authconfig regenerates system-auth and will drop hand-made edits.


    auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
    auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings

    Edit /etc/yubikey_mappings and add the Yubikey IDs each user is allowed to authenticate with. The ID is the 12-character public identity that starts every OTP the key types, so it is easy to collect: touch the key in a text editor and take the first 12 characters. A user can have multiple Yubikeys; list them on the same line, colon-separated with no whitespace around the colons.


    username:[12 char yubikey id]:[another id]:[another id]:...
    username2:[12 char yubikey id]:[another id]:[another id]:...

    Important! Stay logged in to the server in one shell while you test from another. If the PAM change misbehaves you can still revert it instead of being locked out.

    Testing. By default pam_yubico expects the Unix password and the Yubikey OTP together on the single password prompt: type your password, then touch the Yubikey so it types its 44-character OTP after it. The module takes the trailing 44 characters as the OTP and passes whatever precedes them on as the password for the rest of the stack, which is why the prompt below looks like an ordinary password prompt:

    $ ssh username@host
    username@host’s password:
    Last login: Mon Mar 21 12:34:56 2011 from 10.12.14.65
    [username@host ~]$

    For further details, check https://github.com/Yubico/yubico-pam
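    The split and the mapping lookup described above, written out in Python as an added example (it is not pam_yubico's code, which is C): split_password_otp takes the typed string apart the way the module does, parse_authfile reads the user:id:id format of /etc/yubikey_mappings, and check_login decides whether the key's public ID is one listed for that user. The sample mapping and OTP are constructed; the modhex check on the trailing characters is an extra sanity test added here, and the OTP itself still has to be sent to the validation service, which this example does not do.

```python
OTP_LEN = 44            # Yubico OTP: 12-char public ID + 32 modhex chars of AES ciphertext
PUBLIC_ID_LEN = 12
MODHEX = "cbdefghijklnrtuv"   # the 16 characters a Yubikey types, standing for hex 0-f


def is_modhex(s):
    return bool(s) and all(c in MODHEX for c in s)


def split_password_otp(typed):
    """Split the single password-prompt input the way pam_yubico does: the last
    44 characters are the OTP, whatever precedes them is the Unix password that
    is handed on to the next module. Returns (password, otp), or None when no
    OTP is present (too short, or the tail is not modhex)."""
    if len(typed) < OTP_LEN:
        return None
    password, otp = typed[:-OTP_LEN], typed[-OTP_LEN:]
    if not is_modhex(otp):
        return None
    return password, otp


def parse_authfile(text):
    """Parse /etc/yubikey_mappings lines of the form user:id:id:... into
    {user: {public_id, ...}}. A malformed ID raises so that a typo cannot
    silently lock someone out or let the wrong key in."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]
        user, ids = parts[0], [p for p in parts[1:] if p]
        if not user or not ids:
            raise ValueError(f"line {lineno}: expected user:id[:id...]")
        for key_id in ids:
            if len(key_id) != PUBLIC_ID_LEN or not is_modhex(key_id):
                raise ValueError(f"line {lineno}: {key_id!r} is not a 12-char modhex public ID")
        mapping.setdefault(user, set()).update(ids)
    return mapping


def check_login(authfile_text, user, typed):
    """Return (status, password, otp). 'OTP_REQUIRED' means no OTP was typed,
    'KEY_NOT_MAPPED' means the key's public ID is not listed for this user,
    'VALIDATE_OTP' means the OTP should now go to the validation service and
    the password to the next PAM module."""
    parts = split_password_otp(typed)
    if parts is None:
        return "OTP_REQUIRED", None, None
    password, otp = parts
    allowed = parse_authfile(authfile_text).get(user, set())
    if otp[:PUBLIC_ID_LEN] not in allowed:
        return "KEY_NOT_MAPPED", None, None
    return "VALIDATE_OTP", password, otp


# Constructed sample mapping and OTP for the demonstration.
SAMPLE_AUTHFILE = """\
# user:public-id[:public-id...]
alice:ccccccbdefgh:ccccccbdefgi
bob:ccccccbdefgj
"""
SAMPLE_OTP = "ccccccbdefgh" + "ijklnrtuvcbdefghijklnrtuvcbdefgh"

if __name__ == "__main__":
    print(check_login(SAMPLE_AUTHFILE, "alice", "hunter2" + SAMPLE_OTP))
```

    The mapping is the step that ties a key to an account: the validation service only says whether an OTP is genuine, not whose it is, so without the per-user list any valid Yubikey would satisfy the second factor for any user.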

    4 Responses to “Securing SSH and WordPress with two factor authentication”

    1. hilton says:

      The passwords that Yubikey generates when in OTP mode can be stored and then used later, hence they are not strictly one time passwords.

      This means that if someone gets hold of your yubikey they can generate some codes and can then take those codes and use them later.

    2. nwilkens says:

      Hilton,

      I posed this question to Yubico, and received the response below. The main point being you can use timedelta information included in the OTP to secure against the attack you describe by expiring valid OTPs.

      1) The Yubico OTP and OATH HOTP have the same property, namely both are “event based one-time password systems”. There are other event-based one-time password systems too, e.g., S/Key (RFC 1760). The “one-time” in OTP refers to how many times the password is used, not that the OTP is only valid at a certain point in time.

      2) When the YubiKey is configured with a Yubico OTP credential, the YubiKey provides timing information, which can be used to improve on the otherwise event based nature. See http://timedelta.yubico.com/

      3) It is true that the YubiKey does not protect against all kinds of attacks. Please see the security evaluation at http://static.yubico.com/var/uploads/pdfs/Security_Evaluation_2009-09-09.pdf for a more in depth analysis of which attacks the YubiKey is designed to prevent, and which it is not.

    3. strahd says:

      Hilton
      Yubikey is basically encrypting an ever increasing counter within the key. When a server accepts the OTP, it stores the value decrypted from the OTP. It will then never accept an OTP with a lower or equal number. The generated OTP cannot be reused.

      However, you are correct in a way. If I get your yubikey and generate some OTPs and then use them before you next login, they will work. However, if you have done this and I do login, then none of the OTP strings you captured will work.

      It is intended as part of a two-factor authentication system.
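    Comments 2 and 3 describe two server-side checks on the fields inside the OTP: the counters, which must strictly increase, and the timestamp, which lets the server notice an OTP that was generated long before it was presented. The Python below is an added example illustrating those checks; it is not Yubico's validation code or the PAM module's. It assumes the 16-byte body has already been decrypted with the key's AES secret. The field layout (a session counter incremented at power-up, a per-session use counter, and a 24-bit timestamp ticking at about 8 Hz) is the Yubico OTP format; the skew tolerance, the class and function names and the sample values are constructed for the demonstration.

```python
from dataclasses import dataclass

TIMESTAMP_HZ = 8.0           # the key's timestamp ticks at roughly 8 Hz from power-up
TIMESTAMP_MODULO = 1 << 24   # 3-byte field, so it wraps


@dataclass(frozen=True)
class TokenFields:
    """Counters from the decrypted OTP body (values used below are constructed)."""
    public_id: str          # 12-char modhex identity, sent in clear ahead of the body
    session_counter: int    # incremented each time the key is powered up
    session_use: int        # incremented for each OTP within a power-up session
    timestamp: int          # 24-bit tick counter at TIMESTAMP_HZ


class ReplayState:
    """Per-key high-water mark a validation server keeps between OTPs."""

    def __init__(self, max_skew_seconds=20.0):
        self.max_skew = max_skew_seconds
        self.last = {}      # public_id -> (session_counter, session_use, timestamp, wallclock)

    def validate(self, tok, now):
        prev = self.last.get(tok.public_id)
        if prev is not None:
            p_counter, p_use, p_ts, p_now = prev
            # Comment 3: anything not strictly past the stored counters is a replay,
            # which also covers an OTP generated earlier but presented later.
            if (tok.session_counter, tok.session_use) <= (p_counter, p_use):
                return "REPLAYED_OTP"
            # Comment 2 (timedelta): within one power-up session the timestamps are
            # comparable, so the key-time between two OTPs can be checked against
            # wall-clock time. An OTP generated seconds after the previous one but
            # presented minutes later was harvested and stored by someone.
            if tok.session_counter == p_counter:
                key_elapsed = ((tok.timestamp - p_ts) % TIMESTAMP_MODULO) / TIMESTAMP_HZ
                wall_elapsed = now - p_now
                if abs(wall_elapsed - key_elapsed) > self.max_skew:
                    return "DELAYED_OTP"
        self.last[tok.public_id] = (tok.session_counter, tok.session_use, tok.timestamp, now)
        return "OK"


def run_demo():
    """Constructed sequence for one key: normal use, a replay, a harvested OTP, a new session."""
    key = "ccccccbdefgh"
    state = ReplayState(max_skew_seconds=20.0)
    first = TokenFields(key, 5, 1, 1000)
    second = TokenFields(key, 5, 2, 1016)      # 16 ticks = 2 s after the first
    harvested = TokenFields(key, 5, 3, 1032)   # 2 s after the second, but presented 400 s later
    new_session = TokenFields(key, 6, 1, 10)   # key re-plugged: counter up, use and timestamp restart
    return [
        state.validate(first, now=100.0),
        state.validate(second, now=102.0),
        state.validate(second, now=103.0),       # replay of an already accepted OTP
        state.validate(harvested, now=502.0),
        state.validate(new_session, now=600.0),
    ]


if __name__ == "__main__":
    print(run_demo())
```

    The counter check alone is what makes a stored OTP useless once the owner has logged in again; the timedelta check is what catches it before that, and only within the same power-up session, since the timestamp restarts when the key is re-plugged.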

    4. Matt says:

      There is a new website authentication method https://www.shieldpass.com with a WordPress plugin which is superior to the Yubikey security method. The access cards ($9 delivery included) are placed onto the screen to see the encoded dynamic login numbers. Its advantage over OTP methods like Yubikey is that it is also able to do transaction authentication by being able to encode specific authentication information into the OTP challenge, thereby preventing MITM or MITB attacks which would bypass OTP authentication. Personally I find it more convenient to carry and use; for example I can login to my admin with any mobile phone, which I can't do with my USB based Yubikey. There are other small issues like my workplace blocks USB ports due to theft / viruses, and also I've found some security software actively blocks anything pretending to be a USB keyboard due to the Teensy USB drama. I like Yubico but Shieldpass is cheaper and more secure.
