Securing SSH and WordPress with two factor authentication
I wrote a post about using Google Authenticator for SSH a month ago. After writing this post, I started looking at other solutions in the space for two factor authentication.
Yubikeys are USB based, and require no device drivers. They work with Mac, Linux, or Windows and are priced starting at $25 each. Compared to the security gained — Yubikeys are inexpensive.
If you're going to be at the Indiana Linux Fest this coming weekend (March 25-27th 2011), stop by and visit us — we have extra Yubikeys to spare.
Configuring WordPress for Yubikey Two Factor Authentication
Your PHP installation should have the Hash and Curl libraries enabled, otherwise this plugin won’t work.
A Yubikey is required.
Your WordPress installation now has two factor authentication on a per user basis.
Further details: http://henrik.schack.dk/yubikey-plugin/
Configuring SSH for Two Factor Authentication
You will need to install pam_yubico from the EPEL repo or from source. I prefer the RPM-based installation shown below.
Details on installing the epel yum repo can be found on the EPEL page:
Here is an example installation on a 32-bit CentOS 5 machine:
$ wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
$ sudo rpm -ihv epel-release-5-4.noarch.rpm
You may need to enable the stable repo by editing the EPEL yum repo file:
$ sudo vi /etc/yum.repos.d/epel.repo
Install the pam_yubico RPM:
$ sudo yum install pam_yubico
Create a ‘yubikey’ group:
$ sudo groupadd yubikey
Add each user who should require Yubikey two-factor auth to the new group (-a appends the group instead of replacing the user's existing supplementary groups):
$ sudo usermod -aG yubikey [username]
Edit /etc/pam.d/system-auth and add the following two lines to the beginning of the file. The first line is optional: it skips the Yubikey check for users who are not in the yubikey group, so you can require Yubikeys on a per-user basis through Unix group membership.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
Edit /etc/yubikey_mappings and add the Yubikey IDs that each user is allowed to use for authentication. You can list multiple Yubikeys for an individual user, separated by colons:
username:[your yubikey 12 char id]:[another id]:[another id]:..
username2:[your yubikey 12 char id]:[another id]:[another id]:..
Important! Stay logged into the server in one shell while you test from another. That way you can revert the PAM change if necessary without locking yourself out.
Testing: note that by default the Yubikey PAM module expects your password and the Yubikey OTP (the string the key types when touched) together on a single line at the password prompt, and splits them apart itself.
$ ssh username@host
Last login: Mon Mar 21 12:34:56 2011 from 10.12.14.65
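To make the two PAM lines, the mapping file format and the password/OTP splitting concrete, here is an added model in Python (my own illustration, not code from pam_yubico). It assumes the standard Yubikey OTP layout (44 characters, the first 12 being the key's public ID) and a constructed sample mapping file; it does not validate the OTP itself, which the real module leaves to the validation server.

```python
"""Model of the pam_succeed_if/pam_yubico stack and /etc/yubikey_mappings."""
import re

OTP_LEN = 44          # a Yubikey OTP is 44 modhex characters
PUBLIC_ID_LEN = 12    # the first 12 characters are the key's public ID
MODHEX = re.compile(r"^[cbdefghijklnrtuv]+$")

# Constructed sample authfile contents (not a real mapping file).
SAMPLE_AUTHFILE = """\
# comment lines and blank lines are ignored by this model
alice:ccccccbcgujh:cccccccdfhgj
bob:ccccccbtufvi
"""

def parse_authfile(text):
    """Return {user: [public_id, ...]} from username:id:id... lines."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        ids = [i.strip() for i in ids if i.strip()]
        # sanity check added here: ids must be 12 modhex characters
        bad = [i for i in ids if len(i) != PUBLIC_ID_LEN or not MODHEX.match(i)]
        if bad:
            raise ValueError(f"{user}: invalid Yubikey id(s) {bad}")
        mappings[user] = ids
    return mappings

def split_password_otp(entered):
    """Split 'password+OTP' typed on one line into (password, otp)."""
    if len(entered) < OTP_LEN:
        return None, None
    return entered[:-OTP_LEN], entered[-OTP_LEN:]

def authorize(user, groups, entered, mappings):
    """Decide what the two PAM lines do for one login attempt."""
    if "yubikey" not in groups:
        # pam_succeed_if matched 'notingroup yubikey': pam_yubico is skipped
        return "skip-yubikey"
    password, otp = split_password_otp(entered)
    if otp is None:
        return "fail"                   # nothing long enough to be an OTP
    if otp[:PUBLIC_ID_LEN] not in mappings.get(user, []):
        return "fail"                   # key not mapped to this user
    return "yubikey-ok"                 # OTP still needs server validation
```

The unix password check that follows in system-auth is outside this model; it would receive the password part left after the OTP is split off.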
For further details, check https://github.com/Yubico/yubico-pam