Securing SSH and WordPress with two factor authentication

I wrote a post about using Google Authenticator for SSH a month ago. After writing this post, I started looking at other solutions in the space for two factor authentication.

Yubikey

Yubikeys are USB based and require no device drivers. They work with Mac, Linux, or Windows and are priced starting at $25 each. Compared to the security gained, Yubikeys are inexpensive.

If you're going to be at the Indiana Linux Fest this coming weekend (March 25-27th 2011), stop by and visit us — we have extra Yubikeys to spare.

  • Configuring WordPress For Two Factor Authentication
  • Configuring SSH For Two Factor Authentication

    Configuring WordPress for Yubikey Two Factor Authentication

    Your PHP installation should have the Hash and cURL extensions enabled, otherwise this plugin won’t work.

    A Yubikey is required.

  • Create a Yubico ID & API key.
  • Download, install and activate the Yubikey plugin for WordPress.
  • Enter the key ID on the Users -> Profile and Personal Options page.
  • Enter the Yubico ID & API key on the Settings -> Yubikey options page.
  • Your WordPress installation now has two factor authentication on a per user basis.

    Further details: http://henrik.schack.dk/yubikey-plugin/

    Configuring SSH for Two Factor Authentication

    You will need to install pam_yubico from the EPEL repo, or from source. I prefer the RPM based installation as shown below.

    Details on installing the epel yum repo can be found on the EPEL page:

    http://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages

    Here is an example installation on a CentOS 5 32-bit machine:

    $ wget http://download.fedoraproject.org/pub/epel/5/i386/epel-release-5-4.noarch.rpm
    $ sudo rpm -ihv epel-release-5-4.noarch.rpm

    You may need to enable the stable repo by editing the EPEL yum repo file:
    $ sudo vi /etc/yum.repos.d/epel.repo

    Install the pam_yubico rpm
    $ sudo yum install pam_yubico

    Create a ‘yubikey’ group:
    $ sudo groupadd yubikey

    Add a user to this new group that will require Yubikey two factor auth (replace USERNAME with the account; -a appends the group so the user keeps its existing supplementary groups):
    $ sudo usermod -aG yubikey USERNAME

    Edit /etc/pam.d/system-auth and add the following two lines to the beginning of the file. The first line is optional: it skips the Yubikey check for users who are not in the yubikey group, so you can require the second factor on a per user basis using Unix groups.

    auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
    auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings

    Edit /etc/yubikey_mappings and add the Yubikey IDs that each user is allowed to use for authentication. You can list multiple Yubikeys for an individual user; separate the IDs with colons and no spaces.

    username:[your yubikey 12 char id]:[another id]:[another id]:...
    username2:[your yubikey 12 char id]:[another id]:[another id]:...

    Important! Stay logged into the server in one shell while you test in another. This lets you revert if necessary without locking yourself out.

    Testing: it is important to note that, by default, the Yubikey PAM module splits your password and the Yubikey OTP when both are typed on a single line at the password prompt. Type your password and then the Yubikey OTP:

    $ ssh username@host
    username@host’s password:
    Last login: Mon Mar 21 12:34:56 2011 from 10.12.14.65
    [username@host ~]$
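    As an added example (not code from this post or from yubico-pam), here is a small Python checker for the mapping file format and for the password+OTP split at the password prompt. The sample mapping file and OTP are constructed, and the split rule (the last 44 characters are the OTP) is an assumption that mirrors the behaviour described above without validating the OTP against Yubico.

```python
"""Added example, not from the original post or from yubico-pam: parse a
pam_yubico-style mapping file and reproduce the password+OTP split. It only
checks the OTP's 12-char public ID; the real module also validates the OTP."""

MODHEX = "cbdefghijklnrtuv"   # alphabet Yubikey OTPs are written in
OTP_LEN = 44                  # 12-char public ID + 32-char encrypted part
PUBLIC_ID_LEN = 12

# Constructed sample /etc/yubikey_mappings; bob's second entry has a stray
# space after the colon, which the module would treat as part of the ID.
SAMPLE_MAPPINGS = """\
alice:ccccccbcgujh:cccccccdbchj
bob:ccccccbtgrhn: ccccccdfgrkl
"""
# Constructed OTP for alice's first key (public ID is the first 12 chars).
SAMPLE_OTP = "ccccccbcgujh" + "dlhtvgtkuehrfhbcintkgvvrbfkjecfv"

def is_modhex(s):
    return all(ch in MODHEX for ch in s)

def parse_mappings(text):
    """Return (mappings, errors): user -> list of valid 12-char public IDs.
    IDs of the wrong length or with non-modhex chars (spaces included) are
    reported, because a verbatim comparison could never match them."""
    mappings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        mappings.setdefault(user, [])
        for yid in filter(None, ids):       # skip empty fields (trailing ':')
            if len(yid) != PUBLIC_ID_LEN or not is_modhex(yid):
                errors.append(f"line {lineno}: bad id {yid!r} for {user}")
            else:
                mappings[user].append(yid)
    return mappings, errors

def split_password_otp(typed):
    """Split what was typed at one prompt into (password, otp).
    Assumption: the last 44 chars are the OTP when they are all modhex and
    a non-empty password precedes them; otherwise there is no OTP."""
    if len(typed) <= OTP_LEN or not is_modhex(typed[-OTP_LEN:]):
        return typed, None
    return typed[:-OTP_LEN], typed[-OTP_LEN:]

def key_allowed(mappings, user, typed):
    """True when the typed OTP's public ID is mapped to this user."""
    _, otp = split_password_otp(typed)
    return otp is not None and otp[:PUBLIC_ID_LEN] in mappings.get(user, [])
```

    Run parse_mappings over your own mapping file before you edit system-auth; any reported error is a key that would silently fail to match.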

    For further details, check https://github.com/Yubico/yubico-pam