The YubiKey, from Yubico, is a small USB device, about the size of a small flash drive, that emits OTP strings when its button is pressed. The device can also be reprogrammed to offer static passwords, and the new 2.0 version has a very handy management application available. It is compatible with most recent *nix and Solaris installations, as well as MacOS and Windows.
Since receiving mine, I have tested it via several available PHP implementations, and other interfaces, e.g. the WordPress plugin and the LastPass integration. Last night, I found a site which offers an Apache HTTP Server module for use with the usual Basic authentication. Since I wanted to use it on a production server without build tools installed, I first compiled it on a test server, and then copied the necessary files to the production box. The following are the steps I used to build and enable it.
Install the prerequisites (assuming build-essential is already installed):
- $ sudo apt-get install apache2-threaded-dev libcurl3 libcurl4-openssl-dev
Download, unpack and build:
- $ wget http://mod_authn_yubikey.coffeecrew.org/authn_yubikey.tar.bz2
- $ tar jxf authn_yubikey.tar.bz2
- $ cd authn_yubikey/
- $ apxs2 \
- -DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
- -DYK_PACKAGE_VERSION=\\\"0.1\\\" \
- -I. -Wc -c -lcurl mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo
If all has gone according to plan, the module object now exists in the .lib (dot lib) directory. If necessary, scp it to your server and continue.
Note: The following layouts are based on an Ubuntu installation; you may need to put the library where your system expects to find it.
Copy the module to the required directory:
- sudo cp .lib/mod_authn_yubikey.so /usr/lib/apache2/modules/
Create the basic files to allow the module to be enabled/disabled using the normal Ubuntu functionality:
Module load file (/etc/apache2/mods-available/authn_yubikey.load)
- # /etc/apache2/mods-available/authn_yubikey.load
- LoadFile /usr/lib/libcurl.so.4
- LoadModule authn_yubikey_module /usr/lib/apache2/modules/mod_authn_yubikey.so
Basic module config file:
- # /etc/apache2/mods-available/authn_yubikey.conf
- <IfModule mod_authn_yubikey.c>
- AuthYubiKeyRequireSecure Off
- </IfModule>
Since this module works in a similar manner to the standard Apache Auth packages, create an htpasswd file, adding a user with key id ‘abcdeffedcba’ (the first 12 characters emitted by the YubiKey), username ‘jsmith’ and password ‘mypass’. The ‘-s’ option uses SHA instead of crypt(). The file paths are relative to /etc/apache2, so run the commands from that directory:
- $ cd /etc/apache2
- $ sudo mkdir conf
- $ sudo htpasswd -csb conf/ykUserDb abcdeffedcba jsmith:mypass
- $ sudo touch conf/ykTmpDb && sudo chown www-data conf/ykTmpDb
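To show what the htpasswd command above writes into ykUserDb, here is an added Python example (not part of the original post or of mod_authn_yubikey). It takes the 12-character key id from a full OTP and builds the same `{SHA}` entry, prompting for the password instead of passing it on the command line. It assumes the standard 44-character ModHex OTP; the function names and SAMPLE_OTP are constructed for illustration.

```python
import base64
import hashlib
import re

# ModHex is the 16-character alphabet a YubiKey types for its OTPs.
# Assumption: the standard 44-character OTP (12-char id + 32-char ciphertext).
MODHEX_OTP = re.compile(r"[cbdefghijklnrtuv]{44}")
ID_LEN = 12  # the "first 12 characters" used as the key id above

# Constructed sample OTP for illustration; not output from a real key.
SAMPLE_OTP = "cccccccbdefg" + "hijklnrtuv" + "cbdefghijklnrtuv" + "cbdefg"


def token_id(otp: str) -> str:
    """Return the fixed id prefix of a 44-character ModHex OTP."""
    otp = otp.strip().lower()
    if not MODHEX_OTP.fullmatch(otp):
        raise ValueError("expected 44 ModHex characters")
    return otp[:ID_LEN]


def sha_hash(secret: str) -> str:
    """Hash the way `htpasswd -s` does: '{SHA}' + base64(SHA-1(secret))."""
    digest = hashlib.sha1(secret.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def user_db_line(otp: str, username: str, password: str) -> str:
    """Build the line htpasswd writes for key id and 'username:password'."""
    if ":" in username or "\n" in username + password:
        raise ValueError("username must not contain ':'; no newlines allowed")
    return f"{token_id(otp)}:{sha_hash(username + ':' + password)}"


if __name__ == "__main__":
    import getpass

    # Reading the password with getpass keeps it out of shell history
    # and the process list, unlike htpasswd's -b switch.
    otp = input("Touch the YubiKey button: ")
    user = input("Username: ")
    print(user_db_line(otp, user, getpass.getpass("Password: ")))
```

The printed line can be appended to conf/ykUserDb in place of running htpasswd with the password on the command line.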
Now just pick a directory or location to protect, and add a basic config section to the appropriate Apache config file:
- <Location /supersekret>
- AuthType Basic
- AuthBasicProvider yubikey
- AuthName "Please log in using your YubiKey"
- AuthYubiKeyTimeout 30
- AuthYubiKeyTmpFile conf/ykTmpDb
- AuthYubiKeyUserFile conf/ykUserDb
- AuthYubiKeyRequireSecure On
- AuthYubiKeyExternalErrorPage Off
- Require valid-user
- </Location>
Note: ‘AuthYubiKeyRequireSecure On’ ensures that only SSL (https) connections are allowed. Turn that off to use standard http.
That’s it. Now just enable the module and restart Apache:
- $ sudo a2enmod authn_yubikey
- $ sudo /etc/init.d/apache2 restart
For additional information regarding the use and configuration of the module, please check the mod_authn_yubikey website – http://mod_authn_yubikey.coffeecrew.org/.
Many thanks to Jens Frey, the author of the plugin, for his quick response to my request for clarification on a few points.












