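#!/bin/bash
#
# This script will automate the process of installing the Yubikey PAM library
# and configure your server to use it for authentication.
#
# Rickard Andersson <[email protected]>
#
# Usage: sudo ./install-yubikey-pam-ubuntu.sh
#
# Optional environment (PKG is one of LIBYUBIKEY, YKPERS, YKCLIENT, PAM_YUBICO):
#   YK_DOWNLOAD_BASE_<PKG>  base URL the package tarball is fetched from
#   YK_SHA256_<PKG>         expected SHA-256 of that tarball; when set, the
#                           download is verified before anything is built
#
# Security notes on this revision:
#   - Everything here runs as root and ends with a new module wired into PAM,
#     so no step may fail silently: set -e/-u/pipefail, `curl -f` and explicit
#     checks replace the original "carry on regardless" flow. A half-built
#     module that still gets linked into PAM is the fastest way to lock
#     yourself out of the machine.
#   - Tarballs are fetched over https, but they are NOT integrity-checked
#     unless YK_SHA256_<PKG> is supplied. Obtain the checksum (or verify the
#     upstream signature) out of band before trusting what is built here.
#   - The original download host (googlecode.com) has been shut down, so the
#     defaults below will almost certainly need YK_DOWNLOAD_BASE_<PKG>
#     pointing at the current Yubico release location. TODO(review): confirm.
#   - The Client ID and the OTP typed by the user are validated before they
#     are written into PAM configuration and the authfile.
#
set -euo pipefail

if [[ "$(id -u)" -ne 0 ]]; then
  echo "Please run this script as root, either log on as root or run 'sudo $0'"
  exit 1
fi

readonly LIBYUBIKEY="libyubikey-1.10"
readonly YKPERS="ykpers-1.12.0"
readonly YKCLIENT="ykclient-2.9"
readonly PAM_YUBICO="pam_yubico-2.13"

# Original locations, switched from http to https; override per package via
# YK_DOWNLOAD_BASE_<PKG> (see header).
readonly URL_LIBYUBIKEY="${YK_DOWNLOAD_BASE_LIBYUBIKEY:-https://yubico-c.googlecode.com/files}"
readonly URL_YKPERS="${YK_DOWNLOAD_BASE_YKPERS:-https://yubikey-personalization.googlecode.com/files}"
readonly URL_YKCLIENT="${YK_DOWNLOAD_BASE_YKCLIENT:-https://yubico-c-client.googlecode.com/files}"
readonly URL_PAM_YUBICO="${YK_DOWNLOAD_BASE_PAM_YUBICO:-https://yubico-pam.googlecode.com/files}"

# Progress counter; 1 apt step + 4 packages x 5 steps + 5 PAM steps = 26,
# matching the "(n/26)" numbering of the original script.
readonly TOTAL_STEPS=26
step=0

# Print a message to stderr and abort the installation.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print the next numbered "(n/26) ==> ..." progress line.
progress() {
  step=$((step + 1))
  echo "(${step}/${TOTAL_STEPS}) ==> $*"
}

# Verify the SHA-256 of tarball "$2" against YK_SHA256_$1, when that is set.
# Without a checksum we only warn: the original never verified anything, and
# refusing to run would make the script unusable until hashes are published.
verify_checksum() {
  local pkg=$1 archive=$2
  local var="YK_SHA256_${pkg}"
  local expected="${!var:-}"
  if [[ -z "$expected" ]]; then
    echo "    WARNING: ${var} is not set; ${archive} is NOT integrity-checked." >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$archive" | sha256sum -c --quiet - \
    || die "Checksum mismatch for ${archive}; refusing to build it."
}

# Download (unless already present), verify, extract, configure, build and
# install one package into /usr/local, then remove its sources again.
# Arguments: $1 label used for YK_* env lookups (e.g. LIBYUBIKEY),
#            $2 tarball/directory base name (e.g. libyubikey-1.10),
#            $3 base URL to fetch "$2.tar.gz" from.
# Must be called from the directory the sources should be unpacked in.
build_from_source() {
  local pkg=$1 name=$2 base_url=$3
  local tarball="${name}.tar.gz"

  if [[ ! -f "$tarball" ]]; then
    progress "Downloading ${name} from ${base_url} ..."
    # -f: an HTTP error (e.g. 404 from a dead host) is a failure, instead of
    # saving the error page and feeding it to tar.
    curl -fsSL -o "$tarball" "${base_url}/${tarball}" \
      || die "Download of ${base_url}/${tarball} failed."
  fi
  verify_checksum "$pkg" "$tarball"

  if [[ ! -d "$name" ]]; then
    progress "Extracting archive ..."
    tar zxf "$tarball"
  fi
  [[ -d "$name" ]] || die "${tarball} did not unpack into a ${name} directory."

  progress "Configuring package ..."
  (cd "$name" && ./configure > /dev/null) || die "configure failed for ${name}."
  progress "Compiling and installing ..."
  (cd "$name" && make all install > /dev/null) || die "make install failed for ${name}."

  progress "Cleaning up ..."
  rm -rf -- "${name:?}" "$tarball"
}

# 'clear' fails without a usable TERM; that must not abort an otherwise
# working install under set -e.
clear 2>/dev/null || true
echo ""
echo "This script will do the following on your system: "
echo "1. Install some packages needed for the installation."
echo "2. Download libyubikey, ykpers, ykclient and pam_yubico from Google Code."
echo "3. Configure, compile and install the packages."
echo "4. Add Yubikey authentication configuration to PAM."
echo "5. Ask you if you want to enable Yubikey authentication."
echo "6. Prompt you for a Yubikey OTP and link the root account."
echo ""
echo "If you're not fine with this script performing these actions,"
echo "please press CTRL+C now to abort the installation. Otherwise press ENTER,"
echo "go find your Yubikey and we'll continue this installation together."
read -r ack
clear 2>/dev/null || true
echo "You'll have to get an API key to be able to use the Yubico authentication "
echo "service. Please visit https://upgrade.yubico.com/getapikey/ and use your "
echo "Yubikey to get a API key. You need to have one before installation can begin."
echo ""
echo -n "Please enter your Client ID obtained from the API key request site: "
read -r client_id
# The value is written verbatim into a PAM directive. A Yubico client id is a
# decimal number, so anything else is either a typo or an attempt to smuggle
# extra module options into common-auth.
[[ "$client_id" =~ ^[0-9]+$ ]] || die "Client ID must be a number, got '${client_id}'."
clear 2>/dev/null || true

progress "Installing missing ubuntu packages (if any) ... "
apt-get install -qq -y build-essential libusb-dev libcurl4-gnutls-dev libpam-dev curl > /dev/null
cd /usr/src || die "Cannot change to /usr/src."

build_from_source LIBYUBIKEY "$LIBYUBIKEY" "$URL_LIBYUBIKEY"
build_from_source YKPERS "$YKPERS" "$URL_YKPERS"
build_from_source YKCLIENT "$YKCLIENT" "$URL_YKCLIENT"
build_from_source PAM_YUBICO "$PAM_YUBICO" "$URL_PAM_YUBICO"

progress "Linking pam modules ..."
# `ln -s` happily creates a dangling link, so check the module really got
# installed before pointing PAM at it. -f makes a re-run idempotent.
# The original hard-codes /lib/security; multiarch Ubuntu releases use
# /lib/<triplet>/security instead. TODO(review): confirm for the target OS.
[[ -f /usr/local/lib/security/pam_yubico.so ]] \
  || die "/usr/local/lib/security/pam_yubico.so is missing; not touching PAM."
[[ -d /lib/security ]] \
  || die "/lib/security does not exist; adjust the PAM module path for this release."
ln -sf /usr/local/lib/security/pam_yubico.la /lib/security/pam_yubico.la
ln -sf /usr/local/lib/security/pam_yubico.so /lib/security/pam_yubico.so

progress "Generating config ..."
# Overwrite rather than append: a pam-configs file must hold exactly one
# profile, and the original stacked a duplicate on every re-run. The module
# line is a continuation of the "Auth:" field and is indented with a tab,
# which is how the shipped profiles in /usr/share/pam-configs are laid out.
# NOTE(review): no key= is passed, so pam_yubico has no API key with which to
# check the validation server's response; consider adding the key obtained
# alongside the Client ID if your pam_yubico version supports it.
{
  printf 'Name: Yubikey authentication\n'
  printf 'Default: yes\n'
  printf 'Priority: 512\n'
  printf 'Auth-Type: Primary\n'
  printf 'Auth:\n'
  printf '\trequisite pam_yubico.so id=%s authfile=/etc/yubikey\n' "$client_id"
} > /usr/share/pam-configs/yubikey

progress "Running pam-auth-update ..."
pam-auth-update

step=$((step + 1))
echo -n "(${step}/${TOTAL_STEPS}) ==> Please press your Yubikey to generate a OTP: "
read -r YUBICODE
# A Yubico OTP is modhex; with the standard 6-byte public id it is 44
# characters, the first 12 of which are the public id stored in the authfile.
# The original blindly wrote the first 12 characters of whatever was typed.
[[ "$YUBICODE" =~ ^[cbdefghijklnrtuv]{44}$ ]] \
  || die "That does not look like a Yubikey OTP (expected 44 modhex characters)."

progress "Configuring root account with your Yubikey ..."
# authfile format: user:publicid[:publicid...]; overwritten, as before.
printf 'root:%s\n' "${YUBICODE:0:12}" > /etc/yubikey

echo ""
echo "Done!"
echo "If you choose to enable Yubikey authentication in pam-auth-update, you can"
echo "now try to sign in using your Yubikey by running the command 'login'."
echo "It's highly recommended that you try this out before you sign out, since "
echo "a misconfiguration can lead to you not being able to access your server."
echo ""
echo "If you want to sign in to your account with SSH you need to first enter "
echo "your regular password and then, without pressing enter, push the button "
echo "on your yubikey to generate an OTP. This will send your regular password "
echo "and the OTP as one password to SSH. But when signing in locally you'll "
echo "still be prompted for both the password and OTP separately."
echo ""
echo "Please note that the root account is the only account which has a Yubikey "
echo "enabled. To add more users just edit /etc/yubikey with more users and their"
echo "IDs. You really have to do this if your server doesn't permit remote logins"
echo "with the root account, so be sure to configure your regular account with"
echo "Yubkey as well, _before_ you close this session. If you run in to some kind"
echo "of trouble and want to disable authentication by yubikey, just run"
echo "'pam-auth-update' again and deselect yubikey authentication."
echo ""
echo "NOTE: The Yubikey ID is the first 12 characters of any OTP generated "
echo "by the Yubikey device."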