Life, Code & Idiocy

Bloggage of a web coding nutcase

4 Mar 2009

The Adventures of Fuhry and his Yubikey

If you’ve been following Enano lately you will know about our worst-kept secret of 2009 so far, the Yubikey plugin. Part of developing this plugin was, of course, purchasing and welcoming into my life my very own Yubikey. I was pretty excited when it came in the mail and deploying it was actually one of the easiest things I’ve ever done.

Basically there’s a PAM module that provides support for Yubikey as a login device just about anywhere you can be prompted for a password on a UNIX or Linux system. The version in Google Code has a number of annoying debug messages which I had to remove when I built the plugin. They show even when the “debug” flag is omitted so I presume this is just the result of sloppy development procedure. Aside from the uncomfortable thoughts I’m having of sloppy development on a PAM module, it works beautifully. So beautifully, in fact, that I’ve deployed it across all my servers, and deauthorized my SSH key from root on bigmomma and ktulu so that the only thing that can get you on to either is my Yubikey (with the exception of ktulu, which has an emergency root password somewhere in my encrypted storage – sshhhhh, it’s a secret). It’s much easier to just press my Yubikey instead of typing out one of my Insane Passwords™ so it’s also motivated me to use stronger passwords than what I have now (which are strong with one exception somewhere I think).

Developing for this thing was great except for one thing: signatures. OK, so I wasn’t using a standards-compliant implementation of HMAC; that got fixed. But I also failed to account for carriage returns (0x0D or “\r”) in the regular expression I used to parse their response. (And of course my test server didn’t send them.) That caused the first couple of commits to my plugin to not work right with Yubico’s official API. The cool thing about the Enano plugin was that 80% of the functionality the Yubico verification routine needed was already there in hmac.php and http.php. Yep, you heard it right: most of the Yubikey PHP library is the HTTP client. And the official one (which is used in most integration plugins) can’t even sign requests or verify signatures because it lacks HMAC support. Anyways, eventually I got it all working and it properly logged me into my test site.
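As an added example (not Enano’s hmac.php/http.php and not Yubico’s library), here is a Python sketch of the two things described above: parsing a key=value validation response that arrives with CRLF line endings, and checking its HMAC signature. The field names, the signing rule (HMAC-SHA1 over the k=v pairs sorted by key, joined with “&”, excluding h) and every sample value are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed shared secret, base64-encoded like a Yubico API key (not a real key).
API_KEY = base64.b64encode(b"example-shared-secret-not-real").decode()

# Constructed response fields; the OTP and nonce are made up for the example.
SAMPLE = {
    "t": "2009-03-04T12:00:00Z0123",
    "otp": "ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded",
    "nonce": "0123456789abcdef",
    "status": "OK",
}


def naive_parse(body):
    """The bug from the post: assumes bare '\\n' endings, so with CRLF input every
    value keeps a trailing '\\r' and 'OK\\r' no longer equals 'OK'."""
    return dict(re.findall(r"^(\w+)=(.*)$", body, re.M))


def parse(body):
    """Tolerant parse: split on CRLF or LF, skip blank lines, and keep any '='
    inside the value (base64 signatures may end in '=')."""
    fields = {}
    for line in re.split(r"\r\n|\n", body):
        key, sep, value = line.partition("=")
        if sep:
            fields[key] = value
    return fields


def signature(fields, api_key_b64):
    """HMAC-SHA1 over 'k=v' pairs sorted by key, '&'-joined, excluding 'h' (assumed rule)."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def verify(fields, api_key_b64):
    """True only if the response carries an 'h' that matches our own HMAC."""
    return "h" in fields and hmac.compare_digest(fields["h"], signature(fields, api_key_b64))


def build_response(fields, api_key_b64, eol="\r\n"):
    """Constructed server reply; eol selects CRLF (official API) or LF (the lenient test server)."""
    signed = dict(fields, h=signature(fields, api_key_b64))
    return eol.join(f"{k}={v}" for k, v in signed.items()) + eol
```

Run `verify(naive_parse(build_response(SAMPLE, API_KEY)), API_KEY)` and it fails purely because of the stray `\r`, while `verify(parse(...), API_KEY)` accepts both line-ending variants and still rejects a tampered field.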

Then I had to make a screencast about it, but that’s another story for another day. Hey, I supposedly get 5 free Yubikeys out of it, so why not, right?

Posted in Uncategorized
