Authored by Jens Frey

 

Recent News:

 

31.08.2008:

WebSite officially launched

 


Prerequisites

For mod_authn_yubikey to work you first need libcurl. You have to install libcurl according to the installation instructions valid for your distribution and/or platform.

 

On a Debian system you would typically do a simple aptitude install libcurl3.

 

As a next step you need to download the module source here. After extracting the module you need to adapt the Makefile to point to an Apache source tree, so the module is able to compile (of course, for compiling you will want to have libcurl-dev too).

If you are not installing the module into a custom-built Apache, you might want to use the Apache server already installed on your system. If you are running Debian you need the apxs tool to build the module. You can get this tool by typing aptitude install apache-threaded-dev.

After you have installed that, you can build and install the module with the following command (after changing into the directory where you unpacked the module source, of course):

apxs2 \
-DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
-DYK_PACKAGE_VERSION=\\\"0.1\\\" -I. -Wc -c -lcurl \
mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo \
&& su -c "apxs2 -i mod_authn_yubikey.la"

 

After you have finished installing libcurl and copying/compiling/installing the module, you can go on to configure mod_authn_yubikey. Every configuration option is explained here. The next section gives just a sample configuration.

Example configuration

An example configuration using mod_authn_yubikey looks as follows (configured on a Mac):


# These are global parameters, libcurl needs to be loaded from 
# wherever it is installed on your system

LoadFile /opt/local/lib/libcurl.dylib
LoadModule authn_yubikey_module modules/mod_authn_yubikey.so
ErrorDocument 406 http://coffeecrew.org/index.html

# This tells Apache that you really do not want any security in the
# first place and that you will protect your login location or directory
# by responsibly setting up an SSL connection to that location. If you
# just use OneFactor authentication (just the key, no password) this is
# of course unnecessary, since a stolen password (the token output)
# cannot be reused.

AuthYubiKeyRequireSecure Off

# Global configuration end 

<Location /cgi-bin>
AuthType Basic
AuthBasicProvider yubikey
AuthName "Please Log In using your YubiKey"
AuthYubiKeyTimeout 30
AuthYubiKeyTmpFile conf/ykTmpDb
AuthYubiKeyUserFile conf/ykUserDb
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
Require valid-user
</Location>
  

 

Now that you have configured the mod_authn_yubikey module, you'll probably want to use it. For this to happen, you have to add the tokenId/user mapping into the file configured with AuthYubiKeyUserFile which defaults to conf/ykUserDb if not specified otherwise.

 

To add the user jensfrey with the password test123 and the token id abcdefghijkl you would do:

  $> htpasswd -cb conf/ykUserDb abcdefghijkl jensfrey:test123

This lets the user jensfrey access the site when he:
  1. Enters his username (jensfrey) in the username field.
  2. Enters his password (test123) in the password field.
  3. And then presses the button on the YubiKey (while the cursor is still in the password field).
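
How the three login steps relate to the ykUserDb entry created above, as an added example (not the module's own code). It assumes the standard 44-character Yubico OTP whose first 12 characters are the token ID; the struct, the function names and the sample OTP are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define OTP_LEN 44   /* standard Yubico OTP: 12-char token ID + 32-char ciphertext */
#define ID_LEN  12   /* token ID, the key used in ykUserDb */

/* Result of splitting the Basic-auth password field (hypothetical type). */
struct yk_split {
    char token_id[ID_LEN + 1];  /* lookup key in the user file */
    char otp[OTP_LEN + 1];      /* one-time part, checked by the validation service */
    char secret[256];           /* "user:password", the string htpasswd hashed */
};

/* Returns 1 if the n characters at s are all in the YubiKey modhex alphabet. */
static int is_modhex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strchr("cbdefghijklnrtuv", s[i]) == NULL)
            return 0;
    return 1;
}

/* Split "<password><OTP>" and rebuild the secret stored for the token.
 * Returns 0 on success, -1 if the field cannot contain a valid OTP. */
int yk_split_credentials(const char *user, const char *pw_field, struct yk_split *out)
{
    size_t len = strlen(pw_field);
    if (len < OTP_LEN)
        return -1;                              /* no room for an OTP */
    const char *otp = pw_field + (len - OTP_LEN);
    if (!is_modhex(otp, OTP_LEN))
        return -1;                              /* last 44 chars are not an OTP */
    size_t pw_len = len - OTP_LEN;              /* 0 when only the OTP was entered */
    memcpy(out->otp, otp, OTP_LEN);     out->otp[OTP_LEN] = '\0';
    memcpy(out->token_id, otp, ID_LEN); out->token_id[ID_LEN] = '\0';
    int n = snprintf(out->secret, sizeof out->secret, "%s:%.*s",
                     user, (int)pw_len, pw_field);
    return (n < 0 || (size_t)n >= sizeof out->secret) ? -1 : 0;  /* reject truncation */
}

int main(void)
{
    /* Constructed sample: password test123 followed by a made-up 44-char OTP. */
    struct yk_split s;
    const char *field = "test123" "cccccccfhcbe" "lnrtuvcbdefghijklnrtuvcbdefghijk";
    if (yk_split_credentials("jensfrey", field, &s) == 0)
        printf("token=%s secret=%s\n", s.token_id, s.secret);
    return 0;
}
```

Only the static part (user:password) is stored hashed under the token ID; the OTP itself is never stored and changes on every button press.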