Yubikey Configuration with PVE

Hello,

I am attempting to configure our new Yubikeys for use with our PVE servers. I have followed the directions in the HOWTO but cannot find the 'Yubico' URL. I have tried with two different keys and several different API keys from https://upgrade.yubico.com/getapikey/ with no success. Obviously I am missing something simple, but I can't seem to figure it out, especially being new to TFA and Proxmox.

Any suggestions?

Thank you in advance for your help,
Jason
 
Thanks for the reply!

Following the steps at http://pve.proxmox.com/wiki/Two-Factor_Authentication for both PVE and PAM has been unsuccessful. I am using the Client ID from Yubico as the API ID and the Yubico Secret Key as the API Key.

I have tried using the Yubico API URL and leaving the URL empty.

I have been using the first 12 characters (the static part of the OTP) from the key as the user's Key ID.

I have set this up before using OATH-TOTP for Google Authenticator and it worked quite well, but it seems the Yubikey configuration is a little more difficult...

I still am getting the same 'Login Failed' message when I attempt to use our Yubikeys for authentication.

Does anyone

Thanks,
Jason
 
Hello,

I got the same problem here. I filled in the API secret key and client ID into the PVE realm and configured the user with the 12 characters from the Key ID of the Yubikey.
If I try to log in it fails. In the syslog messages I can see an error like "authentication failure; rhost=xxx.xxx.xxx.xxx user=user@pve msg=Invalid response from server: 403 Forbidden".
Seems that the Yubico API Server does not want to authorize the user. Does anybody have an idea why?

Thank you in advance for your time,
Stefan
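For readers following the two posts above, here is an added illustration (not code from the posts, from Proxmox or from Yubico) of the two things being configured: how the 12-character Key ID is the fixed prefix of every OTP the key emits, and how a YubiCloud verify request is signed with the API ID and API key (Yubico validation protocol v2.0, HMAC-SHA1 over the sorted parameters), including checking the signature on the reply so a forged response is rejected. The API key and OTP values below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# A Yubikey OTP is written in "modhex", a 16-character alphabet chosen to be
# keyboard-layout independent.
MODHEX = set("cbdefghijklnrtuv")


def split_otp(otp: str):
    """Split an OTP into its fixed public ID (the 12-char 'Key ID' the posts
    refer to) and the 32-char encrypted counter/token part."""
    otp = otp.strip().lower()
    if not 32 <= len(otp) <= 48 or not set(otp) <= MODHEX:
        raise ValueError("not a Yubico OTP (expects 32-48 modhex characters)")
    return otp[:-32], otp[-32:]


def sign_params(params: dict, api_key_b64: str) -> str:
    """Protocol v2.0 signature: HMAC-SHA1, keyed with the base64-decoded API
    secret, over 'k=v' pairs sorted by key and joined with '&' ('h' excluded)."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    digest = hmac.new(key, msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def build_verify_query(client_id, api_key_b64: str, otp: str, nonce=None) -> dict:
    """Parameters a client sends to the validation server for one OTP.
    'id' is the Client ID obtained from Yubico; the nonce must be 16-40 chars."""
    nonce = nonce or secrets.token_hex(16)
    params = {"id": str(client_id), "otp": otp, "nonce": nonce}
    params["h"] = sign_params(params, api_key_b64)
    return params


def response_is_authentic(body: str, api_key_b64: str) -> bool:
    """Parse a 'k=v'-per-line reply and verify its 'h' signature with the same
    key, so only a reply the validation server could have produced is trusted."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    expected = sign_params({k: v for k, v in fields.items() if k != "h"}, api_key_b64)
    return hmac.compare_digest(expected, fields.get("h", ""))


if __name__ == "__main__":
    # Constructed example key (20 zero bytes) and a constructed 44-char OTP.
    demo_key = base64.b64encode(b"\x00" * 20).decode()
    public_id, _ = split_otp("cccccccccccc" + "d" * 32)
    print("Key ID to configure for the user:", public_id)
    print(build_verify_query(12345, demo_key, "cccccccccccc" + "d" * 32))
```

A client that skips the reply check would accept any "status=OK" an attacker could inject on the path to the validation server; the status line alone is never enough.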
 
Just a general thought: you might wish to consider twice whether you want your ability to log into PVE to be dependent on the availability of the Yubico service!

Imo it is a MUCH better idea to use the static password mode and have a short password (like 4-8 chars) that you memorize yourself and 30-something characters saved on the Yubikey, so that you first enter your memorized part and afterwards press the Yubikey button. This is so that the Yubikey alone WON'T give you access (which btw. it would if you were to use its cloud mode).

I highly recommend not making yourself dependent on cloud services EVER. There simply is no such thing as 100% availability, and Murphy tells us that the service WILL be offline when you need to log into your PVE urgently. This doesn't even mention the fact that any 3rd party auth provider obtains information about which IP addresses use their service (which is an "information leak" class security issue!) - unless of course you run your own auth server.
 
I agree entirely. I have configured slot 2 of our Yubikey Neos to have a static password: we type our own 'salt', then hold the button to get the rest of the password. However, for simplicity's sake we wanted to use the slot 1 HOTP for accessing the servers, assuming the service was online. It meant adding an extra user, which could potentially be used as an attack vector, and we were never able to get the HOTP working in PVE, so we ended up just going with a single user configured for each admin and using the static password + 'salt' only.

Being 100% dependent on anyone else's services is a recipe for disaster :)
 