In an era where getting your credentials stolen has become child’s play with spyware and keyloggers, it might be best to start using two-factor authentication. For a lot of companies out there, this means adding a second factor on top of an AD/LDAP infrastructure.

It’s actually easier than you think, and it won’t cost you an arm and a leg. I will soon write a tutorial on how I achieved this.

The core service you will need is a validation server for YubiKeys. Whether you’re using LDAP or a Samba 4 instance to authenticate your users, it will all still come down to validating the OTP strings your users will be sending. If you search for the Yubico validation server, you’ll find yourself using old, deprecated or broken versions of the tool, depending on your distro (and even on recent ones).
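To show what that validation amounts to, here is an added example (written for this post, not code from the yubiserve project) of the server-side steps: modhex decoding, the token's CRC check, and the counter-based replay check that makes a captured OTP worthless the second time. The AES-128 decryption of the 16-byte body with the key's secret is assumed to be supplied by the caller as `decrypt`; the uid, counters and token values used below are constructed.

```python
import struct

MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUAL = 0xF0B8     # crc16() over a 16-byte token whose CRC is intact

def modhex_decode(s: str) -> bytes:
    """Decode the modhex text a YubiKey types into raw bytes."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    n = [MODHEX.index(ch) for ch in s]
    return bytes((hi << 4) | lo for hi, lo in zip(n[::2], n[1::2]))

def crc16(data: bytes) -> int:
    """CRC-16 used in YubiKey tokens (poly 0x8408, init 0xFFFF, RFC 1662 style)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def build_token(uid: bytes, use_ctr: int, tstamp: int, session_ctr: int, rnd: int) -> bytes:
    """Constructed helper: 16-byte token as a key lays it out before AES (complemented CRC of the first 14 bytes)."""
    body = struct.pack("<6sH3sBH", uid, use_ctr, tstamp.to_bytes(3, "little"), session_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)

def parse_token(plain: bytes) -> dict:
    """Split a decrypted token into fields; reject it if the CRC residual is wrong."""
    if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUAL:
        raise ValueError("bad CRC")
    uid, use_ctr, ts, session_ctr, rnd, _ = struct.unpack("<6sH3sBHH", plain)
    return {"uid": uid, "use_ctr": use_ctr, "tstamp": int.from_bytes(ts, "little"),
            "session_ctr": session_ctr, "rnd": rnd}

def validate(otp: str, decrypt, keys: dict, last_seen: dict) -> str:
    """One validation-server check. keys: public id -> private uid. last_seen: public id -> highest
    (use counter, session counter) accepted so far. decrypt(public_id, ct) is assumed to be AES-128-ECB."""
    public_id, body = otp[:-32], otp[-32:]
    if len(otp) != 44 or public_id not in keys:
        return "BAD_OTP"
    try:
        tok = parse_token(decrypt(public_id, modhex_decode(body)))
    except ValueError:
        return "BAD_OTP"
    if tok["uid"] != keys[public_id]:
        return "BAD_OTP"  # decrypts cleanly but belongs to another key
    ctr = (tok["use_ctr"], tok["session_ctr"])
    if ctr <= last_seen.get(public_id, (-1, -1)):
        return "REPLAYED_OTP"
    last_seen[public_id] = ctr
    return "OK"
```

The `last_seen` dictionary is exactly the state a real server persists in its database, and the point where an audit trail of accepted and rejected OTPs plugs in.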

I stumbled upon Raphaël Barrois’ version, hosted on GitHub, which was almost exactly what I needed (thanks, honestly!). Still, I had to add a few bells and whistles:

  • Support for PostgreSQL
  • Auditing capabilities on OTP tokens
  • A working example of an init.d script for this baby

And bam, there it is: https://github.com/gradew/yubiserve. Feel free to use it! :)