Good morning.
I am in a project where we want to use a Yubikey as a second factor to authenticate the users in CentOS.
We have a closed network (without internet connection) with several CentOS machines (clients) that authenticate users against a CentOS server with OpenLDAP. We are using the GNOME version.
We tried to use the OTP mode of the Yubikeys, but we need access to the Internet to send and receive requests from an API.
Later we tried to use the challenge-response mode, but it is only valid for local users (not users located in OpenLDAP).
Now we are trying to use the PIV mode, with a PKI, and do the authentication with smartcards, but we can't get the VM where we are testing to read the Yubikeys; we get a message that says (This smartcard is not valid, please insert another smartcard).
How can we use Yubikeys in our project?
Thanks and regards.
Yubikey in authentication in CentOS 8
Re: Yubikey in authentication in CentOS 8
any help?? 

Re: Yubikey in authentication in CentOS 8
I am not sure why challenge-response would not work for LDAP users. Is that actually documented somewhere?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
Re: Yubikey in authentication in CentOS 8
Hi Trevor.
I followed the instructions of our partnership in my country.
A month ago I tested the challenge-response mode, but I don't know if my procedure was correct.
With an OpenLDAP user authenticated in a CentOS client with a password:
- I activated the challenge-response mode.
- A file in $HOME/yubico was created; I changed the name of the generated file to the username (OpenLDAP username).
- I moved it to a different location (/var/yubico).
- And I modified the password-auth file in pam.d to add a line with the attributes mode challenge-response and chalresp_path with the path where I moved the file (/var/yubico).
With a reboot I tried to login with the openLDAP user and the authentication failed.
But with local users, the mode worked correctly.
Thanks and regards.
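
The steps described in the post above can be checked with a short script. This is an added example, not part of the original thread: it assumes pam_yubico's system-wide layout in which the state file under `chalresp_path` is named `<username>-<serial>` (as in Yubico's pam_yubico documentation), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity-check a system-wide pam_yubico challenge-response
# setup for one account (for instance an OpenLDAP user).
# Assumption: with chalresp_path set, pam_yubico looks for
# "<chalresp_path>/<username>-<serial>" when it can read the key's serial.

# Print the chalresp_path value of the first pam_yubico challenge-response
# auth line in a PAM file; fail if there is no such line or no chalresp_path.
pam_chalresp_path() {
    sed -n '/^[[:space:]]*auth[[:space:]].*pam_yubico\.so.*mode=challenge-response/{
        s/.*chalresp_path=\([^[:space:]]*\).*/\1/p
        q
    }' "$1" | grep .
}

# Return 0 if "<dir>/<user>-<serial>" exists, 2 if only "<dir>/<user>" exists
# (the serial suffix was dropped when renaming), 1 if nothing is found.
check_challenge_file() {
    dir=$1
    user=$2
    for f in "$dir/$user"-*; do
        if [ -f "$f" ]; then
            echo "ok: $f"
            return 0
        fi
    done
    if [ -f "$dir/$user" ]; then
        echo "note: $dir/$user has no -<serial> suffix"
        return 2
    fi
    echo "missing: no challenge file for $user in $dir"
    return 1
}

# Usage: sh check.sh /etc/pam.d/password-auth <username>
if [ "$#" -eq 2 ]; then
    # A directory user must resolve through NSS before PAM can authenticate it.
    getent passwd "$2" >/dev/null || echo "warning: $2 not resolved by getent"
    dir=$(pam_chalresp_path "$1") || {
        echo "no pam_yubico challenge-response line with chalresp_path in $1"
        exit 1
    }
    check_challenge_file "$dir" "$2"
fi
```

Run it as root on the client, since the directory holding the challenge files is normally readable only by root.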