For mod_authn_yubikey to work you first need libcurl. You have to install libcurl according to the installation instructions valid for your distribution and/or platform.
On a Debian system you would typically run:
aptitude install libcurl3
As a next step you need to download the source of the module here. After extracting the module you need to adapt the Makefile to point to an Apache source tree, so the module is able to compile (for compiling you will also want to have libcurl-dev installed).
If you are not installing the module into a custom-built Apache, you might want to use the Apache server already installed on your system. If you are running Debian you need the apxs tool for building the module. You can get this tool by typing
aptitude install apache-threaded-dev
After you have installed that, you can build and install the module with the following command (after changing into the directory where you unpacked the module source):
apxs2 \
  -DYK_PACKAGE=\\\"mod_authn_yubikey\\\" \
  -DYK_PACKAGE_VERSION=\\\"0.1\\\" -I. -Wc -c -lcurl \
  mod_authn_yubikey.c libykclient.c libykclient.slo mod_authn_yubikey.slo \
  && su -c "apxs2 -i mod_authn_yubikey.la"
After you have finished installing libcurl and copying/compiling/installing the module, you can go on to configure mod_authn_yubikey. Every configuration option is explained here. The next section gives just a sample configuration.
An example configuration using mod_authn_yubikey looks as follows (configured on a Mac):
# These are global parameters, libcurl needs to be loaded from
# wherever it is installed on your system
LoadFile /opt/local/lib/libcurl.dylib
LoadModule authn_yubikey_module modules/mod_authn_yubikey.so
ErrorDocument 406 http://coffeecrew.org/index.html
# This tells apache that you really do not want any security in the
# first place and that you will protect your login location or directory
# by responsibly setting up an SSL connection to that location. If you
# just use OneFactor authentication (just the key, no password) this is
# of course unnecessary, since a stolen password (the token output)
# cannot be reused.
AuthYubiKeyRequireSecure Off
# Global configuration end
AuthType Basic
AuthBasicProvider yubikey
AuthName "Please Log In using your YubiKey"
AuthYubiKeyTimeout 30
AuthYubiKeyTmpFile conf/ykTmpDb
AuthYubiKeyUserFile conf/ykUserDb
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
Require valid-user
Now that you have configured the mod_authn_yubikey module, you’ll probably want to use it. For this to happen, you have to add the tokenId/user mapping into the file configured with AuthYubiKeyUserFile which defaults to conf/ykUserDb if not specified otherwise.
To add the user jensfrey with the password test123 and the token id abcdefghijkl you would do:
htpasswd -csb conf/ykUserDb abcdefghijkl jensfrey:test123
Remember to include the -s option in the command, since UNIX platforms use crypt() by default. This switch forces SHA hashing of the password (you can also use -m, which selects MD5). [Thanks to Fredrik Soderblom for pointing that out]. This entry lets the user jensfrey access the site when he:
1. Enters his username (jensfrey) in the username field.
2. Enters his password (test123) in the password field.
3. And then presses the button on the YubiKey (with the cursor still in the password field).
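
The user file entry and the login input described above, as an added example (not code from mod_authn_yubikey): it builds the line that the htpasswd command writes and checks a submitted password field against it. The matching logic is inferred from that command, the 44-character OTP with a 12-character token id prefix is the standard Yubico OTP layout, and the function names and the sample OTP are constructed for illustration.

```python
import base64
import hashlib
import hmac

OTP_LEN = 44        # standard Yubico OTP length
TOKEN_ID_LEN = 12   # leading characters that identify the key (the token id)


def user_db_entry(token_id, user, password):
    """Line written by: htpasswd -sb FILE token_id user:password

    {SHA} is the unsalted SHA-1 of the string "user:password", base64-encoded.
    """
    digest = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{token_id}:{{SHA}}{base64.b64encode(digest).decode()}"


def split_password_field(field):
    """Split the Basic auth password field into (password, token_id, otp)."""
    if len(field) < OTP_LEN:
        raise ValueError("password field is too short to contain an OTP")
    otp = field[-OTP_LEN:]
    return field[:-OTP_LEN], otp[:TOKEN_ID_LEN], otp


def matches_user_db(db_lines, user, field):
    """Check the static part only (token id, user, password).

    Assumed matching logic, inferred from the htpasswd command on this page;
    the OTP itself must still be validated before access is granted.
    """
    password, token_id, _otp = split_password_field(field)
    expected = user_db_entry(token_id, user, password).encode()
    return any(hmac.compare_digest(line.strip().encode(), expected)
               for line in db_lines)


if __name__ == "__main__":
    # Constructed sample: the page's token id plus 32 made-up OTP characters.
    otp = "abcdefghijkl" + "cbdefghijklnrtuv" * 2
    db = [user_db_entry("abcdefghijkl", "jensfrey", "test123")]
    print(db[0])
    print(matches_user_db(db, "jensfrey", "test123" + otp))   # True
    print(matches_user_db(db, "jensfrey", "wrong" + otp))     # False
```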