@e-cite
Last active November 11, 2020 19:55
Yubikey SSH authentication

Authenticate to an OpenSSH server with either a public key or with a YubiKey OTP plus password

When you have access to your private key file, use it for quick login. When you are on the go, use your Yubikey OTP and your password.

Tutorial: https://developers.yubico.com/yubico-pam/YubiKey_and_SSH_via_PAM.html

  1. Install yubico pam module:

    sudo apt-get install libpam-yubico
    
  2. Create the file /etc/yubikey_mappings listing the allowed users and their corresponding YubiKey token IDs (the first 12 characters of the OTP):

    username1:vvabcdefghij
    username2:vvabcdefghij
    
  3. Get a new API ID from https://upgrade.yubico.com/getapikey/ and edit /etc/pam.d/sshd so that it requests the YubiKey OTP. Paste this line at the very beginning of the file:

    auth required pam_yubico.so id=12345 authfile=/etc/yubikey_mappings
    

    You can add the debug argument as stated here: https://developers.yubico.com/yubico-pam/Manuals/pam_yubico.8.html

  4. In /etc/ssh/sshd_config set the following configurations:

    PermitRootLogin no
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
    
    • PermitRootLogin no is not required for the YubiKey setup; it is set purely as a hardening measure.
    • ChallengeResponseAuthentication yes together with UsePAM yes makes sshd prompt for the YubiKey OTP first and then for the password.
    • One could instead set PasswordAuthentication yes and ChallengeResponseAuthentication no; then password+OTP is entered as one single password string, without a separate YubiKey prompt.
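The following checker is an added example and is not part of the gist. It models the two pieces of configuration from steps 2 and 4 so that you can verify them before relying on the setup: it extracts the 12-character public ID from a full 44-character OTP the way pam_yubico keys its authfile, lints a yubikey_mappings file (pam_yubico also accepts several colon-separated IDs per user, so the parser allows that), and checks an sshd_config excerpt for the four settings above. All sample token IDs, OTPs and config text are constructed; the "#" comment handling in the mappings file and the treatment of KbdInteractiveAuthentication (the newer OpenSSH name for ChallengeResponseAuthentication) as an alias are this checker's own conventions, and sshd Match blocks are not modelled.

```python
import re
from typing import Dict, List

# The 16 modhex characters a YubiKey OTP (and therefore its public ID) is made of.
MODHEX = set("cbdefghijklnrtuv")
PUBLIC_ID_LEN = 12   # pam_yubico looks up the first 12 OTP characters in the authfile
OTP_LEN = 44

# Settings from step 4, keyed by lower-cased sshd keyword.
REQUIRED_SSHD = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}
# Assumption of this checker: treat the newer keyword name as equivalent.
SSHD_ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def otp_public_id(otp: str) -> str:
    """Return the public ID (first 12 chars) of a well-formed 44-char modhex OTP."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not set(otp) <= MODHEX:
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:PUBLIC_ID_LEN]


def parse_mappings(text: str) -> Dict[str, List[str]]:
    """Parse authfile lines 'user:id1[:id2...]'; lines after '#' are ignored (checker convention)."""
    mappings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, *ids = line.split(":")
        mappings.setdefault(user, []).extend(i for i in ids if i)
    return mappings


def lint_mappings(mappings: Dict[str, List[str]]) -> List[str]:
    """Report users with no ID or with IDs that are not 12 modhex characters."""
    problems = []
    for user, ids in mappings.items():
        if not ids:
            problems.append(f"{user}: no token ID listed")
        for tid in ids:
            if len(tid) != PUBLIC_ID_LEN or not set(tid) <= MODHEX:
                problems.append(f"{user}: {tid!r} is not a 12-character modhex public ID")
    return problems


def user_allowed(mappings: Dict[str, List[str]], user: str, otp: str) -> bool:
    """True if the OTP's public ID is one of the IDs mapped to this user."""
    return otp_public_id(otp) in mappings.get(user, [])


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Collect 'Keyword value' pairs; as in sshd, the first occurrence of a keyword wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = SSHD_ALIASES.get(parts[0].lower(), parts[0].lower())
        settings.setdefault(key, parts[1].strip().lower())
    return settings


def lint_sshd_config(settings: Dict[str, str]) -> List[str]:
    """Report every required setting that is missing or has the wrong value."""
    return [
        f"{key}: expected {want}, found {settings.get(key) or 'unset'}"
        for key, want in REQUIRED_SSHD.items()
        if settings.get(key) != want
    ]


# Constructed sample data (not real token IDs or OTPs).
SAMPLE_MAPPINGS = """\
# constructed authfile
alice:cccccbcdefgh
bob:vvbbcccdddee:vvbbcccdddef
dave:vvbbccddeeff1
"""
SAMPLE_OTP = "cccccbcdefgh" + "rtuv" * 8   # 12-char public ID + 32-char encrypted part
GOOD_SSHD = "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication yes\nUsePAM yes\n"
WEAK_SSHD = "PermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n"

if __name__ == "__main__":
    m = parse_mappings(SAMPLE_MAPPINGS)
    print("alice allowed:", user_allowed(m, "alice", SAMPLE_OTP))
    print("mapping problems:", lint_mappings(m))
    print("weak sshd_config problems:", lint_sshd_config(parse_sshd_config(WEAK_SSHD)))
```

In practice you would feed it the real /etc/yubikey_mappings and /etc/ssh/sshd_config contents; the two lint functions return empty lists when everything matches the tutorial.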