I like public key auth. I feel safer using keys instead of a username and password login. But I might not have my private key with me at a time when I need access.
I started using yubikey with LastPass and since I have it always on my keychain, I decided to find more ways to make use of it.
I wasn't originally aware of this, but if you pass a private key to ssh and sshd is configured to accept it, the PAM auth stack isn't used at all: your authorized keys are checked and you are logged in. If you don't pass a private key, ssh falls back to the more standard un*x style login defined in /etc/pam.d/sshd. This is where we'll add the yubikey PAM module. I am currently unaware of a way to require both public key auth and yubikey for login.
These steps worked for me on Debian squeeze/wheezy. More info is at the yubico-pam GitHub repo.
There is plenty of good documentation out there for this. The gist is: create a public/private key pair (hopefully using a passphrase) and store the public key on the remote server in ~/.ssh/authorized_keys. Then, when you ssh to the remote server, pass the private key with ssh -i keyfile_rsa or configure ~/.ssh/config to do so automatically.
libpam-yubico is not in the squeeze package repositories, so if you are not using wheezy, add the wheezy sources to sources.list before installing:
deb http://ftp.us.debian.org/debian/ testing main contrib non-free
aptitude update
aptitude install libpam-yubico
[trey|d3v ~]% apti libpam-yubico
The following NEW packages will be installed:
libpam-yubico libusb-1.0-0{a} libykclient3{a} libykpers-1-1{a} libyubikey0{a}
The following packages will be upgraded:
libpam0g
1 packages upgraded, 5 newly installed, 0 to remove and 340 not upgraded.
Need to get 307 kB of archives. After unpacking 463 kB will be used.
Do you want to continue? [Y/n/?]
The dependencies are mostly self-contained, so pulling these from wheezy is low risk. Reverting should be easy after removing the wheezy source:
aptitude update
aptitude remove libpam-yubico libusb-1.0-0 libykclient3 libykpers-1-1 libyubikey0
If using squeeze, downgrade libpam0g: list the available versions with apt-cache show libpam0g or apt-cache policy libpam0g, and then install the one you want, for example aptitude install libpam0g=1.1.1-6.1+squeeze1.
Retrieve the yubikey token ID (aka public ID) for each yubikey you wish to use by looking at an OTP it emits and removing the last 32 characters; the 12 characters that remain are the public ID.
mkdir ~/.yubico && cd ~/.yubico
vi authorized_yubikeys
Add a line formatted as follows:
#<user name>:<yubikey token ID>:<yubikey token ID>: ….
seamus:indvnvlcbdre:ldvglinuddek
Just a note: be careful! If this file gets moved or deleted you'll still be prompted for your yubikey, but you will be unable to log in with it. It's just as important as having your ~/.ssh/authorized_keys file correctly in place.
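Two helpers for the steps above, added here as an example and not part of the original post: one derives the public ID from an OTP the way the text describes (a YubiKey OTP is 44 modhex characters, and the first 12 are the public ID), the other checks that ~/.yubico/authorized_yubikeys is present, readable and has a well-formed line for a given user, which is the check worth running before you log out of a session. The OTP, user name and file contents in the demo are constructed sample values; the token IDs are the ones shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): derive YubiKey public IDs from
# OTPs and sanity-check an authorized_yubikeys file before relying on it.
# The OTP and file contents below are constructed sample values.

# Print the 12-character public ID of a YubiKey OTP.
# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv):
# a 12-char public ID followed by a 32-char encrypted OTP body.
yubikey_public_id() {
    otp=$1
    case "$otp" in
        *[!cbdefghijklnrtuv]*) echo "not modhex: $otp" >&2; return 1 ;;
    esac
    [ "${#otp}" -eq 44 ] || { echo "expected 44 chars, got ${#otp}" >&2; return 1; }
    printf '%s\n' "$otp" | cut -c1-12
}

# Return 0 if FILE has a line "USER:id:id..." whose token IDs are all
# 12-char modhex. Comment lines (#...) are ignored, as in the post's file.
check_authorized_yubikeys() {
    file=$1 user=$2
    [ -r "$file" ] || { echo "$file missing or unreadable: yubikey login would fail" >&2; return 1; }
    line=$(grep -v '^#' "$file" | grep "^$user:" | head -n 1)
    [ -n "$line" ] || { echo "no entry for $user in $file" >&2; return 1; }
    ids=$(printf '%s\n' "$line" | cut -d: -f2- | tr ':' '\n')
    n=0
    for id in $ids; do
        [ "${#id}" -eq 12 ] || { echo "bad token id length: $id" >&2; return 1; }
        case "$id" in *[!cbdefghijklnrtuv]*) echo "bad token id: $id" >&2; return 1 ;; esac
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "entry for $user has no token ids" >&2; return 1; }
    return 0
}

# Demo with constructed values (public ID indvnvlcbdre + a made-up 32-char body).
SAMPLE_OTP='indvnvlcbdretuvfghijklnrcbdeijklnrtuvfghcbde'
SAMPLE_FILE=$(mktemp)
printf '#<user name>:<yubikey token ID>:<yubikey token ID>\nseamus:indvnvlcbdre:ldvglinuddek\n' > "$SAMPLE_FILE"
yubikey_public_id "$SAMPLE_OTP"                                  # prints indvnvlcbdre
check_authorized_yubikeys "$SAMPLE_FILE" seamus && echo "seamus: ok"
rm -f "$SAMPLE_FILE"
```

Run check_authorized_yubikeys "$HOME/.yubico/authorized_yubikeys" "$USER" from a second shell after editing the file; a non-zero exit is the lockout the note above warns about.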
Add auth required pam_yubico.so id=16 debug to /etc/pam.d/sshd. PAM processes modules in order, so if you want to be prompted for the yubikey before the password, put the yubikey line above @include common-auth; otherwise put it just after. I put it after; the flow seems better this way.
# pertinent lines in /etc/ssh/sshd_config:
PubkeyAuthentication yes # allows login via private key (no password needed)
PasswordAuthentication yes # allows login via password if no private key is used
ChallengeResponseAuthentication yes # challenges user via PAM (yubikey + password)
restart ssh:
/etc/init.d/ssh restart
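A pre-flight check to run before the restart, added as an example and not part of the original post: it reports whether the active pam_yubico.so line sits before or after @include common-auth (the ordering decision above), and confirms sshd_config actually hands keyboard-interactive logins to PAM. The post does not mention UsePAM, but sshd only runs PAM when that option is yes (Debian's default), so the check rejects an explicit UsePAM no. The sample files in the demo are constructed; point the functions at the real /etc/pam.d/sshd and /etc/ssh/sshd_config on your box.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# restarting sshd, so a mistake in /etc/pam.d/sshd or sshd_config does not lock
# you out. The sample files written by the demo are constructed.

# Print "before", "after", "missing" (no active pam_yubico auth line) or
# "no-common-auth" for where the uncommented pam_yubico.so auth line sits
# relative to "@include common-auth".
pam_yubico_position() {
    file=$1
    yk=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$file" | head -n 1 | cut -d: -f1)
    ca=$(grep -n '^[[:space:]]*@include[[:space:]]*common-auth' "$file" | head -n 1 | cut -d: -f1)
    if [ -z "$yk" ]; then
        echo missing
    elif [ -z "$ca" ]; then
        echo no-common-auth
    elif [ "$yk" -lt "$ca" ]; then
        echo before
    else
        echo after
    fi
}

# Print the effective value of an sshd_config option (sshd uses the first
# uncommented occurrence; keywords are case-insensitive), or "unset".
sshd_option() {
    file=$1 name=$2
    val=$(grep -i "^[[:space:]]*$name[[:space:]]" "$file" | head -n 1 | awk '{print $2}')
    printf '%s\n' "${val:-unset}"
}

# Return 0 when sshd will hand keyboard-interactive logins to PAM:
# ChallengeResponseAuthentication must be yes and UsePAM must not be no.
check_sshd_config() {
    file=$1
    cra=$(sshd_option "$file" ChallengeResponseAuthentication | tr '[:upper:]' '[:lower:]')
    pam=$(sshd_option "$file" UsePAM | tr '[:upper:]' '[:lower:]')
    [ "$cra" = yes ] || { echo "ChallengeResponseAuthentication is $cra, need yes" >&2; return 1; }
    [ "$pam" != no ] || { echo "UsePAM is no: PAM (and pam_yubico) will never run" >&2; return 1; }
    return 0
}

# Demo on constructed files mirroring the configuration in the post.
PAM_FILE=$(mktemp)
SSHD_FILE=$(mktemp)
cat > "$PAM_FILE" <<'EOF'
@include common-auth
auth required pam_yubico.so id=16 debug
@include common-account
EOF
cat > "$SSHD_FILE" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
echo "pam_yubico is $(pam_yubico_position "$PAM_FILE") common-auth"   # after
check_sshd_config "$SSHD_FILE" && echo "sshd_config ok"
rm -f "$PAM_FILE" "$SSHD_FILE"
```

Keep an existing root session open while you restart and test a fresh login from another terminal; if the new login fails, the open session is what lets you back out the change.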
http://code.google.com/p/yubico-pam/wiki/YubikeyAndSSHViaPAM
I'm also interested in that. What if I want only one or a few users to be prompted for yubikey (like root or other administrator users)?
As of now, it's asking every user, even those without a yubikey assigned to them. It's annoying and unusable.