First, you'll need to install the package or compile it from source.
Since pam_yubico only exists in the Fedora/EPEL repository, which isn't enabled on Amazon Linux by default, you first have to run:
sudo yum-config-manager --enable epel
Then you can install the package:
sudo yum install pam_yubico
sudo yum install git autoconf automake asciidoc libtool pam-devel libcurl-devel help2man
Then compile and install the yubico-c-client:
git clone https://github.com/Yubico/yubico-c-client.git
cd yubico-c-client
autoreconf --install
./configure
make check
sudo make install
Then compile (without offline validation) and install the yubico-pam module:
git clone https://github.com/Yubico/yubico-pam.git
cd yubico-pam
autoreconf --install
./configure --without-cr
make check
sudo make install
Move the binary to the lib64 directory:
sudo mv /usr/local/lib/security/pam_yubico.so /lib64/security/
Edit the /etc/pam.d/sshd file:
# auth substack password-auth
auth sufficient pam_yubico.so id=[your client ID]
You can then edit the /etc/ssh/sshd_config file:
# ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Edit the ~/.yubico/authorized_yubikeys file:
<user name>:<Yubikey token ID1>:<Yubikey token ID2>
You can find your Yubikey token here: https://developers.yubico.com/yubico-pam/#_obtaining_the_yubikey_token_id_a_k_a_public_id
Then, restart sshd:
sudo /etc/init.d/sshd restart
You should be prompted to enter your Yubikey token on the next SSH login.
sudo systemctl restart sshd would work for the last step
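Added example (not part of the original post): shell functions that sanity-check the files edited in the steps above before sshd is restarted, since a malformed mapping line or a shadowed sshd_config keyword can lock you out of SSH. It assumes a YubiKey OTP is 44 modhex characters whose first 12 are the token ID; the function names are hypothetical and Match blocks in sshd_config are not handled.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Assumption: an OTP is 44 modhex characters, token ID = first 12 of them.
MODHEX='cbdefghijklnrtuv'

# Print the token ID for an OTP; return 1 if the OTP is not well formed.
token_id_from_otp() {
    printf '%s\n' "$1" | grep -Eq "^[$MODHEX]{44}\$" || return 1
    printf '%s\n' "$1" | cut -c1-12
}

# Validate ~/.yubico/authorized_yubikeys: every non-blank line must be
# user:id[:id...] with 12-character modhex ids. Reports bad line numbers.
check_mapping() {
    awk -F: -v mh="^[$MODHEX]+\$" '
        /^[ \t]*$/ { next }
        {
            ok = (NF >= 2 && $1 != "")
            for (i = 2; i <= NF; i++)
                if (length($i) != 12 || $i !~ mh) ok = 0
            if (!ok) { print "line " NR ": malformed entry"; bad++ }
        }
        END { exit (bad > 0) }' "$1"
}

# First uncommented value of KEYWORD in FILE (sshd keeps the first value it
# reads for a keyword, so a later duplicate does not override it).
sshd_setting() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Succeeds only if FILE carries both settings from the steps above.
check_sshd_config() {
    [ "$(sshd_setting "$1" ChallengeResponseAuthentication)" = yes ] || return 1
    [ "$(sshd_setting "$1" AuthenticationMethods)" = publickey,keyboard-interactive ]
}

# Typical use before restarting sshd (sshd -t only parses the config):
#   check_mapping ~/.yubico/authorized_yubikeys &&
#   check_sshd_config /etc/ssh/sshd_config && sudo sshd -t
```

Keep an existing SSH session open while restarting sshd so a failed check can be fixed without losing access.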