@andreibosco
Last active October 25, 2022 10:09
Configure linux ssh to use yubikey authentication

How to set up a server for YubiKey authentication

These steps were made for Ubuntu 20.04 LTS and tested with a Yubikey 5 NFC.

Based on:

Steps

  • Register for an API key here, by entering your email address and touching the button on your YubiKey. Keep the Client ID and Secret Key returned by the website.

  • Install required packages:

    sudo add-apt-repository ppa:yubico/stable
    sudo apt-get update
    sudo apt-get install libpam-yubico
    
  • Create a mapping file: sudo touch /etc/ssh/authorized_yubikeys

  • Populate this file with the usernames for which you want to enable two-factor authentication and their YubiKey IDs. You can obtain the ID by opening a text editor and touching the button on the YubiKey, and selecting only the first 12 characters. The first line below would be a typical configuration. The subsequent lines show a configuration where users user2, user3, and user4 use multiple YubiKeys and plan to access the server with all of them.

    # example
    user1:vvklhtiubdcu
    user2:ccurrufnjder:ccturefjtehv:cctbhunjimko
    
  • Add auth required pam_yubico.so id=<client id> key=<secret key> authfile=/etc/ssh/authorized_yubikeys to the start of /etc/pam.d/sshd. Replace <client id> with the ID you retrieved when applying for an API key, and <secret key> with the secret key. If you only want single-factor authentication (either a YubiKey or a password), change required to sufficient to tell the system that a valid YubiKey will be enough to log in.

    # PAM configuration for the Secure Shell service
    
    # Yubikey authentication
    auth required pam_yubico.so id=<client id> key=<secret key> authfile=/etc/ssh/authorized_yubikeys
    
    # Standard Un*x authentication.
    @include common-auth
    ...
    
  • In /etc/ssh/sshd_config, add or edit the following settings:

    ChallengeResponseAuthentication yes
    PasswordAuthentication no
    UsePAM yes
    
  • Restart ssh daemon: sudo systemctl restart sshd
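
The following pre-flight check is an added example, not part of the gist: it extracts the 12-character public ID from a YubiKey OTP (the "first 12 characters" step above), validates the user:id[:id...] mapping file, and confirms that the three sshd_config settings are actually in effect before sshd is restarted. The last check matters because sshd uses the first value it finds for a keyword and treats every line after a Match line as conditional, so a setting appended to the end of the file can be silently ignored. File paths are parameters, and the OTP, IDs and config contents in the demo are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not part of the gist: a pre-flight check to run before
# "sudo systemctl restart sshd". It extracts the 12-character public ID from a
# YubiKey OTP, validates the authorized_yubikeys mapping file, and verifies
# that the three sshd_config settings are actually in effect. Paths are
# parameters so the checks can run against copies of the real files.

# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv); the
# first 12 are the key's fixed public ID, which is what the mapping file holds.
is_modhex() {  # is_modhex STRING LENGTH -> 0 if STRING is LENGTH modhex chars
    [ "${#1}" -eq "$2" ] || return 1
    case "$1" in *[!cbdefghijklnrtuv]*) return 1 ;; esac
}

yubikey_public_id() {  # prints the public ID of an OTP; fails if malformed
    is_modhex "$1" 44 || return 1
    printf '%.12s\n' "$1"
}

# check_authfile FILE: one line per bad entry, returns 1 if any were found.
# Format from the gist: user:id[:id...]; '#' comments and blank lines are ignored.
check_authfile() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        user=${line%%:*}; ids=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$ids" ]; then
            echo "$1:$n: expected user:id[:id...]"; rc=1; continue
        fi
        old_ifs=$IFS; IFS=:
        for id in $ids; do
            is_modhex "$id" 12 || { echo "$1:$n: '$id' is not a 12-char modhex ID"; rc=1; }
        done
        IFS=$old_ifs
    done < "$1"
    return $rc
}

# sshd takes the FIRST value it sees for a keyword, and every line after a
# "Match" line is conditional on that Match, so a setting appended to the end
# of sshd_config can be silently ineffective. Keywords are case-insensitive.
sshd_effective_value() {  # sshd_effective_value FILE KEYWORD
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0      { next }
        tolower($1) == "match"     { in_match = 1 }
        in_match                   { next }
        tolower($1) == key         { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE: one line per required setting not in effect.
check_sshd_config() {
    rc=0
    for pair in ChallengeResponseAuthentication=yes PasswordAuthentication=no UsePAM=yes; do
        key=${pair%=*}; want=${pair#*=}
        got=$(sshd_effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected '$want'"; rc=1
        fi
    done
    return $rc
}

# Demo on constructed files; the IDs and the OTP are made up, not real keys.
preflight_demo() {
    dir=$(mktemp -d); problems=0
    cat > "$dir/authorized_yubikeys" <<'EOF'
# user:public-id[:public-id...]
alice:ccccccbchvth
bob:cccccccfhjrt:ccccccdhtejk
carol:notmodhex123
EOF
    cat > "$dir/sshd_config" <<'EOF'
PasswordAuthentication yes
UsePAM yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
EOF
    yubikey_public_id ccccccbchvthdnfitncvlihhkhtukciikjlndngclkvt
    check_authfile "$dir/authorized_yubikeys" || problems=$((problems + 1))
    check_sshd_config "$dir/sshd_config" || problems=$((problems + 1))
    rm -rf "$dir"
    return $problems
}

preflight_demo || echo "fix the problems above before restarting sshd"
```

Running it against the real files (`check_authfile /etc/ssh/authorized_yubikeys; check_sshd_config /etc/ssh/sshd_config`) flags the two mistakes the demo plants: a mapping entry that is not a modhex public ID, and a `PasswordAuthentication no` that is overridden by an earlier `yes`. With `required` in the PAM stack, a bad mapping entry locks that user out rather than falling back to a password, which is why the file is worth checking before the restart.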

@cnic023

cnic023 commented Aug 20, 2021

These instructions 'appear' to work, i.e. I can log in. However, I don't know if the yubikey authentication works. I thought there would be a risk if I adopted the 'required' option first, so I selected 'sufficient'. I can ssh in and get a user prompt. After that it asks for the yubikey. On activating that, it then asks for my password. I can then log in. There is no error message when I activate the yubikey and there is nothing in the auth log to suggest a problem, but how do I know if, perhaps, the yubikey authentication failed so I was then asked for my password? There were no other messages on login to give me a clue.
Can I set up a log, or perhaps you can suggest a solution (to what may not be a problem!)?

@cnic023

cnic023 commented Aug 20, 2021

Regarding my comment 1 hour ago about being unable to tell if the yubikey authentication had been successful, I now have a log file, but I can only upload a PDF because parts have to be changed for obvious security reasons.
