I like public key auth. I feel safer using them instead of a username and password login. But, I might not have my private key with me at a time where I need access.
I started using yubikey with LastPass and since I have it always on my keychain, I decided to find more ways to make use of it.
I wasn't originally aware, but if you pass a private key to ssh and sshd is configured to accept a key, it appears pam isn't used. Your authorized keys are checked and you are logged in. If you don't pass a private key, ssh falls back to the more standard un*x style login found in /etc/pam.d/sshd. This is where we'll add the yubikey pam. I am currently unaware of a way to use both public key auth and yubikey for login.
These steps worked for me on debian squeeze/wheezy.
more info at the yubico-pam github repo
There is plenty of good documentation out there for this. The gist is create a public/private key pair (hopefully using a passphrase), and storing the public key on the remote server in ~/.ssh/authorized_keys. Then when you ssh to the remote server, pass the private key with ssh -i keyfile_rsa or by configuring ~/.ssh/config to do so automatically.
libpam-yubico is not in the squeeze package repositories so if not using wheezy add wheezy sources to sources.list before installing: deb http://ftp.us.debian.org/debian/ testing main contrib non-free
aptitude update
aptitude install libpam-yubico
[trey|d3v ~]% apti libpam-yubico
The following NEW packages will be installed:
libpam-yubico libusb-1.0-0{a} libykclient3{a} libykpers-1-1{a} libyubikey0{a}
The following packages will be upgraded:
libpam0g
1 packages upgraded, 5 newly installed, 0 to remove and 340 not upgraded.
Need to get 307 kB of archives. After unpacking 463 kB will be used.
Do you want to continue? [Y/n/?]
Requirements are mostly contained, low risk pulling from wheezy for these. Reverting should be easy after removing wheezy source.
aptitude update
aptitude remove libpam-yubico libusb-1.0-0 libykclient3 libykpers-1-1 libyubikey0
If using squeeze, downgrade libpam0g by getting the versions using apt-cache show libpam0g or apt-cache policy libpam0g and then install what you want with aptitude install libpam0g=1.1.1-6.1+squeeze1 for example.
retrieve the yubikey token ID (aka public ID) for each yubikey you wish to use by looking at a OTP it ejaculates and remove the last 32 characters.
mkdir ~/.yubico && cd ~/.yubico
vi authorized_yubikeys
add line formatted as such:
#<user name>:<yubikey tokan ID>:<yubikey tokan ID>: ….
seamus:indvnvlcbdre:ldvglinuddek
Just a note, be careful! If this file gets moved or deleted you'll still be prompted for your yubikey, but you will be unable to login with it! It's just as important as having your ~/.ssh/authorized_keys file correctly in place.
add auth required pam_yubico.so id=16 debug to /etc/pam.d/sshd. PAM does things in order, so if you want to be prompted for yubikey before password, put the yubikey line above @include common-auth, otherwise put it just after. I put it after, the flow seems better this way.
# pertinent lines:
PubkeyAuthentication yes # allows login via private key (no password needed)
PasswordAuthentication yes # allows login via password if no private key is used
ChallengeResponseAuthentication yes # challenges user via PAM (yubikey + password)
restart ssh:
/etc/init.d/ssh restart
http://code.google.com/p/yubico-pam/wiki/YubikeyAndSSHViaPAM