yubikey OR private key ssh authentication on debian

the grand idea

I like public key auth. I feel safer using it than a username and password login. But I might not have my private key with me at a time when I need access.

I started using yubikey with LastPass and since I have it always on my keychain, I decided to find more ways to make use of it.

I wasn't originally aware of this, but if you pass a private key to ssh and sshd is configured to accept keys, PAM authentication isn't used: your authorized keys are checked and you are logged in. If you don't pass a private key, ssh falls back to the more standard un*x style login defined in /etc/pam.d/sshd. This is where we'll add the yubikey PAM module. I am currently unaware of a way to require both public key auth and a yubikey for login.

These steps worked for me on debian squeeze/wheezy.

more info at the yubico-pam github repo

setup private key login

There is plenty of good documentation out there for this. The gist is to create a public/private key pair (hopefully with a passphrase) and store the public key on the remote server in ~/.ssh/authorized_keys. Then, when you ssh to the remote server, pass the private key with ssh -i keyfile_rsa or configure ~/.ssh/config to do so automatically.

install libpam-yubico

libpam-yubico is not in the squeeze package repositories, so if you are not using wheezy, add the wheezy sources to sources.list before installing: deb http://ftp.us.debian.org/debian/ testing main contrib non-free

aptitude update
aptitude install libpam-yubico
[trey|d3v ~]% apti libpam-yubico
The following NEW packages will be installed:
  libpam-yubico libusb-1.0-0{a} libykclient3{a} libykpers-1-1{a} libyubikey0{a}
The following packages will be upgraded:
  libpam0g
1 packages upgraded, 5 newly installed, 0 to remove and 340 not upgraded.
Need to get 307 kB of archives. After unpacking 463 kB will be used.
Do you want to continue? [Y/n/?]

The dependencies are mostly self-contained, so pulling these from wheezy is low risk. Reverting should be easy after removing the wheezy source:

aptitude update
aptitude remove libpam-yubico libusb-1.0-0 libykclient3 libykpers-1-1 libyubikey0

If using squeeze, downgrade libpam0g as well: list the available versions with apt-cache show libpam0g or apt-cache policy libpam0g, then install the one you want, for example aptitude install libpam0g=1.1.1-6.1+squeeze1.

setup user yubikeys

retrieve the yubikey token ID (aka public ID) for each yubikey you wish to use by looking at an OTP it emits and removing the last 32 characters (an OTP is 44 modhex characters; the first 12 are the token ID).

mkdir ~/.yubico && cd ~/.yubico
vi authorized_yubikeys

add a line formatted as such:

#<user name>:<yubikey token ID>:<yubikey token ID>: ….
seamus:indvnvlcbdre:ldvglinuddek

Just a note, be careful! If this file gets moved or deleted you'll still be prompted for your yubikey, but you won't be able to log in with it! It's just as important as having your ~/.ssh/authorized_keys file correctly in place.
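The steps in this section as an added shell example (mine, not code from the gist or from yubico-pam): it derives the token ID from an OTP as described above, builds the authorized_yubikeys line, and checks that a given file really authorizes a user's token, which is the lockout caveat just noted. The OTPs are constructed sample values and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original gist: derive the 12-character token
# (public) ID from a 44-character YubiKey OTP and build/check the
# ~/.yubico/authorized_yubikeys line described above.

# Constructed sample OTPs: the token IDs from the gist plus a dummy
# 32-character modhex tail (a real tail would be the encrypted counter).
OTP1=indvnvlcbdrecbdefghijklnrtuvcbdefghijklnrtuv
OTP2=ldvglinuddekvutrnlkjihgfedbcvutrnlkjihgfedbc

# Print the token ID (first 12 characters) of an OTP; fail if the OTP is
# not exactly 44 modhex characters (modhex alphabet: cbdefghijklnrtuv).
yubikey_public_id() {
    otp=$1
    case $otp in
        ""|*[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#otp}" -eq 44 ] || return 1
    printf '%.12s\n' "$otp"
}

# Print the "<user>:<id>:<id>..." line for one or more OTPs; fail if any
# OTP is malformed so a bad ID never lands in the file.
authorized_yubikeys_line() {
    user=$1; shift
    line=$user
    for otp in "$@"; do
        id=$(yubikey_public_id "$otp") || return 1
        line="$line:$id"
    done
    printf '%s\n' "$line"
}

# Return 0 if FILE exists and grants USER the token ID, else 1. The gist
# warns that a missing or wrong file still prompts but never lets you in,
# so run this check before you log out of your current session.
yubikey_authorized() {
    file=$1 user=$2 id=$3
    [ -r "$file" ] || return 1
    awk -F: -v u="$user" -v k="$id" '
        !/^#/ && $1 == u { for (i = 2; i <= NF; i++) if ($i == k) found = 1 }
        END { exit !found }' "$file"
}
```

Source the file, write the line with `authorized_yubikeys_line seamus "$OTP1" "$OTP2" > ~/.yubico/authorized_yubikeys`, then confirm with `yubikey_authorized ~/.yubico/authorized_yubikeys seamus ldvglinuddek` before logging out.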

update sshd pam settings

add auth required pam_yubico.so id=16 debug to /etc/pam.d/sshd. PAM runs modules in order, so if you want to be prompted for the yubikey before the password, put the yubikey line above @include common-auth; otherwise put it just after. I put it after; the flow seems better this way.

update /etc/ssh/sshd_config

# pertinent lines:
PubkeyAuthentication yes             # allows login via private key (no password needed)
PasswordAuthentication yes           # allows login via password if no private key is used
ChallengeResponseAuthentication yes  # challenges user via PAM (yubikey + password) 

restart ssh: /etc/init.d/ssh restart
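An added pre-flight check (my example, not from the gist or from yubico-pam) for the PAM ordering and the three sshd_config keywords above, meant to be run before restarting ssh; the function names are my own and the file contents in the checks are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original gist: pre-flight checks on the
# /etc/pam.d/sshd and sshd_config settings described above, run before
# restarting ssh so a typo does not lock you out. Pass your real file
# paths as the arguments.

# Print "before", "after" or "missing": where the pam_yubico.so line sits
# relative to "@include common-auth" in a pam.d/sshd file. PAM runs the
# stack in order, so this is also the prompt order (yubikey vs password).
pam_yubico_position() {
    awk '
        /^[ \t]*#/ { next }
        /pam_yubico\.so/ && !yubi { yubi = NR }
        /@include[ \t]+common-auth/ && !auth { auth = NR }
        END {
            if (!yubi) print "missing"
            else if (!auth || yubi < auth) print "before"
            else print "after"
        }' "$1"
}

# Print the effective value of KEY in an sshd_config file. sshd keeps the
# first non-comment occurrence of a keyword and ignores later duplicates;
# keywords are case-insensitive. (Match blocks are not special-cased.)
sshd_config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Verify the three keywords the gist relies on are all "yes". Prints each
# mismatch; returns 1 if anything is wrong, 0 if the config is as expected.
check_sshd_yubikey_config() {
    rc=0
    for key in PubkeyAuthentication PasswordAuthentication \
               ChallengeResponseAuthentication; do
        val=$(sshd_config_value "$1" "$key")
        [ "$val" = yes ] || { echo "$key is '${val:-unset}', want yes"; rc=1; }
    done
    return "$rc"
}
```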

more info

http://code.google.com/p/yubico-pam/wiki/YubikeyAndSSHViaPAM

example yubikey login

[user|host1 ~]% ssh host2                                   
Password: 
Yubikey for `user': 
Linux host2 2.6.32-5-xen-amd64 #1 SMP Sun Sep 23 13:49:30 UTC 2012 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar  6 23:02:45 2013 from 192.168.0.45
[user|host2 ~]% 

example private key login

[user|host1 ~]% ssh host2 -i .ssh/host2_rsa     
Enter passphrase for key '.ssh/host2_rsa': 
Linux host2 2.6.32-5-xen-amd64 #1 SMP Sun Sep 23 13:49:30 UTC 2012 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar  6 23:04:45 2013 from 192.168.0.45
[user|host2 ~]% 
@yjeanrenaud


commented Jul 10, 2014

cool and works pretty well. But how can I prevent all users being asked for a yubikey OTP even if they have no authorized_yubikeys file and no private key?

@sebastien-bartoli


commented Jul 17, 2014

I'm also interested in that. What if I want only one or a few users to be prompted for yubikey (like root or other administrator users)?
As of now, it's asking every user, even those without a yubikey assigned to them. It's annoying and unusable.

@mig5


commented Jul 22, 2014

You should look at running OpenSSH 6.6 from Wheezy backports, which has better support for 2-factor auth.

Then you can put something like this:

AuthenticationMethods publickey,password (require both SSH key and Password+Yubikey, thus 3-factor auth)

And for users who don't have a Yubikey, something like this:

Match Group noyubikeys
        PasswordAuthentication yes (or enforce SSH-key auth only by saying 'no' here)
        AuthenticationMethods publickey

Or, depending on your need, invert this logic so that only a couple of users have AuthenticationMethods publickey,password, and everyone else uses the traditional approach.

@tr3buchet

Owner Author

commented Feb 25, 2015

Configuring it directly with OpenSSH sounds awesome. Also @mig5, ssh key and password and yubikey is still only 2 factor auth.
