Post

SSH two factor auth with Yubikey + SSH key

Posted
By Steven Haigh
2 min read

I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by the way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and a OTP generated by the YubiKey.

I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

#%PAM-1.0
auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example:

1
2

root:abcdabcdabcd
myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

 RequiredAuthentications[12]
         Specifies required methods of authentications that has to succeed before authorizing the connec-
         tion.  (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

             RequiredAuthentications1 method[,method...]
             RequiredAuthentications2 method[,method...]

         Example 1:

             RequiredAuthentications2 password,hostbased

         Example 2:

             RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go :)

Oh, and just because it isn’t 100% obvious, the login details will now be: Username: <yourusername> Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key….

EDIT: There is a bug in the Match parsing for RequiredAutentications2. See my report.

Linux Security
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.