Post

Two factor SSH auth with Yubikeys

A while ago I wrote about how to do this exact thing but with an older version of openssh.

If you’re running a newer version of SSH, then the command syntax has been updated somewhat.

Firstly, once you’ve got your yubikey, you’ll need to enable EPEL for EL6/7 and install the pam_yubico package.

You’ll then need to modify the sshd pam file /etc/pam.d/sshd. There are two options here.

1) You require just the OTP; or

2) You want the OTP and a password.

If you want just the OTP, you add this just after the #%PAM-1.0 header:

1
auth       sufficient   pam_yubico.so id=16 authfile=/etc/yubikey_mappings

If you want both password AND OTP, you add this:

1
auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings

Now to create the /etc/yubikey_mappings user to key mapping. The README says:

1
2
3
4
5
6
7
8
9
10
Create a /etc/yubikey_mappings, the file must contain a user name and the
Yubikey token ID separated by colons (same format as the passwd file) for
each user you want to allow onto the system using a Yubikey.

The mappings should look like this, one per line:

------
   first user name:yubikey token ID1:yubikey token ID2:….
   second user name:yubikey token ID3:yubikey token ID4:….
------

Now, if you want to go further and require both a ssh key AND an OTP, you can add the following to /etc/ssh/sshd_config:

1
AuthenticationMethods publickey,password

Now after you supply a valid ssh key you will be asked for your password. If you’ve set this up correctly, this will either be your password + OTP or just OTP.

Enjoy!

Update 21/Jun/2015

One common question I get is how they can allow access without a yubikey while in the office, but force its usage outside of the office. This has a couple of parts - mainly, you’ll probably want to use a public key from inside, but force say a publickey + yubikey outside.

We do this by using a Match block in /etc/ssh/sshd_config as follows:

1
2
3
4
AuthenticationMethods publickey,keyboard-interactive

Match Address 10.1.1.0/24
        AuthenticationMethods publickey

In this method, we set that EVERYONE must use a public key and a keyboard-interactive method to authenticate, then we allow exceptions for small address spaces that we trust. I also recommend making the following changes:

1
2
PasswordAuthentication no
ChallengeResponseAuthentication yes

This disallows skipping the yubikey auth and just using a password. Although, now we’re using PAM as the auth source, you can still use a password via PAM - so we need to disable this in /etc/pam.d/sshd:

1
2
#auth       substack     password-auth
#password   include      password-auth

Hope this helps.

This post is licensed under CC BY 4.0 by the author.