I got myself a Yubikey a few weeks ago – and I really like what I see. It allows you to use two factor authentication by the way of a one time password (OTP) generated by the YubiKey.
So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and a OTP generated by the YubiKey.
I spent a lot of time hacking around with using SSH and ForceCommand – but it breaks scp – which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.
- Install and enable the epel repository
- Install the pam_yubico package
Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so:
auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example:
Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:
Specifies required methods of authentications that has to succeed before authorizing the connec-
tion. (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config:
Restart the sshd server using service sshd restart and you should be good to go 🙂
Oh, and just because it isn’t 100% obvious, the login details will now be:
Password: <yourpassword><press the YubiKey button>
It goes without saying that you will also need a working SSH key….
EDIT: There is a bug in the Match parsing for RequiredAutentications2. See my report.