SSH two factor auth with Yubikey + SSH key



I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by the way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and a OTP generated by the YubiKey.

I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

    Get yourself a YubiKey
    Install and enable the epel repository
    Install the pam_yubico package

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so: #%PAM-1.0 auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth

pam_selinux.so close should be the first session rule

session required pam_selinux.so close session required pam_loginuid.so

pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth

Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example: root:abcdabcdabcd myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

RequiredAuthentications[12] Specifies required methods of authentications that has to succeed before authorizing the connec- tion. (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2) RequiredAuthentications1 method[,method...] RequiredAuthentications2 method[,method...] Example 1: RequiredAuthentications2 password,hostbased Example 2: RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go :)

Oh, and just because it isn't 100% obvious, the login details will now be: Username: <yourusername> Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key....

EDIT: There is a bug in the Match parsing for RequiredAutentications2. See my report.

Comments


Comments powered by Disqus