SSH two factor auth with Yubikey + SSH key

I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by the way of a one time password (OTP) generated by the YubiKey. So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and a OTP generated by the YubiKey. I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication. To configure:

    Get yourself a YubiKey
    Install and enable the epel repository
    Install the pam_yubico package
Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so: #%PAM-1.0 auth required id=16 authfile=/etc/yubikey_mappings auth required auth include password-auth account required account include password-auth password include password-auth # close should be the first session rule session required close session required # open should only be followed by sessions to be executed in the user context session required open env_params session optional force revoke session include password-auth Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example: root:abcdabcdabcd myuser:dcbadcbadcba Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:
RequiredAuthentications[12] Specifies required methods of authentications that has to succeed before authorizing the connec- tion. (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2) RequiredAuthentications1 method[,method...] RequiredAuthentications2 method[,method...] Example 1: RequiredAuthentications2 password,hostbased Example 2: RequiredAuthentications2 publickey,password
As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config: RequiredAuthentications2 publickey,password Restart the sshd server using service sshd restart and you should be good to go :) Oh, and just because it isn't 100% obvious, the login details will now be: Username: <yourusername> Password: <yourpassword><press the YubiKey button> It goes without saying that you will also need a working SSH key.... EDIT: There is a bug in the Match parsing for RequiredAutentications2. See my report.


Comments powered by Disqus