SSH two factor auth with Yubikey + SSH key

I got myself a YubiKey a few weeks ago – and I really like what I see. It allows you to use two-factor authentication by way of a one-time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and an OTP generated by the YubiKey.

I spent a lot of time hacking around with SSH and ForceCommand – but it breaks scp – which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

    Get yourself a YubiKey
    Install and enable the epel repository
    Install the pam_yubico package

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so:
auth required pam_yubico.so id=16 authfile=/etc/yubikey_mappings
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Now we create /etc/yubikey_mappings and list your yubikey users along with their key ID. For example:

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

Specifies required methods of authentications that has to succeed before authorizing the connection. (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)

RequiredAuthentications1 method[,method…]
RequiredAuthentications2 method[,method…]

Example 1:

RequiredAuthentications2 password,hostbased

Example 2:

RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config:
RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go 🙂

Oh, and just because it isn’t 100% obvious, the login details will now be:
Username: <yourusername>
Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key….
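
The three pieces configured above can be checked with a short shell function. This is an added example, not code from the original post: `check_yubikey_2fa` is a hypothetical name, the default paths are the ones used in the post, and the mappings format (`user:id[:id...]` with 12-character modhex public IDs, pam_yubico's default) is an assumption.

```sh
#!/bin/sh
# Added example: audit the three files the post edits. Paths default to the
# post's; the mappings format (user:id[:id...], 12 modhex chars) is assumed.
check_yubikey_2fa() {
    pam=${1:-/etc/pam.d/sshd}
    sshd=${2:-/etc/ssh/sshd_config}
    map=${3:-/etc/yubikey_mappings}
    rc=0

    # 1. pam_yubico must be a *required* auth rule that reads our mappings file.
    awk -v want="authfile=$map" '
        $1 == "auth" && $2 == "required" && $3 == "pam_yubico.so" {
            for (i = 4; i <= NF; i++) if ($i == want) ok = 1
        }
        END { exit !ok }' "$pam" ||
        { echo "FAIL: $pam: no 'auth required pam_yubico.so ... authfile=$map'"; rc=1; }

    # 2. Both methods must be demanded globally. This check stops at the first
    #    Match line: a Match-only setting leaves other users on one factor.
    methods=$(awk 'tolower($1) == "match" { exit }
        tolower($1) == "requiredauthentications2" { print $2; exit }' "$sshd")
    for m in publickey password; do
        case ",$methods," in
            *",$m,"*) ;;
            *) echo "FAIL: $sshd: global RequiredAuthentications2 lacks $m"; rc=1 ;;
        esac
    done

    # 3. Every mapping line must be user:id[:id...] with modhex public IDs.
    if [ ! -s "$map" ]; then
        echo "FAIL: $map is missing or empty"; rc=1
    else
        bad=$(grep -Ev '^[[:space:]]*(#.*)?$' "$map" |
              grep -Evc '^[^:[:space:]]+(:[cbdefghijklnrtuv]{12})+$' || true)
        [ "$bad" -eq 0 ] || { echo "FAIL: $map: $bad malformed line(s)"; rc=1; }
    fi
    return "$rc"
}

# Audit the live files only when asked: sh audit.sh run
[ "${1:-}" != run ] || check_yubikey_2fa
```

The function returns 0 only when all three checks pass, so it can gate a configuration-management run before sshd is restarted.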

EDIT: There is a bug in the Match parsing for RequiredAuthentications2. See my report.
