SSH two factor auth with Yubikey + SSH key

I got myself a Yubikey a few weeks ago - and I really like what I see. It allows you to use two factor authentication by way of a one time password (OTP) generated by the YubiKey.

So, I wanted to beef up security on my critical servers by requiring BOTH an SSH key and an OTP generated by the YubiKey.

I spent a lot of time hacking around with using SSH and ForceCommand - but it breaks scp - which I use quite a lot. Today I found the answer. This will only work on EL6.3 (CentOS, Scientific Linux and RHEL 6.3) and is a much bigger improvement in authentication.

To configure:

    Get yourself a YubiKey
    Install and enable the epel repository
    Install the pam_yubico package

Now, we want to add the authentication method to PAM. Edit /etc/pam.d/sshd and make it look like so (the module names below are those of the stock EL6 sshd PAM file, with pam_yubico.so added as the first auth rule):

    #%PAM-1.0
    auth       required     pam_yubico.so id=16 authfile=/etc/yubikey_mappings
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth

Now we create /etc/yubikey_mappings and list your YubiKey users along with their key ID (the 12-character public ID that begins every OTP the key emits), one user per line. For example:

    root:abcdabcdabcd
    myuser:dcbadcbadcba

Then onto the SSH config. EL6.3 adds a new configuration option. The documentation shows:

    RequiredAuthentications[12]
            Specifies required methods of authentications that has to succeed before authorizing the connection.
            (RequiredAuthentication1 for Protocol version 1, and RequiredAuthentication2 for v2)
            RequiredAuthentications1 method[,method...]
            RequiredAuthentications2 method[,method...]
            Example 1: RequiredAuthentications2 password,hostbased
            Example 2: RequiredAuthentications2 publickey,password

As we want to auth using a public key AND a password, we can use the following in /etc/ssh/sshd_config:

    RequiredAuthentications2 publickey,password

Restart the sshd server using service sshd restart and you should be good to go :)

Oh, and just because it isn't 100% obvious, the login details will now be:

    Username: <yourusername>
    Password: <yourpassword><press the YubiKey button>

It goes without saying that you will also need a working SSH key....

EDIT: There is a bug in the Match parsing for RequiredAuthentications2. See my report.


Comments powered by Disqus