andreibosco/yubikey-server.md

Last active October 25, 2022 10:09

Star (4) You must be signed in to star a gist
Fork (0) You must be signed in to fork a gist

Select an option

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/andreibosco/9000b67a6d4b8df70acf838327d523d4.js"></script>
Save andreibosco/9000b67a6d4b8df70acf838327d523d4 to your computer and use it in GitHub Desktop.

Download ZIP

Configure linux ssh to use yubikey authentication

Raw

yubikey-server.md

How set up a server for YubiKey authentication

These steps were made for Ubuntu 20.04 LTS and tested with a Yubikey 5 NFC.

Based on:

Steps

Register for an API key here, by entering your email address and touching the button on your YubiKey. Keep the Client ID and Secret Key returned by the website.

Install required packages:

sudo add-apt-repository ppa:yubico/stable
sudo apt-get update
sudo apt-get install libpam-yubico

Create a mapping file: sudo touch /etc/ssh/authorized_yubikeys
Populate this file with the usernames for which you want to enable two-factor authentication and their YubiKey IDs. You can obtain the ID by opening a text editor and touching the button on the YubiKey, and selecting only the first 12 characters. The first line below would be a typical configuration. The subsequent lines show a configuration where users user2, user3, and user4 use multiple YubiKeys and plan to access the server with all of them.
```
# example
user1:vvklhtiubdcu
user2:ccurrufnjder:ccturefjtehv:cctbhunjimko
```
Add auth required pam_yubico.so id=<client id> key=<secret key> authfile=/etc/ssh/authorized_yubikeys to the start of /etc/pam.d/sshd. Replace <client id> with the ID you retrieved when applying for an API key, and <secret key> with the secret key. If you only want single-factor authentication (either a YubiKey or a password), change required to sufficient to tell the system that a valid YubiKey will be enough to log in.
```
# PAM configuration for the Secure Shell service

# Yubikey authentication
auth required pam_yubico.so id=client id key=secret key authfile=/etc/ssh/authorized_yubikeys

# Standard Un*x authentication.
@include common-auth
...
```

In /etc/ssh/sshd_config, add or edit the following settings:

ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

Restart ssh daemon: sudo systemctl restart sshd

cnic023 commented Aug 20, 2021

Regarding my comment 1 hour ago about being unable to tell if the yubikey authentication had been successful, I now have a log file but I can only upload a PDF because part have to be changed for obvious security reasons

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment