Yubikey two factor authentication for ssh

After my successful sudo test I was interested in 2FA for ssh. As a system administrator you are always concerned about secure login for yourself and your team.

SSH 2FA via yubikey is also pretty straightforward. It needs a bit more work than the sudo case, but here we go.

Install dependent packages

If it's not done yet, we have to add the yubico repository:

sudo add-apt-repository ppa:yubico/stable

After that we can easily install libpam-yubico:

apt-get update
# Install package
apt-get install libpam-yubico


To get yubikey and ssh login working we need a configuration file which maps each user to the public id of their yubikey.

To get it working I created the mappings file /etc/yubikey_mappings with the following format (one line per user: the user name, then the KEY of each yubikey, separated by colons):

cat /etc/yubikey_mappings

You can add multiple yubikeys for one user by separating them with :.

To get the KEY, insert your yubikey, touch the metal contact and take the first 12 characters of the OTP it types. That prefix is the key's public id and stays the same for every OTP, so it is what goes into the mappings file.
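The following helpers are an added example, not code from the original post or from pam_yubico itself. They assume the mappings file format described above (user:KEY:KEY..., each KEY being the 12-character modhex public id of one yubikey): mapping_line builds a line from the OTPs a key types, and check_mapping_file validates an existing file so a typo does not silently lock a user out or map the wrong key. The OTP in the usage comment is a constructed sample, not a real key's output.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for the pam_yubico
# mappings file.  Assumes the authfile format "user:KEY1:KEY2:...", where
# each KEY is the 12-character modhex public id of one YubiKey (the first
# 12 characters of the OTP the key types).

# Print the public id of a YubiKey OTP, or fail if the argument is not a
# 44-character modhex string (modhex is the only alphabet a YubiKey OTP uses).
yubikey_public_id() {
    otp=$1
    case "$otp" in
        ""|*[!cbdefghijklnrtuv]*) echo "not a YubiKey OTP: $otp" >&2; return 1 ;;
    esac
    [ ${#otp} -eq 44 ] || { echo "OTP must be 44 characters, got ${#otp}" >&2; return 1; }
    printf '%s\n' "$otp" | cut -c1-12
}

# Build the mappings line for USER from one or more OTPs: touch the key once
# per OTP and pass what it typed.
# Usage (constructed sample OTP):
#   mapping_line alice ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded
#   -> alice:ccccccbcgujh
mapping_line() {
    user=$1; shift
    [ $# -ge 1 ] || { echo "usage: mapping_line USER OTP..." >&2; return 1; }
    line=$user
    for otp in "$@"; do
        id=$(yubikey_public_id "$otp") || return 1
        line="$line:$id"
    done
    printf '%s\n' "$line"
}

# Validate every line of a mappings file as "user:KEY[:KEY...]".  Blank lines
# are skipped; the first malformed line is reported and the function fails.
check_mapping_file() {
    file=$1
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -n "$line" ] || continue
        user=${line%%:*}
        keys=${line#*:}
        if [ -z "$user" ] || [ "$keys" = "$line" ] || [ -z "$keys" ]; then
            echo "$file:$lineno: expected user:KEY[:KEY...]: $line" >&2
            return 1
        fi
        case ":$keys:" in *::*)
            echo "$file:$lineno: empty KEY field: $line" >&2; return 1 ;;
        esac
        # Split the key list on ':' without disturbing IFS for the rest of the loop.
        oldifs=$IFS; IFS=:
        set -- $keys
        IFS=$oldifs
        for key in "$@"; do
            case "$key" in *[!cbdefghijklnrtuv]*)
                echo "$file:$lineno: '$key' is not modhex" >&2; return 1 ;;
            esac
            [ ${#key} -eq 12 ] || { echo "$file:$lineno: '$key' is not 12 characters" >&2; return 1; }
        done
    done < "$file"
}
```

Run check_mapping_file /etc/yubikey_mappings after every edit; it only checks shape, so a syntactically valid line that names the wrong key is still caught only by an actual login test.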

Set up PAM for sshd

To get PAM authentication working with the yubikey we have to edit /etc/pam.d/sshd. I placed the following after @include common-password:

auth required /lib/security/pam_yubico.so id=ID authfile=/etc/yubikey_mappings debug nullok

ID is the client id you receive when generating a yubikey API key, which can be done on Yubico's API key page.

Two of the options deserve a second look once everything works: nullok means a user who has no entry in the mappings file is not asked for a yubikey at all, so it should only stay if you deliberately want some accounts without a second factor, and debug prints verbose diagnostics that you will not want in production. If PAM cannot find the module at that path, the bare name pam_yubico.so lets PAM search its default module directory.

SSH configuration

To get ssh working with the yubikey I did the following in my /etc/ssh/sshd_config:

# add:
AuthenticationMethods keyboard-interactive publickey,keyboard-interactive

# set ChallengeResponseAuthentication to yes
ChallengeResponseAuthentication yes

# Enable pam
UsePAM yes

Finally, restart the ssh daemon: systemctl restart sshd

That's it. Now we can log in via ssh with public key and yubikey, or with password and yubikey.
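As an added example (not part of the original post), here is a small check for the three sshd_config settings above. The point it makes explicit is that AuthenticationMethods is a list of alternatives: every space-separated alternative must contain keyboard-interactive, because an alternative without it lets a client complete login without ever reaching PAM and the yubikey prompt. It assumes plain "Keyword value" lines with no Match blocks and, like sshd, takes the first occurrence of a keyword as the effective one.

```shell
#!/bin/sh
# Added example, not from the original post: check an sshd_config for the
# three settings the post adds.  Assumes plain "Keyword value" lines with no
# Match blocks; like sshd, the first occurrence of a keyword wins.

# Print the value of KEYWORD in FILE (case-insensitive keyword, first match,
# commented-out lines ignored because their first field starts with '#').
sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Fail unless UsePAM and ChallengeResponseAuthentication are "yes" and every
# alternative in AuthenticationMethods includes keyboard-interactive.  Any
# alternative without it would let a client authenticate without the PAM
# (YubiKey) step.  Usage: check_sshd_2fa /etc/ssh/sshd_config
check_sshd_2fa() {
    file=$1
    status=0
    for opt in UsePAM ChallengeResponseAuthentication; do
        value=$(sshd_option "$file" "$opt" | tr 'A-Z' 'a-z')
        [ "$value" = "yes" ] || { echo "$opt is '$value', expected yes" >&2; status=1; }
    done
    methods=$(sshd_option "$file" AuthenticationMethods)
    [ -n "$methods" ] || { echo "AuthenticationMethods is not set" >&2; return 1; }
    for alt in $methods; do
        # "keyboard-interactive:pam" is also accepted by sshd, hence the second pattern.
        case ",$alt," in
            *,keyboard-interactive,*|*,keyboard-interactive:*) ;;
            *) echo "method list '$alt' has no keyboard-interactive step" >&2; status=1 ;;
        esac
    done
    return $status
}
```

Run it before restarting sshd; the shape check is cheap, but keep a second session open while restarting so a mistake in the PAM stack cannot lock you out.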


In case you want to use this 2FA behind a firewall, you have to allow libpam-yubico to reach Yubico's servers: the authentication described above only works while the module can call home to validate each OTP. Therefore you have to open your firewall on port 443 to the following IPs: