With a YubiKey you can protect access to computers, networks, and online services.
YubiKey 5 Series eliminates account takeovers by providing strong phishing defense using multi-protocol capabilities that can secure legacy and modern systems. It provides a range of authentication choices including strong two-factor, multi-factor and passwordless authentication, and seamless touch-to-sign.
To use a YubiKey as a second factor (2FA) for SSH connections to a server, you first need to prepare the server.
Install the YubiKey software:
# yum install pam_yubico -y
Configuration:
Add in /etc/pam.d/sudo:
auth sufficient pam_yubico.so id=your_id debug debug_file=/var/log/pam-debug.log authfile=/etc/yubikey_mappings
Replace your_id with your own client ID, generated by Yubico at https://upgrade.yubico.com/getapikey/
Create the debug log file named in debug_file in advance:
# touch /var/log/pam-debug.log
# chmod go+w /var/log/pam-debug.log
To create a central authorization mapping, add the following to the file /etc/yubikey_mappings:
user:yubikey_token_id
Edit /etc/ssh/sshd_config so that it contains the following 3 lines:
AuthenticationMethods publickey,keyboard-interactive
UsePAM yes
ChallengeResponseAuthentication yes
After this, restart the SSH service and 2FA will work.
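The yubikey_token_id used in /etc/yubikey_mappings is the first 12 characters of any OTP the key emits. The script below is an added example, not part of the original page: it derives that ID from an OTP, lints a mapping file and checks whether a key is mapped to a user. The function names and sample values are constructed, and it assumes factory-default 44-character OTPs.

```sh
#!/bin/sh
# Added example (not from the original page): helpers for /etc/yubikey_mappings.
# Assumption: factory-default Yubico OTPs, i.e. 44 modhex characters whose
# first 12 are the key's public ID, the token ID that pam_yubico matches on.
MODHEX='cbdefghijklnrtuv'

# Print the 12-character token ID of an OTP; fail on a malformed OTP.
token_id_from_otp() {
    printf '%s\n' "$1" | grep -Eq "^[$MODHEX]{44}\$" || return 1
    printf '%.12s\n' "$1"
}

# Print the line numbers of malformed entries; return 1 if there are any.
# Valid: user:id[:id...] with 12-character IDs, a # comment, or a blank line.
lint_mappings() {
    ! grep -Evn "^(#.*|[^:[:space:]]+(:[$MODHEX]{12})+)?\$" "$1" |
        cut -d: -f1 | grep .
}

# Succeed if the OTP's token ID is listed for the user (args: file user otp).
otp_mapped_to_user() {
    wanted_id=$(token_id_from_otp "$3") || return 2
    awk -F: -v u="$2" -v id="$wanted_id" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == id) found = 1 }
        END { exit !found }' "$1"
}

# Constructed sample data: a made-up OTP and a mapping file with one bad line
# (carol's entry holds a whole OTP instead of the 12-character token ID).
SAMPLE_OTP='ccccccbdefghcbdefghijklnrtuvcbdefghijklnrtuv'
SAMPLE_MAP=$(mktemp)
trap 'rm -f "$SAMPLE_MAP"' EXIT
cat > "$SAMPLE_MAP" <<EOF
# user:token_id[:token_id...]
alice:$(token_id_from_otp "$SAMPLE_OTP")
bob:ccccccijklnr:ccccccrtuvcb
carol:$SAMPLE_OTP
EOF

echo "token id: $(token_id_from_otp "$SAMPLE_OTP")"
echo "malformed lines: $(lint_mappings "$SAMPLE_MAP" | tr '\n' ' ')"
otp_mapped_to_user "$SAMPLE_MAP" alice "$SAMPLE_OTP" && echo "alice: mapped"
```

On a real server, pass /etc/yubikey_mappings to lint_mappings before restarting sshd, so a malformed entry is caught while an existing session is still open.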