After my successful sudo test I was interested in 2FA for SSH. As a system administrator you are always concerned about securing the logins of yourself and your team.
SSH 2FA via YubiKey is also pretty straightforward. It needs a bit more work than the sudo case, but here we go.
Install dependent packages
If it has not been done yet, we have to add the Yubico repository:
sudo add-apt-repository ppa:yubico/stable
After that we can easily install it:

apt-get update
# Install package
apt-get install libpam-yubico
To get YubiKey and SSH login working we need a configuration file that maps each user to their YubiKey key(s).
To get it working I created a mapping file /etc/yubikey_mappings with the following format:

cat /etc/yubikey_mappings
USER1:KEY1:KEY2
USER2:KEY1

You can add multiple YubiKeys for one user by separating them with a colon.
To get the KEY, insert your YubiKey, touch the metal contact and take the first 12 characters of the OTP it types (the key's public ID).
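The following shell script is an added example and not code from the original post or from the libpam-yubico project. It shows the two things the mapping step relies on: extracting the 12-character public ID from a full OTP, and validating that a mapping file really has the USER:KEY[:KEY...] shape with modhex keys before pam_yubico reads it. It assumes the default YubiKey OTP layout (44 modhex characters, of which the first 12 are the public ID); the sample file and OTP are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the mapping
# file format above. Assumes lines of the form USER:KEY[:KEY...] where each
# KEY is a 12-character modhex public ID (default YubiKey OTP: 44 modhex
# characters, 12 public ID + 32 that change on every press).
# Modhex alphabet: c b d e f g h i j k l n r t u v

# Print the public ID (first 12 characters) of a full OTP, or fail if the
# argument is not a 44-character modhex string.
yubikey_public_id() {
  otp=$1
  case $otp in
    "" | *[!cbdefghijklnrtuv]*) return 1 ;;
  esac
  [ "${#otp}" -eq 44 ] || return 1
  printf '%s\n' "$otp" | cut -c1-12
}

# Validate a mapping file: every non-comment line must be USER:KEY[:KEY...]
# with each KEY a 12-character modhex string. Reports each bad line on
# stderr and returns 1 if anything is wrong, 0 if the file is clean.
check_yubikey_mappings() {
  file=$1
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in "" | "#"*) continue ;; esac
    user=${line%%:*}
    keys=${line#*:}
    if [ -z "$user" ] || [ "$keys" = "$line" ] || [ -z "$keys" ]; then
      echo "bad line (need USER:KEY): $line" >&2
      status=1
      continue
    fi
    old_ifs=$IFS
    IFS=:
    for key in $keys; do
      case $key in
        ????????????)
          case $key in
            *[!cbdefghijklnrtuv]*) echo "bad key for $user: $key" >&2; status=1 ;;
          esac ;;
        *) echo "bad key for $user (need 12 modhex chars): $key" >&2; status=1 ;;
      esac
    done
    IFS=$old_ifs
  done < "$file"
  return "$status"
}

# Constructed sample mapping file; the public IDs below are made up.
SAMPLE_MAP=$(mktemp)
cat > "$SAMPLE_MAP" <<'EOF'
# user:public-id[:public-id...]
alice:ccccccbcgujh:cccccccdefgh
bob:cccccccbcdef
EOF

# Usage: extract the public ID from a constructed OTP, then check the file.
yubikey_public_id ccccccbcgujhvvttdrbfijnjvjjehcillkeenvhgdvte
check_yubikey_mappings "$SAMPLE_MAP" && echo "$SAMPLE_MAP: mapping file OK"
```

Run the validator against /etc/yubikey_mappings after every edit; a malformed entry silently fails to match, and with nullok set on the PAM line that failure is indistinguishable from "no key registered".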
Set up PAM for sshd
To get PAM authentication working with the YubiKey we have to edit /etc/pam.d/sshd. I placed the following line after

auth required /lib/security/pam_yubico.so id=ID authfile=/etc/yubikey_mappings debug nullok

ID is the Yubico API client ID, which can be generated here.
To get SSH working with the YubiKey I did the following in my sshd configuration:

# add:
AuthenticationMethods keyboard-interactive publickey,keyboard-interactive
# set ChallengeResponseAuthentication to yes
ChallengeResponseAuthentication yes
# Enable PAM
UsePAM yes

Finally we have to restart the SSH daemon:

systemctl restart sshd
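Before restarting sshd it is worth checking that the two files actually say what the steps above require, so a typo does not lock you out. The script below is an added example, not code from the original post: it reads an sshd_config-style file and a PAM service file, confirms the three sshd settings, confirms the pam_yubico line is present, and flags the two options on that line that a practitioner should not leave in place unintentionally (nullok lets users without a mapping entry skip the YubiKey check; debug is only for troubleshooting). The sample files are constructed copies of the snippets in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks to run before
# "systemctl restart sshd". Reads the files as written; the paths in the
# usage line are the ones the post uses.

# Print the effective value of a keyword from an sshd_config-style file
# (first match wins, as in sshd; keywords are case-insensitive).
sshd_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    { k = tolower($1)
      if (k == key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit } }
  ' "$1"
}

# Verify the three settings the post relies on. Returns 1 if any is off.
check_sshd_config() {
  f=$1
  rc=0
  [ "$(sshd_value "$f" UsePAM)" = "yes" ] || { echo "UsePAM is not yes" >&2; rc=1; }
  [ "$(sshd_value "$f" ChallengeResponseAuthentication)" = "yes" ] \
    || { echo "ChallengeResponseAuthentication is not yes" >&2; rc=1; }
  case " $(sshd_value "$f" AuthenticationMethods) " in
    *keyboard-interactive*) ;;
    *) echo "AuthenticationMethods does not include keyboard-interactive" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Inspect the pam_yubico auth line in a PAM service file.
# Returns 1 if it is missing. Warns (on stderr) about:
#   nullok -> users with no entry in the mapping file skip the YubiKey check
#   debug  -> verbose logging, fine while testing, not for production
check_pam_yubico() {
  f=$1
  line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$f" | head -n 1)
  [ -n "$line" ] || { echo "no pam_yubico.so auth line in $f" >&2; return 1; }
  case $line in *required*|*requisite*) ;;
    *) echo "warning: pam_yubico.so is not 'required' in $f" >&2 ;; esac
  case $line in *nullok*)
    echo "warning: nullok set, users without a mapping entry bypass the YubiKey" >&2 ;; esac
  case $line in *debug*) echo "warning: debug still enabled" >&2 ;; esac
  return 0
}

# Run both checks; returns non-zero if either hard check fails.
precheck() {
  check_sshd_config "$1" && check_pam_yubico "$2"
}

# Constructed samples mirroring the snippets in the post.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# constructed sample of the sshd settings from the post
AuthenticationMethods keyboard-interactive publickey,keyboard-interactive
ChallengeResponseAuthentication yes
UsePAM yes
EOF
SAMPLE_PAM=$(mktemp)
cat > "$SAMPLE_PAM" <<'EOF'
# constructed sample /etc/pam.d/sshd fragment
auth required /lib/security/pam_yubico.so id=ID authfile=/etc/yubikey_mappings debug nullok
EOF

# Usage against the samples; on a real host run:
#   precheck /etc/ssh/sshd_config /etc/pam.d/sshd
precheck "$SAMPLE_SSHD" "$SAMPLE_PAM" && echo "checks passed (see warnings above)"
```

Pair this with sshd's own syntax test, sshd -t, and keep an existing SSH session open while restarting so you can still revert the change if the new login path does not work.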
That's it. Now we are able to log in via SSH with public key plus YubiKey, or with password plus YubiKey.
In case you want to use this 2FA behind a firewall, you have to allow the host to reach Yubico's servers. The authentication described above only works when libpam-yubico is able to call home. Therefore you have to open your firewall on port 443 to the following IPs:

126.96.36.199
188.8.131.52
184.108.40.206
220.127.116.11
18.104.22.168
22.214.171.124