Goal: Using the YubiKey for SSH login as a second factor - 2FA.
Set up a VM (for example on DigitalOcean) where you are able to log in with your SSH key.
Generate an API key from Yubico
Client ID and the
Prepare the SSH server
All the following commands have to be executed/configured on the SSH Server.
If you are not working as root, add the sudo command in front of the commands.
If you want to use another user than root for the SSH login, replace root with your specific username.
Add required libraries
add-apt-repository ppa:yubico/stable
apt-get update
apt-get install libpam-yubico
Update PAM settings
Replace Client ID and Secret key with the right values.
vi /etc/pam.d/sshd
# Add in the first line
auth required pam_yubico.so id=[Client ID] key=[Secret key] debug authfile=/etc/yubikey_mappings mode=client
# Comment this line out. We do not want password login as fallback.
#@include common-auth
Get the YubiKey OTP password. To receive the OTP password, simply touch the YubiKey while an editor or the terminal is active. It will print out a set of characters. Copy the first twelve characters.
Create a new file
vi /etc/yubikey_mappings
# Adding the user and the first 12 characters of the Yubikey OTP
root:[12 first OTP characters]
user1:[...]
Enable public key and PAM authentication
vi /etc/ssh/sshd_config
# Enable or add following setting
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam
UsePAM yes
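An added example (not part of the original post): a POSIX shell pre-flight check for the three files edited above, meant to be run on the SSH server before sshd is restarted. It assumes the default 44-character modhex Yubico OTP; the function names and the sample OTP are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the files edited in this guide.
# Assumption: default Yubico OTP layout, 44 modhex characters whose first
# 12 are the token's public ID (the value stored in the mapping file).
MODHEX='cbdefghijklnrtuv'   # the 16 characters a YubiKey types
# Constructed sample OTP, not taken from a real key.
SAMPLE_OTP='ccccccdefghijklnrtuvcbdefghijklnrtuvcbdefghi'

# Print the public ID of an OTP; fail if it is not 44 modhex characters.
otp_public_id() {
    printf '%s\n' "$1" | grep -Eqx "[$MODHEX]{44}" ||
        { echo "not a 44-character modhex OTP" >&2; return 1; }
    printf '%s\n' "$1" | cut -c1-12
}

# Mapping file: each entry must be user:id[:id...] with 12-character IDs.
# A pasted full OTP or a mistyped character is reported with its line number.
check_mappings() {
    [ -r "$1" ] || return 2
    bad=$(grep -Evn "^([^:[:space:]]+(:[$MODHEX]{12})+|#.*|[[:space:]]*)\$" "$1" || true)
    [ -z "$bad" ] && return 0
    printf 'invalid mapping entries:\n%s\n' "$bad" >&2
    return 1
}

# PAM: pam_yubico must be a required auth module, and common-auth must be
# commented out, as the guide does to remove the password prompt.
check_pam_sshd() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_yubico\.so' "$1" || return 1
    ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# sshd: both factors must be demanded, key first and then PAM.
check_sshd_config() {
    grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,keyboard-interactive:pam[[:space:]]*$' "$1" &&
        grep -Eq '^[[:space:]]*UsePAM[[:space:]]+yes[[:space:]]*$' "$1"
}

# With no arguments, print the mapping-file ID for the sample OTP;
# with "check", test the real files (run on the SSH server).
if [ "${1:-}" = check ]; then
    check_mappings /etc/yubikey_mappings && check_pam_sshd /etc/pam.d/sshd &&
        check_sshd_config /etc/ssh/sshd_config && echo "configuration looks consistent"
else
    otp_public_id "$SAMPLE_OTP"
fi
```

Running sshd -t in addition validates the syntax of sshd_config itself before the restart.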
Make sure you do not log out of your current SSH session. If the configuration is wrong or something failed, you might not be able to log in with SSH again.
service sshd restart
On the client, try to log in to the SSH server.
# Optional parameter: -v. Verbose option. Helpful for debugging
ssh root@my-server
Enter passphrase for key '/home/user/.ssh/id_rsa':
YubiKey for `root':
First you have to enter the password of your SSH keystore file. Afterwards, touch the YubiKey.