These steps were made for Ubuntu 20.04 LTS and tested with a Yubikey 5 NFC.
Based on:
- https://www.linode.com/docs/guides/how-to-use-yubikey-for-two-factor-ssh-authentication/
- https://docs.termius.com/termius-handbook/yubikey-support
- Register for an API key here, by entering your email address and touching the button on your YubiKey. Keep the Client ID and Secret Key returned by the website.
- Install required packages:
  ```
  sudo add-apt-repository ppa:yubico/stable
  sudo apt-get update
  sudo apt-get install libpam-yubico
  ```
- Create a mapping file:
  ```
  sudo touch /etc/ssh/authorized_yubikeys
  ```
- Populate this file with the usernames for which you want to enable two-factor authentication and their YubiKey IDs. You can obtain the ID by opening a text editor and touching the button on the YubiKey, and selecting only the first 12 characters. The first line below would be a typical configuration. The subsequent lines show a configuration where users user2, user3, and user4 use multiple YubiKeys and plan to access the server with all of them.
  ```
  # example
  user1:vvklhtiubdcu
  user2:ccurrufnjder:ccturefjtehv:cctbhunjimko
  ```
- Add
  ```
  auth required pam_yubico.so id=<client id> key=<secret key> authfile=/etc/ssh/authorized_yubikeys
  ```
  to the start of /etc/pam.d/sshd. Replace `<client id>` with the ID you retrieved when applying for an API key, and `<secret key>` with the secret key. If you only want single-factor authentication (either a YubiKey or a password), change `required` to `sufficient` to tell the system that a valid YubiKey will be enough to log in.
  ```
  # PAM configuration for the Secure Shell service
  # Yubikey authentication
  auth required pam_yubico.so id=<client id> key=<secret key> authfile=/etc/ssh/authorized_yubikeys
  # Standard Un*x authentication.
  @include common-auth
  ...
  ```
- In /etc/ssh/sshd_config, add or edit the following settings:
  ```
  ChallengeResponseAuthentication yes
  PasswordAuthentication no
  UsePAM yes
  ```
- Restart ssh daemon:
  ```
  sudo systemctl restart sshd
  ```
These instructions 'appear' to work, i.e. I can log in. However, I don't know if the YubiKey authentication works. I thought there would be a risk if I adopted the 'required' option first, so I selected 'sufficient'. I can ssh in and get a user prompt. After that it asks for the YubiKey. On activating that it then asks for my password. I can then log in. There is no error message when I activate the YubiKey and there is nothing in the auth log to suggest a problem, but how do I know if, perhaps, the YubiKey authentication failed so I was then asked for my password? There were no other messages on login to give me a clue.
Can I set up a log, or perhaps you can suggest a solution (to what may not be a problem!)?
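The mapping-file format and the PAM control flag from the steps above, as an added shell example that is not from the linked guides or the pam_yubico project: it extracts the 12-character public ID from an OTP, looks it up in an authorized_yubikeys-style file and reports whether the pam_yubico line is `required` or `sufficient`. The file paths, the client id/secret key placeholders and the sample OTP are constructed, and the online OTP validation the module performs against YubiCloud is not reproduced here.

```shell
# Added example, not from the linked guides: offline checks for the two files the steps edit.
# Paths, the client id/secret key placeholders and the sample OTP below are all constructed.

# Print the 12-character public ID of a YubiKey OTP (the prefix the mapping file stores).
# A YubiKey OTP is 44 modhex characters (alphabet cbdefghijklnrtuv); anything else is rejected.
yubikey_public_id() {
    otp="$1"
    [ "${#otp}" -eq 44 ] || return 1
    case "$otp" in *[!cbdefghijklnrtuv]*) return 1 ;; esac
    printf '%s\n' "$otp" | cut -c1-12
}

# Return 0 if USER is mapped to ID in an authorized_yubikeys-style FILE:
# one "user:id[:id...]" entry per line; blank lines and '#' comments are ignored.
is_key_authorized() {
    user="$1"; id="$2"; file="$3"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac      # skip blanks and comments
        case "$line" in *:*) ;; *) continue ;; esac   # need at least user:id
        [ "${line%%:*}" = "$user" ] || continue
        ids=":${line#*:}:"                            # wrap so every id reads ":id:"
        case "$ids" in *":$id:"*) return 0 ;; esac
    done < "$file"
    return 1
}

# Print the control flag (required/sufficient/...) on the pam_yubico.so auth line of a PAM
# service FILE, i.e. whether a valid YubiKey is enforced or merely enough on its own.
pam_yubico_control() {
    awk '$1 == "auth" && $3 == "pam_yubico.so" { print $2; exit }' "$1"
}

# Constructed sample files in a temp dir so the checks run anywhere.
demo_dir=$(mktemp -d)
cat > "$demo_dir/authorized_yubikeys" <<'EOF'
# example
user1:vvklhtiubdcu
user2:ccurrufnjder:ccturefjtehv:cctbhunjimko
EOF
cat > "$demo_dir/sshd" <<'EOF'
auth sufficient pam_yubico.so id=CLIENT_ID_PLACEHOLDER key=SECRET_KEY_PLACEHOLDER authfile=/etc/ssh/authorized_yubikeys
@include common-auth
EOF

# Constructed OTP: user1's public ID followed by 32 filler modhex characters (not a real credential).
sample_otp="vvklhtiubdcucccccccccccccccccccccccccccccccc"
# Usage: confirm the sample OTP belongs to user1 and report how PAM treats the module.
is_key_authorized user1 "$(yubikey_public_id "$sample_otp")" "$demo_dir/authorized_yubikeys" \
    && echo "user1 key mapped; pam_yubico is '$(pam_yubico_control "$demo_dir/sshd")'"
```

Because pam_yubico sits first in the stack and is marked `sufficient`, a successful OTP check ends authentication before common-auth runs, so a password prompt after the OTP means the module did not return success; its `debug` option logs the reason.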