After starting to use the Yubikey for LastPass and various other online servers I’ve started also using my yubikey for SSH access to my server(s).
I’ve touched on google_authenticator and pam_yubico for authentication in a previous post however I will be going into this in a bit more detail.
Taking a machine at home as an example. My requirements are simple
- NO SSH Key access to be allowed – as there is no way to require a second factor with an SSH Key (Passphrases can be removed or a new key generated)
- Access from Local machines to be allowed without Two Factor being enabled
- Yubikey to be the Primary TFA
- Fall back to google authenticator should either the Yubico servers be down, an issue with my keys or I just don’t have a USB port available (IE I’m on a phone or whatever)
In order to meet these requirements I’m going to need the following
- yubico-pam Yubikey PAM
- Google Authenticator PAM
- pam_access The server is running Archlinux, and luckily all of these are within AUR – and as such I’m not going to cover the install of the modules.
In order to restrict SSHd access as above I need the following auth lines in
# Check unix password auth required pam_unix.so try_first_pass # check to see if the User/IP combo is on the skip list - if so, skip the next two lines auth [success=2 default=ignore] pam_access.so accessfile=/etc/security/access_yubico.conf # Check /etc/yubikey for the users yubikey and skip the next line if it all works auth [success=1 default=ignore ] pam_yubico.so id=1 url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s authfile=/etc/yubikey # Check against google authenticator auth required pam_google_authenticator.so auth required pam_env.so
The next step is ensure that the relevant users and IP are listed in
# Allow welby from 220.127.116.11 + : welby : 18.104.22.168 # Deny all others - : ALL : ALL
After this is setup we will also need to setup the yubikey file
I’m not going to cover configuration of google authenticator with the google-authenticator command
The final changes are to the
/etc/ssh/sshd_config ensuring that the following are set
PasswordAuthentication no PubkeyAuthentication no PermitRootLogin no ChallengeResponseAuthentication yes UsePAM yes