Yubikey and server authentication
After starting to use the Yubikey for LastPass and various other online servers I’ve started also using my yubikey for SSH access to my server(s).
I’ve touched on google_authenticator and pam_yubico for authentication in a previous post however I will be going into this in a bit more detail.
Taking a machine at home as an example. My requirements are simple
- NO SSH Key access to be allowed – as there is no way to require a second factor with an SSH Key (Passphrases can be removed or a new key generated)
- Access from Local machines to be allowed without Two Factor being enabled
- Yubikey to be the Primary TFA
- Fall back to google authenticator should either the Yubico servers be down, an issue with my keys or I just don’t have a USB port available (IE I’m on a phone or whatever)
In order to meet these requirements I’m going to need the following
- yubico-pam Yubikey PAM
- Google Authenticator PAM
- pam_access The server is running Archlinux, and luckily all of these are within AUR – and as such I’m not going to cover the install of the modules.
In order to restrict SSHd access as above I need the following auth lines in
# Check unix password auth required pam_unix.so try_first_pass # check to see if the User/IP combo is on the skip list - if so, skip the next two lines auth [success=2 default=ignore] pam_access.so accessfile=/etc/security/access_yubico.conf # Check /etc/yubikey for the users yubikey and skip the next line if it all works auth [success=1 default=ignore ] pam_yubico.so id=1 url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s authfile=/etc/yubikey # Check against google authenticator auth required pam_google_authenticator.so auth required pam_env.so
The next step is ensure that the relevant users and IP are listed in
# Allow welby from 220.127.116.11 + : welby : 18.104.22.168 # Deny all others - : ALL : ALL
After this is setup we will also need to setup the yubikey file
I’m not going to cover configuration of google authenticator with the google-authenticator command
The final changes are to the
/etc/ssh/sshd_config ensuring that the following are set
PasswordAuthentication no PubkeyAuthentication no PermitRootLogin no ChallengeResponseAuthentication yes UsePAM yes