Tag Archives: OpenSSH

Requiring both an SSH key and a YubiKey

As of OpenSSH 6.2 there is the configuration option AuthenticationMethods, which allows requiring more than one authentication method. For me the obvious combination is requiring both regular SSH key authentication and a physical YubiKey, both of which need to succeed.

This post is a short description of my personal setup, focusing more on the how than on the whys.

In addition to the obvious requirement of having a YubiKey my setup depends on the following:

  • Running at least OpenSSH 6.2, which is provided by default as of Ubuntu 13.10. Debian-wise it might be helpful to know that the Wheezy backports currently contain OpenSSH 6.5.
  • The Yubico PAM module. Assuming recent enough Debian/Ubuntu that module can be found in the libpam-yubico package.
  • An API key from https://upgrade.yubico.com/getapikey/.

Here we have the relevant part of sshd_config, only enforcing the additional requirement for selected users.

### /etc/ssh/sshd_config
...
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
...
Match Group yubiusers
      PasswordAuthentication yes
      AuthenticationMethods publickey,password

Then there is the part about having PAM treat SSH passwords as YubiKey OTPs. Given a Debian-style /etc/pam.d/, I am modifying /etc/pam.d/sshd to replace the include of /etc/pam.d/common-auth with an include of my own custom /etc/pam.d/yubi-auth.

### /etc/pam.d/sshd
...
# @include common-auth
@include yubi-auth
...
### /etc/pam.d/yubi-auth
auth    required        pam_yubico.so mode=client id=NNN key=sEcREt authfile=/etc/yubimap

(No, the /etc/pam.d/yubi-auth file isn’t globally readable.)

More generally, the PAM config change is about replacing the auth … pam_unix.so line with an auth … pam_yubico.so line.

The specified /etc/yubimap holds the mapping between usernames and YubiKeys.

### /etc/yubimap
andreas:ccccccbhkljr
root:ccccccbhkljr

Finally, the result.

andreas@corrino:~$ ssh halleck.arrakis.se
Authenticated with partial success.
andreas@halleck.arrakis.se's password:
...
andreas@halleck:~$
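As an added set of sanity checks for this setup (example code, not from the original post), the following shell functions validate the /etc/yubimap format, confirm that the file holding the API key is not world-readable, and verify the include swap in /etc/pam.d/sshd, all run against constructed sample files. They assume pam_yubico's authfile format of one "user:id[:id...]" line per user and 12-character modhex YubiKey public IDs.

```shell
# Added example (not from the original post): sanity checks for the files above.
# Assumptions: pam_yubico's authfile is "user:id[:id...]" per line, and a YubiKey
# public ID is 12 modhex characters (alphabet cbdefghijklnrtuv).

# Every non-blank, non-comment line must be "user:" followed by one or more IDs.
# Succeeds when no line survives both filters, i.e. no invalid mapping exists.
check_yubimap() {
    ! grep -v -E '^[[:space:]]*(#|$)' "$1" |
      grep -q -v -E '^[A-Za-z_][A-Za-z0-9_-]*(:[cbdefghijklnrtuv]{12})+$'
}

# The file carrying the API key (key=...) must not be world-readable.
# Column 8 of "ls -l" is the "other" read bit, so this works without GNU stat.
check_not_world_readable() {
    other_read=$(ls -ld "$1" | cut -c8)
    [ "$other_read" != "r" ]
}

# /etc/pam.d/sshd must include yubi-auth and must not still include common-auth,
# otherwise pam_unix would accept an ordinary password in place of the OTP.
check_pam_sshd() {
    grep -q -E '^[[:space:]]*@include[[:space:]]+yubi-auth' "$1" &&
    ! grep -q -E '^[[:space:]]*@include[[:space:]]+common-auth' "$1"
}

# Constructed sample files mirroring the post; DEMO is a scratch directory.
DEMO=$(mktemp -d)
printf 'andreas:ccccccbhkljr\nroot:ccccccbhkljr\n' > "$DEMO/yubimap"
chmod 644 "$DEMO/yubimap"                          # holds public IDs only
printf 'bob:aaaaaaaaaaaa\n' > "$DEMO/badmap"      # 'a' is not a modhex char
printf '# @include common-auth\n@include yubi-auth\n' > "$DEMO/sshd"
printf 'auth required pam_yubico.so mode=client id=NNN key=sEcREt authfile=/etc/yubimap\n' \
    > "$DEMO/yubi-auth"
chmod 600 "$DEMO/yubi-auth"                        # the secret stays private

report() { if "$@"; then echo "OK   $*"; else echo "FAIL $*"; fi; }
report check_yubimap "$DEMO/yubimap"
report check_yubimap "$DEMO/badmap"
report check_not_world_readable "$DEMO/yubi-auth"
report check_not_world_readable "$DEMO/yubimap"
report check_pam_sshd "$DEMO/sshd"
```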

OpenSSH 5.7, SFTP and hard links

OpenSSH 5.7 just got released. You can read the full announcement at http://www.openssh.com/txt/release-5.7. Personally I especially appreciate the following improvement to their SFTP stack.

sftp(1)/sftp-server(8): add a protocol extension to support a hard link operation. It is available through the “ln” command in the client. The old “ln” behaviour of creating a symlink is available using its “-s” option or through the preexisting “symlink” command

Being able to handle hard links definitely makes SFTP even more useful as a remote filesystem.

ssh-agent without the Gnome keyring

In a default Ubuntu, and probably any other modern Gnome based Linux desktop, the Gnome keyring takes the role of the ssh-agent. If this is not desirable you can tell the keyring not to do that by setting the gconf variable /apps/gnome-keyring/daemon-components/ssh to false.

$ gconftool -s --type bool /apps/gnome-keyring/daemon-components/ssh false

At the next login you should see your environment variable SSH_AUTH_SOCK pointing towards a more proper socket. Note that the real ssh-agent is still started, assuming Ubuntu, thanks to /etc/X11/Xsession.d/90x11-common_ssh-agent.