As of OpenSSH 6.2 there is the configuration option AuthenticationMethods, allowing for the requirement of more than one authentication method. For me the obvious combination here is requiring both regular ssh key auth as well as a physical YubiKey, both which need to succeed.
This post is a short description of my personal setup, focusing more on the how than on the whys.
In addition to the obvious requirement of having a YubiKey my setup depends on the following:
- Running at least OpenSSH 6.2, which is provided by default as of Ubuntu 13.10. Debian wise it might be helpful to know that the Wheezy backports currently contains OpenSSH 6.5.
- The Yubico PAM module. Assuming recent enough Debian/Ubuntu that module can be found in the libpam-yubico package.
- An API key from https://upgrade.yubico.com/getapikey/.
Here we have the relevant part of sshd_config, only enforcing the additional requirement for selected users.
### /etc/ssh/sshd_config ... ChallengeResponseAuthentication no PasswordAuthentication no UsePAM yes ... Match Group yubiusers PasswordAuthentication yes AuthenticationMethods publickey,password
Then there is the part about having PAM threat ssh passwords as YubiKey OTPs. Given Debian style /etc/pam.d/ I am modifying /etc/pam.d/sshd to replace the include of /etc/pam.d/common-auth with an include of my own custom /etc/pam.d/yubi-auth.
### /etc/pam.d/sshd ... # @include common-auth @include yubi-auth ...
### /etc/pam.d/yubi-auth auth required pam_yubico.so mode=client id=NNN key=sEcREt authfile=/etc/yubimap
(No, the /etc/pam.d/yubi-auth file isn’t globally readable.)
In a more general manner the PAM config change is about replacing the auth … pam_unix.so line with an auth … pam_yubico.so line.
The specified /etc/yubimap holds the mapping between usernames and YubiKeys.
### /etc/yubimap andreas:ccccccbhkljr root:ccccccbhkljr
Finally, the result.
andreas@corrino:~$ ssh halleck.arrakis.se Authenticated with partial success. firstname.lastname@example.org's password: ... andreas@halleck:~$