Welcome to Yubico tech community.

PostPosted: Mon Jun 04, 2012 2:10 pm

Joined: Sun Oct 23, 2011 2:02 pm
Posts: 1
Requirement: Ubuntu 12.04 & Yubikey standard.

Description: This is a quick tutorial on how to set up YubiKey auth for SSH login in Ubuntu. It slightly extends the official how-to. OS: Ubuntu 12.04 (Precise Pangolin) (ami-e1e8d395)



1. Prerequisites
Code:
sudo apt-get install libpam-yubico
sudo apt-get install libykclient-dev


2. Check installation
Make sure:
    `/lib/security/pam_yubico.so` exists.
    `ykclient` can be run.

3. Linking user to yubikey
Edit/create the ~/.yubico/authorized_yubikeys file and add:
Code:
ubuntu:cccccccccccc

ubuntu is the username and cccccccccccc is the YubiKey ID.

4. Edit pam.d config file `/etc/pam.d/sshd`
add (at the beginning):
Code:
auth       sufficient   pam_yubico.so id=2458 key=ure8aA7mdExlmO0q44idqEICIuE= url=http://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

If you use sufficient: the user's account password is not required (i.e. one-factor auth).
If the required option is used: the user's account password has to be set and typed with the YubiKey upon login (i.e. two-factor auth).
Get your own ID and KEY; the values in the example above are faked.


5. Edit sshd config file `/etc/ssh/sshd_config`
edit these options if you set pam_yubico.so to be sufficient:
Code:
ChallengeResponseAuthentication yes
PasswordAuthentication no


or this if you set pam_yubico.so required:
Code:
ChallengeResponseAuthentication yes
PasswordAuthentication yes


You may want to make sure that these options are set like this:
Code:
PermitEmptyPasswords no
UsePAM yes


7. Restart sshd
Quote:
restart ssh


8. Test if it works.


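What step 4's `sufficient` and `required` flags mean for which credentials get a login through, shown as an added example that is not part of the original post or of Yubico's code: a simplified Python model of PAM auth-stack evaluation. The two-line stack and the `<ID>`/`<KEY>` placeholders are constructed, and the `pam_unix.so` password line is an assumption standing in for Ubuntu's `common-auth` include.

```python
# Simplified model of how PAM walks an "auth" stack, covering only the four
# keyword control flags. Constructed input: step 4's pam_yubico.so line
# (with <ID>/<KEY> placeholders) followed by a plain pam_unix.so line.
# Ubuntu's bracketed [success=1 default=ignore] syntax is not modelled.
SUFFICIENT_STACK = """\
auth sufficient pam_yubico.so id=<ID> key=<KEY>
auth required   pam_unix.so
"""
REQUIRED_STACK = SUFFICIENT_STACK.replace("sufficient", "required")

def parse_stack(text):
    """Return [(control, module)] for the auth lines of a pam.d file."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack

def authenticate(stack, passing):
    """Evaluate the stack; `passing` is the set of modules that succeed."""
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = module in passing
        if control == "requisite" and not ok:
            return False                  # fail immediately
        if control == "required" and not ok:
            required_failed = True        # fail at the end, keep going
        if control == "sufficient" and ok and not required_failed:
            return True                   # stop here, later modules skipped
        if ok and control != "optional":
            any_success = True            # a failed "sufficient" is ignored
    return any_success and not required_failed

def login_matrix(text):
    """Which credential combinations does this stack let through?"""
    stack = parse_stack(text)
    cases = {"otp only": {"pam_yubico.so"}, "password only": {"pam_unix.so"},
             "otp and password": {"pam_yubico.so", "pam_unix.so"}, "neither": set()}
    return {name: authenticate(stack, ok) for name, ok in cases.items()}

if __name__ == "__main__":
    for label, text in (("sufficient", SUFFICIENT_STACK), ("required", REQUIRED_STACK)):
        print(label, login_matrix(text))
```

In this model, a failed or skipped OTP under `sufficient` falls through to the password module, so the YubiKey is an alternative to the password rather than an addition to it; only `required` demands both.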

PostPosted: Sun Jan 20, 2013 6:55 am 

Joined: Mon Dec 19, 2011 3:24 am
Posts: 8
Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask). :)


PostPosted: Mon Jan 21, 2013 10:37 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 162
Thank you for your post.

This goes sticky.

_________________
-Tom


PostPosted: Tue Jan 29, 2013 3:46 pm

Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
It does not work as expected.
I have set up everything the same way as explained, and when connecting I am asked for the Yubikey and the password.
I have set up the pam.d/sshd with sufficient and altered the sshd_config as explained and nothing. I am still prompted for the password.
And what's worse is that if I press enter at the yubikey prompt, it goes straight to the password!
I am searching how my security level is increased here.


PostPosted: Wed Jan 30, 2013 11:06 am
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 162
Just a curiosity, do you encrypt your /home/user_with_yubikey?

Because in that config, you would not be able to read the authorized_yubikeys file.

I will try the suggested configuration in this post to check if it works when I have 5 minutes.

_________________
-Tom


PostPosted: Wed Jan 30, 2013 1:55 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 162
I have tested the "one factor" and it works on Ubuntu 12.10.

Image


If you want to use challenge-response mode then follow this tutorial:
https://github.com/Yubico/yubico-pam/wi ... geResponse

_________________
-Tom


PostPosted: Fri Feb 01, 2013 12:10 pm

Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
You mean that in order for the SSH login to work without asking for a password, the Yubikey must be set up in challenge-response mode?


PostPosted: Fri Feb 01, 2013 1:11 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 162
No. You can authenticate yourself locally [challenge-response] or via the Internet using the YubiCloud service, for example.

If you choose to authenticate against the YubiCloud you need the Yubico OTP (the one configured in slot 1 by default).
If you choose to authenticate locally then you configure slot 2 of your Yubikey in challenge-response mode (following the other tutorial).

The password prompt depends on how you configure sshd / pam.

_________________
-Tom


PostPosted: Fri Feb 01, 2013 2:11 pm

Joined: Mon Jan 28, 2013 3:06 pm
Posts: 8
I have strictly followed the howtos and I am still prompted for the password. I don't know what more to do.


PostPosted: Fri Feb 01, 2013 3:45 pm
Site Admin

Joined: Wed Nov 14, 2012 2:59 pm
Posts: 162
I am sorry moulip, I have posted a screenshot showing that it correctly works with only ONE factor. Just the Yubikey OTP without password.

What I can suggest is to install a virtual machine with Ubuntu 12.10, and try again from scratch.

1) Do not set up an encrypted home folder.
2) Check that the virtual machine can connect to the internet to validate the OTP.
3) Try reading the tutorial bottom-up, this may unlock some words that you missed, it happens.

_________________
-Tom

