Yubico Forum

Requirement: Ubuntu 12.04 or Debian Wheezy & Yubikey standard.

Description: This is quick tutorial on how to setup yubikey auth for SSH login in Ubuntu and Debian. It slightly extends official how-to. OS: Ubuntu 12.04(Precise Pangolin) (ami-e1e8d395)

1. Prerequisites


2. Check installation
Make sure `ls -la /lib/security/pam_yubico.so` exist.

3. Linking user to yubikey
edit/create /home/ubuntu/.yubico/authorized_yubikeys file and add:

ubuntu is username and ccccccbdefgh is yubikey ID. If this ssh-like approach does not work for you, see this for alternatives.

4. Edit pam.d config file `/etc/pam.d/sshd`
add (at the beginning):

If you use required option: user's account password has to be set and typed with yubikey upon login (i.e. two factor auth).
If sufficient is used: user's account password is not required (i.e. one factor auth).
Get your own API ID and KEY, the values in the example above are faked.

5. Edit sshd config file `/etc/ssh/sshd_config`

1. One factor auth - yubikey only, passwords disabled
   pam_yubico.so is sufficient and:
   
   Code:
   PasswordAuthentication no
   
   
   
2. One factor auth - yubikey OR password
   pam_yubico.so is sufficient and:
   
   Code:
   PasswordAuthentication yes
   
   
   
3. Two factor auth - yubikey AND password
   pam_yubico.so is required and:
   
   Code:
   PasswordAuthentication yes
   

7. Restart sshd


8. Test if it works.

Will this by chance work with CentOS as well? (I have a CentOS based web server I host on so that is why I ask).

Thank you for your post.

This goes sticky.

_________________
-Tom

It does not work as expected.
I have setup everything the same way as explained, and when connecting I am asked for the Yubikey and the password.
I have setup the pam.d/sshd with sufficient and altered the sshd_config as explained and nothing. I am still prompted with the password.
And what's worse is that if I press enter at the yubikey prompt, it goes straight to the password !
I am searching how my security level is increased here.

Just a curiosity, do you encrypt your /home/user_with_yubikey ?

because in that config, you would not be able to read the authorized_yubikey file.

I will try the suggested configuration in this post to check if it works when i'll have 5 minute.

_________________
-Tom

I have tested the "one factor" and it works on Ubuntu 12.10




if you want to use challenge response mode then follow this tutorial:
https://github.com/Yubico/yubico-pam/wi ... geResponse

_________________
-Tom

You mean that in order for the SSH login to work without asking password, the Yubikey must be setup in challenge-response mode ?

No. You can authenticate yourself locally [challenge-response] or via the Internet using YubiClous service for example.

If you choose to authenticate against the YubiCloud you need the YubicoOTP ( the one configured in slot 1 by default )
If you choose to authenticate locally then you configure slot 2 of your Yubikey in challenge response mode ( following the other tutorial )

The password prompt depends on how you configure sshd / pam

_________________
-Tom

I have strictly followed the howtos and I am still prompted for the password. I don't know what to do more.

I am sorry moulip, i have posted a screenshot showing that it correctly works with only ONE factor. Just the Yubikey OTP without password.

What i can suggest you, is to install a virtual machine with Ubuntu 12.10, and try again from scratch.

1) Do not set up encrypted home folder.
2) Check that the virtual machine can connect to the internet to validate the OTP
3) Try reading the tutorial bottom-up, this may unlock some words that you missed, it happens.

_________________
-Tom