Yubico Forum

I wish to use my recently purchased Yubikey to authenticate against my home ssh server.
I have been using PubkeyAuthentication and have my Debian ssh server configured to NOT allow username/password pair logins but to require an attempted authentication to match up with a pre-existing account which has the connecting users pubkey in their authenticated_keys2 file.
I wish to on top of this have it prompt me for a OTP Yubikey password.
So I wish to use my Yubikey in addition to this WITHOUT supplying my normal /etc/shadow password at login time.
CAN THIS BE DONE? And if so HOW?

Thank you in advance to anyone who can direct me on this.

PS The why I would want to do this is because I often times login to my home server on occasion from work from my assigned work laptop or desktop and do not wish to implicitly trust that there is no key logger running on the machine which a OTP prompt would defeat as I understand it.

I have tried to setup the configuration I spoke of before.
It would seam that PubkeyAuthentication within openssh currently overrides any other authentication methods so to accomplish what I want would likely require a patch to openssh which I don't have the expertise to wright my self.
So forgoing that for the time it would seem I can leave PubkeyAuthentication enabled and must ensure my client is not using pageant if putty or I am using -a with ssh if I have a key loaded locally with ssh-add/ssh-agent to get the prompt:

Yubikey for `coniptor':

I've read conflicting information in a couple of posts concerning this.
I'm running Debian Etch with the latest errata/security updates applied.
I had to modify /etc/pam.d/ssh not /etc/pam.d/sshd for Debian.

I had to ENABLE: "ChallengeResponseAuthentication yes" in /etc/ssh/sshd_config to get the Yubikey prompt listed above.
Regardless of if I have PasswordAuthentication set to no or yes I am unable to authenticate at the Yubikey prompt and this applies whether or not PubkeyAuthentication is enabled or disabled in sshd_config.

Again to note I DO NOT want PasswordAuthentication enabled EVER and would be quite content and happy if pam_yubico.so didn't try to do ANYTHING AT ALL with /etc/shadow.
I do not want /etc/shadow on my system checked during login unless I'm at the physical console.

I have the id= set to what my client id is listed as at the api.yubico.com site once logged in.
I have my yubikey id set in /etc/yubikeyid and in ~/.yubico/authorized_yubikeys for my normal login.
I have tried authentication with /etc/yubikeyid and .yubico/authorized_yubikeys readable only by user and by ugo without success.

I have both auth required lines enabled in /etc/pam.d/ssh for admin and regular access and have also tried it with just admin and just user enabled still with no success.

If I ssh in with Pubkey auth I do not get a debug message on my regular account login but receive two debug messages in a row when I ssh from my regular account to my root account like below:
[pam_yubico.c:pam_sm_setcred(561)] called.
[pam_yubico.c:pam_sm_setcred(561)] called.
Which is not completely helpfull.
In addition /var/run/pam-debug.log which has user group and world/other read write never shows ANY changes still zero length.
I have verifed with tshark that my system is even trying to validate at the url:
http://api.yubico.com/wsapi/verify?id=%d&otp=%s
which it is so I know the pam_yubico.so library is contacting the site for authentication and not being validated.

I would sincerely appreciate help from anyone else who has managed to get this working in Debian.
Thanks in advance to anyone who can help.

Ok I determined what my issue was authenticating.
I can keep PubkeyAuthentication enabled with PasswordAuthentication enabled and ChallengeResponseAuthentication disabled like:
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no

What I had to change to get it working was to enable ONLY one of the auth required lines in /etc/pam.d/ssh
either admin managed under /etc/yubikeyid or user managed in ~/.yubico/authorized_yubikeys.
This is covered in thread: http://forum.yubico.com/viewtopic.php?f=6&t=191&hilit=ssh
where it covers the debian way of modifying /etc/pam.d/ssh where it denotes:
## YubiKey Config
# Administrative Level
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
#OR
# User Level
# auth required pam_yubico.so id=16 debug

However with this configuration I either authenticate with my pubkey setup which means I have to trust a computer I ssh from either decrypting my private key with password which allows a key logger to nab my password and retrieve my key from memory possibly OR login with out pubkey and have to provide my login accounts password plus the yubikey OTP.
I would prefer just entering the OTP and using Pubkey together without having to enter the accounts local password.

Something like this was mentioned in thread: http://forum.yubico.com/viewtopic.php?f=5&t=174&hilit=yubikeyonly
I recursively grepped through both pam_yubico-1.11 and the subversion pulled yubico-pam for option yubikeyonly which was mentioned in the below bullet point but could not find it.
+ If you don't plan to use two-factor authentication (a user-entered PIN/password, in addition to the yubikey output), add yubikeyonly=1 to the pam_yubico.so line.

I would very much like to see this option return and work with ChallengeResponseAuthentication with the:
Yubikey for 'username': prompt.
That is if it really did ever exist or even if it did not I would like to see it added.

In the meantime I can create an account specifically for remote login with disabled local login I suppose.

I found another post regarding pam-debug.log being in /tmp and not /var/run.
Once I also added debug in /etc/pam.d/common-auth I found it was logging debug information to /tmp/pam-debug.log

We are working on the issue and we will update you soon.

It seems that the PubkeyAuthentication overrides the other authentication methods and as you correctly mentioned would require a patch for OpenSSH to achieve the OpenSSH authentication you desire.