SSH Two-Factor auth (2FA) with a yubikey

ssh two-factor

Ok, I kept at it and I think I've come up with a reasonable solution. The primary thing I was previously missing was sshd's AuthenticationMethods publickey,password. This enforces the requirement for both a publickey and a password -- "password"s now being handled by PAM->auth-yubi. Additional changes were also needed, see below:

(ubuntu 14.04 - trusty):

/etc/pam.d/yubi-auth

auth    required pam_yubico.so mode=client try_first_pass id=<id> key=<key>

Note: you can obtain your access ID and secret key here

/etc/pam.d/sshd

# Standard Un*x authentication.
#@include common-auth

# Yubikey auth
@include yubi-auth

/etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes

service ssh restart

Verification

SSH from a remote host without a public key

root@0a6442bcb21c:/# ssh [email protected]
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is ea:2a:e3:98:35:72:66:b1:e0:65:6b:3f:60:8a:af:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts.
Permission denied (publickey).

SSH from a remote host with a public key

$ ssh [email protected]
Authenticated with partial success.
[email protected]'s password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64)

Improvement

It would be nice to see "Yubikey Auth:" instead of "password:" from the remote ssh server when authenticating.

What happens when the ssh server is unable to contact yubico's auth verification system? An ideal solution would be entirely self-contained.

Comments and suggestions appreciated.


Setting up 2FA with Yubikey can be tricky (thought there is openssh patch for U2F), but the easiest way is probably the one described on Yubico official website.

It is basically the way of storing your private key on the Yubikey and protecting it with PIN. It is not exactly the 2FA you are described (but it is something what you have and and what you know), but it increases the security even more (Yubikey locks after some unsuccessful tries).

TL:DR;

OPENSC_LIBS=`locate opensc-pkcs11.so`
yubico-piv-tool -s 9a -a generate -o public.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
  -S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
ssh-keygen -D $OPENSC_LIBS/opensc-pkcs11.so -e
ssh -I $OPENSC_LIBS/opensc-pkcs11.so [email protected]

Related

How does CPU affinity interact with cgroups in Linux?
Ways to circumvent Cisco AnyConnect VPN Routing Table
Limit SSH traffic?
Where can I document useful things to know as a Mac sysadmin?
How are Amazon EBS snapshot's sizes calculated?
Creating symlink in /usr/bin when creating an RPM
Criteria for choosing a server to run Node.js
Anonymous access to SMB share hosted on Server 2008 R2 Enterprise
SSL Certificate error: verify error:num=20:unable to get local issuer certificate
EXPLAIN with index suggestions
postfix sasl "cannot connect to saslauthd server: No such file or directory"
proxy: pass request body failed