SSH Public key+MFA with Yubikey on Centos 8/Ubuntu 20.4 LTS
I will explain how to enable login to CentOS 8 and Ubuntu 20.4 LTS over ssh with an ssh key and a YubiKey together.
Install pam_yubico
On CentOS 8
# dnf install epel-release
# dnf install pam_yubico
On Ubuntu 20.4 LTS
$ sudo apt update
$ sudo apt install libpam-yubico -y
Create a yubico mapping file for the users. I will create /etc/yubico in this example. You can map multiple tokens to one user:
<first user name>:<YubiKey token ID1>
<second user name>:<YubiKey token ID2>:<YubiKey token ID3>:….
But I have only one YubiKey, so my /etc/yubico file will look like this:
$ cat /etc/yubico
ismail:ccccccjflici
yusuf:ccccccjflijc
ccccccjflici is the first 12 characters of your YubiKey token (its public ID). You can get it by opening a text editor, pressing the YubiKey, and taking only the first 12 characters of the OTP it types.
Edit /etc/pam.d/sshd
Disable password auth by commenting out the following line. If you don't comment it out, sshd will ask for a password in addition to the ssh key and YubiKey.
On CentOS 8
#auth substack password-auth
On Ubuntu 20.4 LTS
#@include common-auth
Then add the following line
auth required pam_yubico.so id=16 debug authfile=/etc/yubico
Only change authfile=/etc/yubico if you use a different path.
Edit /etc/ssh/sshd_config
Enable ChallengeResponseAuthentication
ChallengeResponseAuthentication yes
Add AuthenticationMethods
AuthenticationMethods publickey,keyboard-interactive
Enable UsePAM (enabled by default)
UsePAM yes
Then restart sshd
# systemctl restart sshd
Disable Selinux
If SELinux is enforcing, you should disable it to make the YubiKey work.
Then make an ssh test
$ ssh -i myssh.key ismail@serverIP
YubiKey for `ismail':
Last login: Sat Jul 25 19:55:17 2020 from ...
WARNING
If you don't enable the YubiKey for all users, the users who have no YubiKey mapping can't log in to the server, even with their ssh key.
To fix this you should configure a different AuthenticationMethods for those users. For example, if you want to allow xyz to log in with an ssh key only, add the following lines to the END of sshd_config:
Match User xyz
AuthenticationMethods publickey
You can use Match Group instead if you want to apply this to a whole group.
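As an added example (not part of the original post), a small POSIX shell helper that extracts the public ID from an OTP, validates the /etc/yubico mapping format used above, and lists the users the warning describes (accounts with no mapping, which would be locked out). It assumes the modhex alphabet YubiKey OTPs are written in; the OTP and mapping lines it is fed are constructed samples.

```shell
# Added helper (not from the original post) for the /etc/yubico mapping file.
# Assumption: modhex is the 16-letter alphabet YubiKey OTPs use, and the
# public ID is the first 12 characters of a 44-character OTP.

# True if $1 is exactly 12 modhex characters, i.e. a YubiKey public ID.
is_public_id() {
  [ "${#1}" -eq 12 ] || return 1
  case "$1" in *[!cbdefghijklnrtuv]*) return 1 ;; esac
}

# Print the public ID of a full OTP (the part that goes into /etc/yubico).
yubi_public_id() {
  id=$(printf '%.12s' "$1")
  is_public_id "$id" || return 1
  printf '%s\n' "$id"
}

# Validate one "user:id1:id2..." line; print the user name on success.
check_mapping_line() {
  user="${1%%:*}"; rest="${1#*:}"
  [ -n "$user" ] && [ "$rest" != "$1" ] && [ -n "$rest" ] || return 1
  while [ -n "$rest" ]; do
    id="${rest%%:*}"
    is_public_id "$id" || return 1
    [ "$rest" = "$id" ] && break
    rest="${rest#*:}"
  done
  printf '%s\n' "$user"
}

# Report malformed lines of mapping file $1 on stderr; non-zero exit if any.
check_mapping_file() {
  rc=0; n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$line" in ''|'#'*) continue ;; esac
    check_mapping_line "$line" >/dev/null ||
      { printf 'line %d: bad mapping: %s\n' "$n" "$line" >&2; rc=1; }
  done <"$1"
  return "$rc"
}

# Print the given user names that have no entry in mapping file $1: these
# are the accounts the WARNING above says would be locked out.
users_without_mapping() {
  file="$1"; shift
  for u in "$@"; do
    grep -q "^$u:" "$file" || printf '%s\n' "$u"
  done
}
```

Run `users_without_mapping /etc/yubico $(cut -d: -f1 /etc/passwd)` before restarting sshd to see which accounts still need a mapping or a Match block.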
Note: AuthenticationMethods is not available in the CentOS 6 openssh-server version (5.X); the OpenSSH developers added the AuthenticationMethods configuration parameter in OpenSSH version 6.2.
Ismail YENIGUL
Devops Engineer