SSH Public key+MFA with Yubikey on Centos 8/Ubuntu 20.4 LTS

ismail yenigül
2 min readJul 25, 2020

--

I will explain how to enable login into CentOS 8 and Ubuntu 20.4 LTS with ssh key and YubiKey together.

Install pam_yubico

On CentOS 8

# dnf install epel-release
# dnf install pam_yubico

on Ubuntu 20.4 LTS

$ sudo apt update 
$ sudo apt install libpam-yubico -y

Create a yubico mapping file for the users. I will create /etc/yubico in this example. You can create multiple token for a user

<first user name>:<YubiKey token ID1>
<second user name>:<YubiKey token ID2>:<YubiKey token ID3>:….

But I have only one Yubikey key so my /etc/yubico file will look like

$ cat /etc/yubico
ismail:ccccccjflici
yusuf:ccccccjflijc

ccccccjflici is the first 12 digit of your YubiKey token. You can create a token by opening a text editor and press the Yubikey then get only first 12 chars.

Edit /etc/pam.d/sshd

Disable password auth by commenting the following line. If you don’t comment it, SSHD will ask password in addition to ssh key+Yubikey

On Centos 8

#auth substack password-auth

On Ubuntu 20.4 LTS

#@include common-auth

Add the following line

auth required pam_yubico.so id=16 debug authfile=/etc/yubico

Only change authfile=/etc/yubico if you use different path.

Edit /etc/ssh/sshd_config

Enable ChallengeResponseAuthentication
ChallengeResponseAuthentication yes

Add AuthenticationMethods
AuthenticationMethods publickey,keyboard-interactive

Enable UsePAM (enabled by default)

UsePAM yes

Then restart sshd

# systemctl restart sshd

Disable Selinux

If Selinux is enforcing, you should disable it to make Yubikey works.

And make an ssh test

$ ssh -i myssh.key ismail@serverIPYubiKey for `ismail':Last login: Sat Jul 25 19:55:17 2020 from ...

WARNING

If you don’t enable Yubikey for all users, the users don’t have Yubikey mapping, can’t login to the server with ssh key only.

To fix this you should configure different AuthenticationMethods for other users. For example if you want to allow xyzonly with ssh key then add the following lines to the END of the sshd_config.

Match User xyz
AuthenticationMethods publickey

You can use Match Group if you want to apply

Note: AuthenticationMethods is not available in CentOS 6 openssh-server version(5.X) he OpenSSH developers added the AuthenticationMethods configuration parameter in OpenSSH version 6.2

Ismail YENIGUL

Devops Engineer

--

--