SSH Public Key + MFA with YubiKey on CentOS 8 / Ubuntu 20.4 LTS

This post explains how to require both an SSH key and a YubiKey for login on CentOS 8 and Ubuntu 20.4 LTS.

Install pam_yubico

On CentOS 8

On Ubuntu 20.4 LTS

Create a Yubico mapping file for the users. In this example the file is /etc/yubico. A user can have multiple tokens.

I have only one YubiKey, so my /etc/yubico file looks like this:

ccccccjflici is the first 12 characters (the public ID) of your YubiKey token. To get it, open a text editor, touch the YubiKey, and keep only the first 12 characters of the output.
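As an added example (not part of the original post), the shell functions below extract the 12-character public ID from a pasted YubiKey OTP and sanity-check a mapping file in the user:token[:token...] format described above. The user names and the second token are constructed values; the only assumption is that the file follows that format.

```shell
#!/bin/sh
# Added example (not from the original post): checks for the pam_yubico
# mapping file. A YubiKey OTP is 44 modhex characters; the first 12 are the
# public ID that goes into /etc/yubico. Modhex alphabet: cbdefghijklnrtuv.

# Print the 12-char public ID of a full OTP; fail if it is not a valid OTP.
yubi_public_id() {
    otp=$1
    case $otp in *[!cbdefghijklnrtuv]*) return 1 ;; esac   # non-modhex char
    [ "${#otp}" -eq 44 ] || return 1                       # wrong length
    printf '%s\n' "$otp" | cut -c1-12
}

# Validate a mapping file: lines are "user:id[:id...]", each id 12 modhex
# chars. Blank lines and # comments are skipped. Returns 1 on any bad line.
check_yubico_map() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        user=${line%%:*}
        ids=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$ids" ]; then
            echo "no token for line: $line" >&2; rc=1; continue
        fi
        oldifs=$IFS; IFS=:
        for id in $ids; do
            case $id in
                ????????????) case $id in *[!cbdefghijklnrtuv]*) bad=1 ;; *) bad=0 ;; esac ;;
                *) bad=1 ;;
            esac
            [ "$bad" -eq 0 ] || { echo "bad token '$id' for user $user" >&2; rc=1; }
        done
        IFS=$oldifs
    done < "$1"
    return $rc
}

# Demo on a constructed mapping file (user names and second token are made up).
map=$(mktemp)
printf 'ismail:ccccccjflici\n# backup key for admin\nadmin:ccccccjflici:cbdefghijkln\n' > "$map"
if check_yubico_map "$map"; then echo "$map: mapping file OK"; fi
rm -f "$map"
```

Run it against /etc/yubico before restarting sshd; a malformed line there locks the affected user out once AuthenticationMethods requires the YubiKey.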

Edit /etc/pam.d/sshd

Disable password authentication by commenting out the following line. If you leave it in, sshd will also ask for a password in addition to the SSH key and YubiKey.

On CentOS 8

On Ubuntu 20.4 LTS

Add the following line:

Change authfile=/etc/yubico only if you used a different path for the mapping file.

Edit /etc/ssh/sshd_config

Enable ChallengeResponseAuthentication:

ChallengeResponseAuthentication yes

Add AuthenticationMethods:

AuthenticationMethods publickey,keyboard-interactive

Make sure UsePAM is enabled (it is enabled by default).

Then restart sshd:

# systemctl restart sshd

Then test an SSH login.

WARNING

If you don't enroll a YubiKey for every user, users without a YubiKey mapping can no longer log in to the server, not even with their SSH key alone.

To fix this, configure a different AuthenticationMethods for those users. For example, to allow the user xyz to log in with an SSH key only, add the following lines to the END of sshd_config.

You can use Match Group if you want to apply

Note: AuthenticationMethods is not available in the CentOS 6 openssh-server package (version 5.x). The OpenSSH developers added the AuthenticationMethods configuration parameter in OpenSSH 6.2.

Ismail YENIGUL

DevOps Engineer