Misc Tech Notes

Sat 11 January 2014

Require Yubikey and publickey on Fedora 20 for remote access

Posted by Peter Reuterås in Tips

I have a server that I can access from parts of the internet (firewalled with an external firewall) to manage my home environment. For security reasons I want to require a Yubikey in addition to the regular publickey when logging in via SSH. The Yubikey should only be required when logging in as a regular user. Access as root from specified hosts on the local network should be protected by publickey authentication alone, so that automated actions like backups by rsnapshot, which can't use a Yubikey at the moment, keep working (if you have any tips on securing those types of connections please add a comment below or send me a message).

I did the configuration a couple of days before writing this blog post and hopefully I've remembered all of the steps needed below so that others can use this post to get started.

First we have to install the PAM module for Yubikey on Fedora:

yum install pam_yubico

Disclaimer: I've found that Fedora, at the time of writing, ships version 2.13 of pam_yubico, while a newer version (2.14) is available.

The next step is to create an authorized_yubikeys file, which is similar to the ssh authorized_keys file. You have to change vvxxxxxxxxxx to your Yubikey token ID (the first twelve characters of an OTP).

mkdir ~/.yubico
echo $USER:vvxxxxxxxxxx > ~/.yubico/authorized_yubikeys
# If you have SELinux enabled
chcon -R system_u:object_r:ssh_home_t:s0 ~/.yubico

Then you have to register a client ID for your server at https://upgrade.yubico.com/getapikey/; the ID and key you receive are entered in the PAM configuration.

To enable Yubikey in PAM for ssh, change the following in /etc/pam.d/sshd (replace <your id> and <your key> with the client ID and key from the previous step):

auth       required     pam_sepermit.so
auth       sufficient   pam_yubico.so id=<your id> url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s key=<your key>
#auth       substack     password-auth

In sshd_config you have to add the following at the end of the file (everything after a Match line belongs to that Match block, so it must come last).

PasswordAuthentication yes
PermitRootLogin no
AuthenticationMethods publickey,password

Match User root, Address 192.168.X.Y/32,192.168.S.T/32
    AuthenticationMethods publickey
    PermitRootLogin yes
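Before restarting sshd it is worth confirming that the Match block really produces the intended split: publickey only for root from the listed LAN hosts, publickey plus the OTP-answered password prompt for everyone else, and no root login from anywhere else. The script below is an added example, not from the original post. It uses the daemon's own test mode, `sshd -T -C user=...,host=...,addr=...`, which prints the effective configuration for a simulated connection (all three of user, host and addr must be given, and it has to run as root so sshd can read its host keys). The host names and addresses in check_all are constructed placeholders standing in for the 192.168.X.Y / 192.168.S.T hosts in the configuration above.

```shell
#!/bin/sh
# Added example (not part of the original post): verify what sshd will
# actually enforce for a given user and source address by reading the
# effective configuration from "sshd -T -C" instead of logging in to find out.

# Pull one keyword's value out of "sshd -T" output read on stdin
# (the dump is "keyword value" per line, keywords in lower case);
# fails if the keyword is absent.
config_value() {
    awk -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
}

# Compare one effective keyword for user@addr with what the policy expects.
check_value() {
    user=$1 host=$2 addr=$3 keyword=$4 expected=$5
    actual=$(sshd -T -C "user=$user,host=$host,addr=$addr" 2>/dev/null \
             | config_value "$keyword") || {
        echo "could not read effective $keyword for $user from $addr" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "ok:       $user from $addr -> $keyword $actual"
    else
        echo "MISMATCH: $user from $addr -> $keyword $actual (expected $expected)" >&2
        return 1
    fi
}

# The cases the Match block is meant to produce.  Hosts/addresses are
# constructed placeholders; substitute the hosts listed in your Match line.
check_all() {
    rc=0
    # root from a listed LAN host: key only, root allowed
    check_value root  backup.lan 192.168.1.10 authenticationmethods publickey          || rc=1
    check_value root  backup.lan 192.168.1.10 permitrootlogin       yes                || rc=1
    # a regular user from anywhere: key plus the password prompt (Yubikey OTP)
    check_value alice laptop.lan 192.168.1.10 authenticationmethods publickey,password || rc=1
    # root from a host not covered by the Match block: not allowed at all
    check_value root  remote     203.0.113.5  permitrootlogin       no                 || rc=1
    return $rc
}

# Run the checks only when executed directly with --check.
if [ "${1-}" = "--check" ]; then
    check_all
fi
```

A MISMATCH on the root-from-LAN line usually means the Match block was not placed at the end of the file or the address mask does not match the backup host, both of which would otherwise only show up as a failing rsnapshot run.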

After a restart of sshd (systemctl restart sshd.service) you should now be able to log in. The output should be similar to the session below; the password prompt is answered with the Yubikey OTP, and my ssh key had already been loaded with ssh-add.

[username@laptop ~]$ ssh server.example.com 
Authenticated with partial success.
username@server.example.com's password: 
Last login: Sat Jan 11 18:00:00 2014 from laptop.example.com
[username@server ~]$

For more information please have a look at:

  • https://code.google.com/p/yubico-pam/wiki/ReadMe
  • https://fedoraproject.org/wiki/Using_Yubikeys_with_Fedora

Good luck and please contact me or write a comment if you have any questions.

Update 2015-01-31: I recently updated to Fedora 21 and found that I had missed adding

setsebool -P authlogin_yubikey true