I have a server that I can access from parts of the internet (firewalled with an external firewall) to manage my home environment. For security reasons I want to use a Yubikey in addition to the regular publickey to log in via SSH. The Yubikey should only be required when logging in as a regular user. Access as root from specified hosts on the local network should only be protected by publickey authentication, so that automated actions like backups by rsnapshot, which use tools that can't use a Yubikey at the moment, keep working (if you have any tips on securing those types of connections please add a comment below or send me a message).
I did the configuration a couple of days before writing this blog post and hopefully I've remembered all of the steps needed below so that others can use this post to get started.
First we have to install the pam module for Yubikey on Fedora:
yum install pam_yubico
Disclaimer: I've found that Fedora, at the time of writing, has version 2.13 installed, but there is a newer version available (2.14).
The next step is to create an authorized_yubikeys file, which is similar to the ssh authorized_keys file. Replace vvxxxxxxxxxx with your Yubikey token ID (the first twelve characters of an OTP).
mkdir ~/.yubico
echo $USER:vvxxxxxxxxxx > ~/.yubico/authorized_yubikeys
# If you have selinux enabled
chcon -R system_u:object_r:ssh_home_t:s0 ~/.yubico
Then you have to register a client ID for your server at https://upgrade.yubico.com/getapikey/, which you need to enter in the pam configuration.
To enable Yubikey in pam for ssh, change the following in /etc/pam.d/sshd.
auth required pam_sepermit.so
auth sufficient pam_yubico.so id=<your id> url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s key=<your key>
#auth substack password-auth
In sshd_config you have to make the following changes at the end of the file. The Match block has to stay at the very end, since every directive after a Match line applies only to connections that match it.
PasswordAuthentication yes
PermitRootLogin no
AuthenticationMethods publickey,password
Match User root Address 192.168.X.Y/32,192.168.S.T/32
    AuthenticationMethods publickey
    PermitRootLogin yes
And now you should be able to log in after restarting sshd (systemctl restart sshd.service). The output should be similar to the one below (the password prompt expects your Yubikey OTP; my ssh key had already been added with ssh-add).
[username@laptop ~]$ ssh server.example.com
Authenticated with partial success.
firstname.lastname@example.org's password:
Last login: Sat Jan 11 18:00:00 2014 from laptop.example.com
[username@server ~]$
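The authorized_yubikeys step above is easy to get subtly wrong (wrong characters in the ID, a truncated OTP, a second key for the same user). The following script is an added example, not part of the original post or of pam_yubico: it derives the public ID from an OTP, writes the user:id[:id...] file with owner-only permissions and checks it for malformed lines. It assumes an OTP is 44 modhex characters (cbdefghijklnrtuv) whose first 12 form the public ID; the OTP in the demo is constructed, not a real one.

```shell
#!/bin/sh
# Added example, not from the original post: derive the 12-character public ID
# from a Yubikey OTP, build an authorized_yubikeys file in pam_yubico's
# "user:id[:id...]" format and sanity-check it before relying on it for SSH.
# Assumes an OTP is 44 modhex chars (cbdefghijklnrtuv); the first 12 are the public ID.

# Print the public ID of an OTP; fail on wrong length or non-modhex input.
yubikey_public_id() {
    case "$1" in *[!cbdefghijklnrtuv]*) return 1 ;; esac
    [ ${#1} -eq 44 ] || return 1
    printf '%.12s\n' "$1"
}

# Record user:id, appending a further ID when the user already has a line.
add_authorized_yubikey() {
    file=$1 user=$2 id=$3
    touch "$file" && chmod 600 "$file"            # owner-only, like ssh keys
    if grep -q "^$user:" "$file"; then
        tmp=$(mktemp)
        awk -F: -v u="$user" -v i="$id" '$1 == u { $0 = $0 ":" i } { print }' "$file" > "$tmp"
        cat "$tmp" > "$file" && rm -f "$tmp"      # keeps the file's mode/owner
    else
        printf '%s:%s\n' "$user" "$id" >> "$file"
    fi
}

# Return non-zero (and report) for any line not of the form user:<id>[:<id>...]
check_authorized_yubikeys() {
    bad=0
    while IFS= read -r line; do
        ok=1
        case "$line" in ''|:*|*:|*::*) ok=0 ;; *:*) ;; *) ok=0 ;; esac
        if [ "$ok" = 1 ]; then
            for id in $(printf '%s' "${line#*:}" | tr ':' ' '); do
                case "$id" in *[!cbdefghijklnrtuv]*) ok=0 ;; esac
                [ ${#id} -eq 12 ] || ok=0
            done
        fi
        [ "$ok" = 1 ] || { echo "invalid line: $line" >&2; bad=1; }
    done < "$1"
    return $bad
}

# Constructed demo input: 44 modhex characters, not a real OTP.
otp=vvccccccccccbdefghijklnrtuvbdefghijklnrtuvcb
demo=$(mktemp)
add_authorized_yubikey "$demo" "${USER:-alice}" "$(yubikey_public_id "$otp")"
check_authorized_yubikeys "$demo" && echo "$demo is well-formed"
rm -f "$demo"
```

Point the file argument at ~/.yubico/authorized_yubikeys to check the real file; the chcon step from the post still has to be run separately on SELinux systems.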
For more information please have a look at
Good luck and please contact me or write a comment if you have any questions.
Update 2015-01-31: I updated to Fedora 21 recently and found that I had forgotten to add
setsebool -P authlogin_yubikey true