As we talked about recently, a Yubikey can be used to add a layer of physical security to any remote access (applications, servers) and sometimes also to hardware (a telephone, for example).

Today we’re going to look at how to secure SSH access to a server using a Yubikey.

In my case, it’s useful because I have two work computers, and I may also want to access my servers from third-party computers. It is well known that relying on a password alone is not recommended. That leaves a key pair, but it means carrying the private key around and running the risk of it being copied. So I chose the 2FA option: password authentication plus a Yubikey.

Client ID and Secret Key

To start with, you need to generate a client ID and a Secret Key using the Yubico API. Go to this page https://upgrade.yubico.com/getapikey/. Simply enter your e-mail address and generate an OTP code by activating the Yubikey. Save the Client ID and Secret Key in a safe place.

Yubico Library

Next, log in to your server and install the Yubico PAM library, which handles the authentication and the API requests:

sudo apt-get install libpam-yubico

Next, edit the sshd file:

sudo nano /etc/pam.d/sshd

And under the @include common-auth line, add:

auth required pam_yubico.so id=CLIENT-ID key=SECRET-KEY url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

Create a user/Yubikey link

The principle is well known: all you have to do is create a link between each user and one or more Yubikeys. The difference here is that the information must be stored in ~/.yubico/authorized_yubikeys.

If, like me, you’re running Mac or Linux, plug in your key and copy the following line into a terminal to retrieve your key ID:

read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}

On the server side, let’s create the necessary directory and file:

mkdir ~/.yubico
nano ~/.yubico/authorized_yubikeys

And let’s make the link between a user and its keys (in the example, two keys are registered for one user):

user:KEY1vvukdhrugthk:KEY2vvkdtgbdarcx
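As an added example (not part of the original post, and not pam_yubico’s code), here is the local part of the check the module performs before calling the API: extract the 12-character public ID from an OTP, as the read command above does, but with format validation, then look it up in a user’s authorized_yubikeys line. The file contents and the OTP below are constructed sample values, and the parser assumes the plain 44-character OTP form and skips blank lines.

```python
import re
from typing import Dict, List

# A YubiKey types OTPs in "modhex", a 16-letter alphabet chosen to be the
# same on every keyboard layout. The first 12 characters are the key's public
# ID (what authorized_yubikeys stores); the remaining 32 are the encrypted
# one-time part that only the Yubico API can validate.
MODHEX_RE = re.compile(r"^[cbdefghijklnrtuv]+$")
PUBLIC_ID_LEN = 12
OTP_LEN = 44


def public_id(otp: str) -> str:
    """Return the public ID of an OTP, or raise ValueError if it is malformed."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not MODHEX_RE.match(otp):
        raise ValueError("not a 44-character modhex YubiKey OTP")
    return otp[:PUBLIC_ID_LEN]


def parse_authorized_yubikeys(text: str) -> Dict[str, List[str]]:
    """Parse lines of the form user:id1:id2 (blank lines are skipped)."""
    mapping: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        user, *ids = line.split(":")
        mapping[user] = [i for i in ids if i]
    return mapping


def is_authorized(user: str, otp: str, authorized_text: str) -> bool:
    """True if the OTP's public ID is one of the keys registered for user."""
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in parse_authorized_yubikeys(authorized_text).get(user, [])


# Constructed sample data (not real keys): alice has two keys, bob has one.
SAMPLE_FILE = "alice:ccccccbcgujh:cccccccfhcje\n\nbob:cccccccbdlrt\n"
SAMPLE_OTP = "ccccccbcgujh" + "hrfuechkcrchnldvreecgrhuvvicdtlg"

if __name__ == "__main__":
    print(public_id(SAMPLE_OTP))                              # ccccccbcgujh
    print(is_authorized("alice", SAMPLE_OTP, SAMPLE_FILE))   # True
    print(is_authorized("bob", SAMPLE_OTP, SAMPLE_FILE))     # False
```

A match here only proves which key was presented; the OTP itself is still sent to the verify URL configured in the PAM line, which is what stops a replayed or forged code.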

Finally, reload the SSH daemon with a good old:

service sshd reload

Keep your terminal open and open a second connection to your server. You’ll be asked for a password and then a code generated by your Yubikey.

Get your Yubikey!