As we talked about recently, a Yubikey can be used to add a layer of physical security to any remote access (applications, servers) but also sometimes hardware (a telephone, for example).
Today we’re going to look at how to secure SSH access to a server using a Yubikey.
In my case it’s useful because I have two work computers, and I sometimes also want to reach my servers from third-party machines. Password-only authentication is not really recommended. That leaves an SSH key pair, but it means carrying the private key around, with the risk of it being copied. So I went for the 2FA option: password authentication plus a Yubikey OTP.
Client ID and Secret Key
To start with, you need a Client ID and a Secret Key for the Yubico API. Go to https://upgrade.yubico.com/getapikey/, enter your e-mail address and generate an OTP by touching the Yubikey. Save the Client ID and Secret Key in a safe place: the Secret Key is what your server will use to authenticate its exchanges with the validation service.
Yubico Library
Next, log in to your server and install the Yubico PAM module, which handles the authentication step and the API requests (Debian/Ubuntu):
sudo apt-get install libpam-yubico
Next, edit the sshd file:
sudo nano /etc/pam.d/sshd
And under the @include common-auth line, add:
auth required pam_yubico.so id=CLIENT-ID key=SECRET-KEY url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s
With "required", the OTP must validate in addition to the password check already done by common-auth; replace CLIENT-ID and SECRET-KEY with the values obtained above.
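As an added example (not part of the original post, nor code from pam_yubico, which does all of this for you), here is what the id=, key= and url= options on that PAM line stand for: the server expands the URL template with the client id and the OTP typed at the prompt, and uses the secret key to check the HMAC-SHA1 signature that the validation service puts on its answer, as described by Yubico's validation protocol v2.0. The client id, secret key, OTP, nonce and server answer below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets

# Template copied from the PAM line: %d takes the client id, %s the OTP.
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s"

# Constructed placeholders, not real credentials. A real secret key is the
# base64 string issued at https://upgrade.yubico.com/getapikey/.
CLIENT_ID = 12345
SECRET_KEY = base64.b64encode(b"0123456789abcdef0123").decode()
# 12 modhex characters of public id followed by a 32-character encrypted block
SAMPLE_OTP = "vvukdhrugthk" + "cbdefghijklnrtuv" * 2


def build_verify_url(client_id, otp):
    """Expand the url= template the way the PAM line spells it."""
    return VERIFY_URL % (client_id, otp)


def sign_params(secret_key, params):
    """Validation protocol v2.0 signature: the parameters (without h) sorted by
    name and joined with '&', HMAC-SHA1 keyed with the base64-decoded secret
    key, result base64-encoded."""
    message = "&".join("%s=%s" % (k, params[k]) for k in sorted(params))
    mac = hmac.new(base64.b64decode(secret_key), message.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def parse_response(body):
    """The service answers with key=value lines."""
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def verify_response(secret_key, body, expected_otp, expected_nonce):
    """Return the status string only if the h= signature is valid under the
    shared secret and the answer echoes the OTP and nonce that were sent;
    otherwise None. An answer that fails here counts as a failed login."""
    fields = parse_response(body)
    signature = fields.pop("h", None)
    if signature is None:
        return None
    if not hmac.compare_digest(signature, sign_params(secret_key, fields)):
        return None
    if fields.get("otp") != expected_otp or fields.get("nonce") != expected_nonce:
        return None
    return fields.get("status")


def constructed_response(secret_key, otp, nonce, status):
    """Build a signed answer of the shape the service returns (constructed
    here so that the example runs offline)."""
    fields = {"otp": otp, "nonce": nonce, "t": "2024-01-01T00:00:00Z0000",
              "sl": "100", "status": status}
    fields["h"] = sign_params(secret_key, fields)
    return "".join("%s=%s\r\n" % item for item in fields.items())


if __name__ == "__main__":
    nonce = secrets.token_hex(16)
    print(build_verify_url(CLIENT_ID, SAMPLE_OTP))
    genuine = constructed_response(SECRET_KEY, SAMPLE_OTP, nonce, "OK")
    print("genuine answer:", verify_response(SECRET_KEY, genuine, SAMPLE_OTP, nonce))
    # A rejected OTP whose status was rewritten in transit no longer matches h=
    altered = constructed_response(SECRET_KEY, SAMPLE_OTP, nonce, "REPLAYED_OTP")
    altered = altered.replace("status=REPLAYED_OTP", "status=OK")
    print("altered answer:", verify_response(SECRET_KEY, altered, SAMPLE_OTP, nonce))
```

The secret key is what lets the server check the signature on the answer instead of trusting a bare status=OK, and echoing the nonce ties each answer to one request; that is why the key belongs in a safe place and in the PAM line.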
Create a user/Yubikey link
The principle is the familiar one: all you have to do is link each user to one or more Yubikeys. The difference here is that the link is stored in ~/.yubico/authorized_yubikeys.
If, like me, you’re running Mac or Linux, plug in your key, paste the following line into a terminal and touch the key when prompted; it prints the first 12 characters of the OTP, which are the key’s public ID:
read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}
On the server side, create the directory and the file:
mkdir ~/.yubico
nano ~/.yubico/authorized_yubikeys
And link a user to its key(s), the user name followed by one key ID per field, separated by colons (the example lists two keys):
user:KEY1vvukdhrugthk:KEY2vvkdtgbdarcx
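To make the two previous steps concrete, here is an added example (not part of the original post, and not the lookup code of pam_yubico itself) that derives the public ID from an OTP the way the ${s:0:12} one-liner does, with a format check added, and looks it up in the contents of an authorized_yubikeys file. The file contents, the user names and the key IDs are constructed; the handling of blank and '#' lines is this example's own convention.

```python
# Constructed content of ~/.yubico/authorized_yubikeys: one line per user,
# the user name followed by the 12-character public id of each of its keys.
SAMPLE_FILE = """\
# constructed example, not a real mapping
alice:vvukdhrugthk:ccccccbcgujh
bob:cccccclejrkh
"""

MODHEX = set("cbdefghijklnrtuv")   # the alphabet a YubiKey types in OTPs
PUBLIC_ID_LEN = 12
OTP_LEN = 44


def public_id_from_otp(otp):
    """First 12 characters of a 44-character modhex OTP, the same thing as
    ${s:0:12} in the one-liner above; None if the string is not an OTP."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or any(c not in MODHEX for c in otp):
        return None
    return otp[:PUBLIC_ID_LEN]


def parse_authorized_yubikeys(text):
    """user:id1:id2:... -> {user: {id1, id2, ...}}. Blank and '#' lines are
    skipped (this example's convention); an id that is not 12 modhex
    characters raises, so a typo in the file shows up when it is checked
    rather than as a mysterious login failure."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        for key_id in ids:
            if len(key_id) != PUBLIC_ID_LEN or any(c not in MODHEX for c in key_id):
                raise ValueError("line %d: bad key id %r" % (lineno, key_id))
        mapping.setdefault(user, set()).update(ids)
    return mapping


def is_authorized(mapping, user, otp):
    """Does the key that produced this OTP belong to this user? This is only
    the file lookup; the OTP itself still has to be validated by Yubico."""
    public_id = public_id_from_otp(otp)
    return public_id is not None and public_id in mapping.get(user, set())


if __name__ == "__main__":
    mapping = parse_authorized_yubikeys(SAMPLE_FILE)
    # constructed OTP from alice's first key: public id + 32 modhex characters
    otp = "vvukdhrugthk" + "cbdefghijklnrtuv" * 2
    for user in ("alice", "bob", "carol"):
        print(user, is_authorized(mapping, user, otp))
```

Two things the lookup makes visible: the public ID is not secret (it is typed in clear at the start of every OTP), so the mapping file only says which key may log in as whom, and a key listed under one user does nothing for another.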
Finally, reload sshd with a good old service sshd reload.
Keep your current terminal open, so that you can undo the change if the new login fails, and open a second connection to your server. You’ll be asked for your password and then for a code generated by your Yubikey.