A Yubikey lets you add a physical security layer to any remote access (applications, servers, SaaS). Today we will see how to secure SSH access to a server with a Yubikey. In my case the reason is that I have two professional computers, and that I may want to access my servers from other computers. We know that using a password alone is really not recommended. I still have the option of an RSA key pair, but that implies carrying it around and the risk of it being copied. So I took the 2FA option: password authentication plus a Yubikey.

Client ID and Secret Key

To start, you’ll have to generate a Client ID and a Secret Key using the Yubico API. Go to this page: https://upgrade.yubico.com/getapikey/. You just have to fill in your email address and generate an OTP code by activating the Yubikey. Save the Client ID and the Secret Key in a safe place.

Yubico Library

Log in to your server and install the Yubico PAM library, which handles the authentication and the API requests:

sudo apt-get install libpam-yubico

Then we edit the PAM file for sshd:

sudo nano /etc/pam.d/sshd

Under the line @include common-auth we add:

auth required pam_yubico.so id=CLIENT-ID key=SECRET-KEY url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

Link a user to a Yubikey

The method is well known: you just have to link each user to one or several Yubikeys. The difference is that here the mapping must be stored in ~/.yubico/authorized_yubikeys.

If, like me, you are on Mac or Linux, plug in your key and paste the following line into a terminal to get the ID of your key (the first 12 characters of any OTP it produces):

read -p "Enter a YubiKey OTP: " s && echo 'The key id is' ${s:0:12}

On the server side, let’s create the directory and the necessary file:

mkdir ~/.yubico
nano ~/.yubico/authorized_yubikeys

And let’s link a user to their key (in the example we list two keys):

root:vvukdhrugthk:vvkdtgbdarcx
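As an added example (not part of the original post), the POSIX sh helpers below wrap the same idea as the read command above and the mapping format just shown: they extract the 12-character public ID from an OTP, and check that the lines you put in ~/.yubico/authorized_yubikeys are well formed before you rely on them for logins. The function names, the sample OTP and the second key ID are constructed for this example; vvukdhrugthk is the ID from the mapping above.

```shell
#!/bin/sh
# Added example, not code from the original post: POSIX sh helpers to derive a
# YubiKey public ID from an OTP and to sanity-check ~/.yubico/authorized_yubikeys
# entries. Function names and sample values are constructed for this example.

# A Yubico OTP is 44 modhex characters (alphabet: c b d e f g h i j k l n r t u v).
# The first 12 are the key's fixed public ID, which pam_yubico compares with the
# IDs listed for the user; the remaining 32 change on every press and are the
# part the Yubico API verifies.

# is_modhex STRING -> 0 if STRING is non-empty and made only of modhex characters
is_modhex() {
    case "$1" in
        '' | *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    return 0
}

# yubikey_id OTP -> prints the 12-character public ID; returns 1 if OTP is malformed
yubikey_id() {
    otp=$1
    is_modhex "$otp" || return 1
    [ "${#otp}" -eq 44 ] || return 1
    printf '%.12s\n' "$otp"
}

# authorized_line_ok LINE -> 0 if LINE has the form user:id[:id...] with every id
# a 12-character modhex public ID (the layout shown for authorized_yubikeys)
authorized_line_ok() {
    entry=$1
    user=${entry%%:*}
    ids=${entry#*:}
    # need a user name, a ':' separator and at least one id
    [ -n "$user" ] && [ "$ids" != "$entry" ] && [ -n "$ids" ] || return 1
    rest=$ids
    while [ -n "$rest" ]; do
        id=${rest%%:*}
        if [ "$id" = "$rest" ]; then rest=; else rest=${rest#*:}; fi
        is_modhex "$id" || return 1
        [ "${#id}" -eq 12 ] || return 1
    done
    return 0
}

# authorized_file_ok FILE -> 0 if every non-blank line is well formed; otherwise
# reports each bad line on stderr and returns 1
authorized_file_ok() {
    status=0
    n=0
    while IFS= read -r fline || [ -n "$fline" ]; do
        n=$((n + 1))
        [ -n "$fline" ] || continue
        if ! authorized_line_ok "$fline"; then
            printf 'line %d malformed: %s\n' "$n" "$fline" >&2
            status=1
        fi
    done < "$1"
    return "$status"
}

# Constructed sample values (not real keys): the first ID is the one from the
# mapping above, extended to a full 44-character OTP; the second is invented.
SAMPLE_OTP='vvukdhrugthkcbdefghijklnrtuvcbdefghijklnrtuv'
SAMPLE_LINE='root:vvukdhrugthk:vvcccbdefghi'

if keyid=$(yubikey_id "$SAMPLE_OTP"); then
    echo "The key id is $keyid"
fi
if authorized_line_ok "$SAMPLE_LINE"; then
    echo "well-formed mapping: $SAMPLE_LINE"
fi
```

Real public IDs only use the modhex letters, so the checker is strict about that alphabet; the post's second sample ID vvkdtgbdarcx is purely illustrative and would be flagged as malformed. To use it interactively as in the post, run read -r otp, touch the key, then yubikey_id "$otp"; run authorized_file_ok ~/.yubico/authorized_yubikeys after editing the file and before testing the login.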

Finally we reload sshd with a good old service sshd reload.

Keep your current terminal open in case it fails, and open a second connection to your server: you will be asked for your password and then for a code generated by your Yubikey.