OpenSSH >= 6.2 supports “multi-factor authentication”, which is to say you can require more than one form of identification to complete authentication for an SSH connection.
A real-world comparison would be, I suppose, providing more than one form of identification to open a bank account.
OpenSSH 6.2 introduces the AuthenticationMethods setting; combined with pam_yubico, this can be used to require that the connection provides both an SSH public key and a YubiKey OTP (one-time password).
So we’re going to combine these such that we attain the following:
- SSH connections will require public key authentication
- SSH connections will also require YubiKey authentication
- The above will be applied to specified users via the Match Group clause
To be clear: if the connection does not provide a valid public key for the user, it will never reach the YubiKey prompt stage; and if the YubiKey OTP it then provides is invalid, authentication will also fail.
Install the pam_yubico package:
sudo yum -y install pam_yubico
At the end of your /etc/ssh/sshd_config add the following:
You will also need to set ChallengeResponseAuthentication yes in your sshd_config file.
The above is the bare minimum; you can add any further settings you wish. Then restart sshd.
Create the file /etc/pam.d/yubi-auth with the content:
Note: I am specifying the URL, as the default will use http and not https, despite what the documentation might say.
Create the file: /etc/ssh/yubikey_mappings with the content:
You can get your YubiKey identity from demo.yubicloud.com
Edit /etc/pam.d/sshd so that the first lines read:
And finally, create a user in your group; in this case we’re using mfagroup:
useradd -g mfagroup -s /bin/bash username
Then install their public SSH key in /home/username/.ssh/authorized_keys, ensuring proper permissions.
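Before restarting sshd it is worth checking that the Match Group block really demands both factors. The following is an added example, not code from the original post: a constructed sshd_config fragment of the kind described above, beside a weak variant, and a POSIX sh/awk check over both. The group name mfagroup is from the post; the exact directives in the samples are an assumption.

```shell
# Added example, not from the original post: a constructed sshd_config fragment of
# the kind it describes, plus a POSIX sh/awk check that the Match Group block really
# enforces both factors. "mfagroup" is from the post; the directives are assumed.

# Constructed sample (assumption): the strong form, both methods required.
STRONG_CFG='
UsePAM yes
ChallengeResponseAuthentication yes
Match Group mfagroup
    AuthenticationMethods publickey,keyboard-interactive
'

# Constructed sample of a common mistake: a second, space-separated alternative
# ("publickey" alone) admits key-only logins, since any one list is sufficient.
WEAK_CFG='
UsePAM yes
ChallengeResponseAuthentication yes
Match Group mfagroup
    AuthenticationMethods publickey,keyboard-interactive publickey
'

# check_mfa_config GROUP  (sshd_config text on stdin): prints "enforced" and returns 0
# only if ChallengeResponseAuthentication is yes (globally or in the group's block) and
# every alternative in that block's AuthenticationMethods names both required methods.
check_mfa_config() {
    awk -v grp="$1" '
        { sub(/#.*/, "") }                     # strip comments
        NF == 0 { next }                       # skip blank lines
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" {                       # entering a Match block: is it ours?
            inmatch = 1
            target = (tolower($2) == "group" && $3 == grp)
            next
        }
        key == "challengeresponseauthentication" && tolower($2) == "yes" &&
            (!inmatch || target) { cra = 1 }
        key == "authenticationmethods" && inmatch && target {
            strong = 1
            for (i = 2; i <= NF; i++)          # each field is one acceptable list
                if ($i !~ /publickey/ || $i !~ /keyboard-interactive/) strong = 0
            am = strong
        }
        END {
            if (cra && am) { print "enforced"; exit 0 }
            print "not-enforced"; exit 1
        }'
}
printf '%s\n' "$STRONG_CFG" | check_mfa_config mfagroup            # enforced
printf '%s\n' "$WEAK_CFG"   | check_mfa_config mfagroup || true    # not-enforced
```

On a live host, feed it the real file with `check_mfa_config mfagroup < /etc/ssh/sshd_config`; a non-zero exit means a key-only path into the group still exists.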
All being well, when you try to log in as the user you should see the following:
And you have successfully set up two-factor SSH authentication with public keys.