I have got this slick little yubikey and I want to add an additional layer of security when authenticating ssh sessions. On the server side I've already disabled password authentication and only permit the use of ssh keys when logging in.

The problem is, after configuring sshd and PAM for yubikey auth, sshd still only requires an ssh key, I'm never asked to provide a response from the yubikey.

How do I require both an ssh key and a yubikey?

(ubuntu 14.04 - trusty)

/etc/pam.d/common-auth:

auth    required    pam_yubico.so mode=client try_first_pass id=<id> key=<secret>
auth    [success=1 default=ignore]  pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional            pam_cap.so
# end of pam-auth-update config

/etc/ssh/sshd_config:

...

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
ben lemasurier
  • BTW, if you don't get a satisfactory answer in a couple days, ping me and I'll put a healthy bounty on the question. I have rep to burn, and I'm interested in this answer as well. :) – EEAA Dec 10 '15 at 06:03

2 Answers

Ok, I kept at it and I think I've come up with a reasonable solution. The primary thing I was previously missing was sshd's AuthenticationMethods publickey,password. This enforces the requirement for both a publickey and a password -- "password"s now being handled by PAM->auth-yubi. Additional changes were also needed, see below:

(ubuntu 14.04 - trusty):

/etc/pam.d/yubi-auth

auth    required pam_yubico.so mode=client try_first_pass id=<id> key=<key>

Note: you can obtain your access ID and secret key here

/etc/pam.d/sshd

# Standard Un*x authentication.
#@include common-auth

# Yubikey auth
@include yubi-auth

/etc/ssh/sshd_config

UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes

service ssh restart

Verification

SSH from a remote host without a public key

root@0a6442bcb21c:/# ssh ben@192.168.1.20
The authenticity of host '192.168.1.20 (192.168.1.20)' can't be established.
ECDSA key fingerprint is ea:2a:e3:98:35:72:66:b1:e0:65:6b:3f:60:8a:af:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.20' (ECDSA) to the list of known hosts.
Permission denied (publickey).

SSH from a remote host with a public key

$ ssh ben@192.168.1.20
Authenticated with partial success.
ben@192.168.1.20's password:
Welcome to Ubuntu 14.04.3 LTS (GNU/Linux 3.19.0-33-generic x86_64)

Improvement

It would be nice to see "Yubikey Auth:" instead of "password:" from the remote ssh server when authenticating.

What happens when the ssh server is unable to contact yubico's auth verification system? An ideal solution would be entirely self-contained.

Comments and suggestions appreciated.

ben lemasurier
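The root cause in this answer is that without AuthenticationMethods sshd accepts whichever single method succeeds first, so the publickey step never hands over to PAM. The following script is an added example, not code from the thread: it reads an sshd_config text and reports whether every AuthenticationMethods chain really requires publickey plus a PAM-handled method, using the question's and the answer's fragments as constructed inputs (it assumes the directives are in the global section, with no Match blocks).

```shell
#!/bin/sh
# Added example, not code from the thread: does an sshd_config really require
# a public key AND a PAM-handled second method (the accepted answer's fix)?
# Assumption: directives sit in the global section, no Match blocks.
# first_value <config-text> <Directive>: sshd uses the first occurrence of a
# directive, so the first case-insensitive match wins; prints its whole value.
first_value() {
    printf '%s\n' "$1" | awk -v k="$2" \
        'tolower($1)==tolower(k){ $1=""; sub(/^[ \t]+/, ""); print; exit }'
}
# check_two_factor <config-text>: returns 0 only when every chain listed in
# AuthenticationMethods contains publickey plus password or keyboard-interactive
# and the matching switch lets that method reach PAM. Missing directives take
# the upstream sshd defaults (UsePAM no, the other two yes).
check_two_factor() {
    cfg="$1"
    usepam=$(first_value "$cfg" UsePAM);                       usepam=${usepam:-no}
    pwauth=$(first_value "$cfg" PasswordAuthentication);       pwauth=${pwauth:-yes}
    cra=$(first_value "$cfg" ChallengeResponseAuthentication); cra=${cra:-yes}
    methods=$(first_value "$cfg" AuthenticationMethods)
    [ "$usepam" = yes ] || { echo "FAIL: UsePAM is $usepam, pam_yubico never runs"; return 1; }
    [ -n "$methods" ] || { echo "FAIL: no AuthenticationMethods, any single method (publickey) is enough"; return 1; }
    for chain in $methods; do
        case ",$chain," in
            *,publickey,*) ;;
            *) echo "FAIL: chain '$chain' does not require publickey"; return 1 ;;
        esac
        case ",$chain," in
            *,password,*) [ "$pwauth" = yes ] ||
                { echo "FAIL: '$chain' needs PasswordAuthentication yes"; return 1; } ;;
            *,keyboard-interactive,*|*,keyboard-interactive:*) [ "$cra" = yes ] ||
                { echo "FAIL: '$chain' needs ChallengeResponseAuthentication yes"; return 1; } ;;
            *) echo "FAIL: chain '$chain' has no PAM-handled second method"; return 1 ;;
        esac
    done
    echo "OK: every chain requires publickey plus a PAM-handled method"
}
# Constructed inputs: the question's sshd_config fragment and the accepted
# answer's replacement, as quoted in the thread.
QUESTION_CFG='PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes'
ANSWER_CFG='UsePAM yes
ChallengeResponseAuthentication no
AuthenticationMethods publickey,password
PasswordAuthentication yes'
printf 'question: '; check_two_factor "$QUESTION_CFG" || :
printf 'answer:   '; check_two_factor "$ANSWER_CFG" || :
```

On a live host the same check can be fed the effective configuration with `sshd -T`, which expands defaults so the fallback values above are not needed.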
Setting up 2FA with Yubikey can be tricky (though there is an openssh patch for U2F), but the easiest way is probably the one described on Yubico's official website.

It is basically a way of storing your private key on the Yubikey and protecting it with a PIN. It is not exactly the 2FA you described (but it is something you have and something you know), but it increases the security even more (the Yubikey locks after some unsuccessful tries).

TL;DR:

# directory holding the OpenSC PKCS#11 module (first locate hit)
OPENSC_LIBS=$(dirname "$(locate opensc-pkcs11.so | head -n 1)")
# generate a key pair in PIV slot 9a (authentication); the public half goes to public.pem
yubico-piv-tool -s 9a -a generate -o public.pem
# verify the PIN (123456 is the factory default) and self-sign a certificate for the slot
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a \
  -S "/CN=SSH key/" -i public.pem -o cert.pem
yubico-piv-tool -a import-certificate -s 9a -i cert.pem
# export the public key in OpenSSH format via the PKCS#11 module; add it to authorized_keys on the server
ssh-keygen -D "$OPENSC_LIBS/opensc-pkcs11.so" -e
# connect using the key on the token; ssh prompts for the PIV PIN
ssh -I "$OPENSC_LIBS/opensc-pkcs11.so" user@remote.example.com
Jakuje
  • "*I believe the pam module is able to authenticate only local Yubikeys, not the ones over ssh*" - I'm not entirely sure what you mean by that. Do you mean that a Yubikey can't be used to authenticate to a remote ssh server via PAM? – MadHatter Dec 10 '15 at 08:49
  • Yes. Because it needs the way to communicate with the yubikey and it is probably done using some local library. There is no code for this in ssh. – Jakuje Dec 10 '15 at 08:51
  • That is definitely wrong. I have configured my remote servers to accept yubikey-based authentication in both [native yubikey mode](http://www.teaparty.net/technotes/yubikey.html) and [OATH mode](http://www.teaparty.net/technotes/yubikey-oath.html). The whole point of a yubikey is to provide a short(ish) string to transmit over a potentially-insecure channel, to act as a one-time password. If the yubikey had to be physically attached to the system it was authenticating to, it would be a lot less useful. I *think* you're wrong about the yubikey locking in PKCS mode, as well. – MadHatter Dec 10 '15 at 08:54
  • OK, you are right. For OTP mode it is possible. But the locking is part of PKCS11 standard. – Jakuje Dec 10 '15 at 08:58
  • I am not sure what you mean by the last comment. The yubikey locks itself, not the server. – Jakuje Dec 10 '15 at 09:12
  • Can you be more precise about the circumstances under which you think the yubikey locks itself? – MadHatter Dec 10 '15 at 09:13
  • When the server requests signing of the challenge, ssh asks the PKCS library to sign the challenge using the key stored on the yubikey. The key is PIN protected, so the user is prompted to enter the PIN. If he enters a wrong one three times or so, the yubikey locks for signing and requires the PUK as described in the [documentation](https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html). – Jakuje Dec 10 '15 at 09:16
  • Thank you for that - I feel your answer is much better for the improvements, and will remove my downvote. – MadHatter Dec 10 '15 at 09:18