Monday, April 1, 2024

How to Set Up Yubikey Authentication on Ubuntu

Lately, I've been exploring the world of Yubikeys and discovering various ways to integrate them into my devices. If you're interested in using Yubikeys for SSH authentication, this quick guide will walk you through the setup process on Ubuntu.



Step 1: Obtain Yubico API Key

Before diving into the setup, you'll need to obtain an API key from Yubico. Thankfully, Yubico makes this process straightforward. Simply visit the following link to acquire your API key: Yubico API Key


Step 2: Install Required Packages

Ensure that your system has the necessary packages installed to enable Yubikey authentication.

sudo apt install libpam-yubico


Step 3: Update sshd_config

Using your preferred text editor, open /etc/ssh/sshd_config and add or modify the following lines to enable Yubikey authentication:

KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes

...

Save the changes and exit the editor once you're done.


Step 4: Update pam.d sshd


Using the Client ID and Secret Key obtained from Yubico, update the PAM configuration file for sshd (/etc/pam.d/sshd). Add the following line at the top of the file:

auth required pam_yubico.so id=<Client ID> key=<Secret Key> authfile=/etc/yubikey_mappings mode=client


Save the changes and exit the editor.


Step 5: Create Yubikey Authfile

This file, /etc/yubikey_mappings (the path given by authfile= in Step 4), specifies the users and their associated keys for authentication. Create the authfile and populate it with the necessary user-key mappings. Refer to the example provided in the guide for guidance on formatting.
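
pam_yubico reads the authfile as one line per user in the form username:public_id[:public_id...], where the public ID is the first 12 characters of an OTP emitted by the key. The following is an added example, not part of the original post: it assumes the default 44-character OTP, the function names are hypothetical, and the sample OTP is constructed.

```shell
#!/bin/sh
# Added example: build and sanity-check /etc/yubikey_mappings entries.
# Assumes the default Yubico OTP layout: 44 modhex characters, the first
# 12 being the key's public ID. Function names are hypothetical.

# Constructed sample OTP (not from a real key): 12-char ID + 32 filler chars.
SAMPLE_OTP="ccccccbcgujhcbdefghijklnrtuvcbdefghijklnrtuv"

# Print the public ID of an OTP; fail on wrong length or non-modhex input.
yk_public_id() {
    otp=$1
    [ "${#otp}" -eq 44 ] || return 1
    case $otp in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    printf '%s\n' "$otp" | cut -c1-12
}

# Print one authfile line, "user:public_id", for a user and a fresh OTP.
yk_mapping_line() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # reject empty or odd usernames
    esac
    id=$(yk_public_id "$2") || return 1
    printf '%s:%s\n' "$1" "$id"
}

# Print every malformed line of an authfile; succeed only if there are none.
yk_check_authfile() {
    [ -r "$1" ] || return 2
    ! grep -Ev '^$|^[^:[:space:]]+(:[cbdefghijklnrtuv]{12})+$' "$1"
}

# Demo: the line to append to /etc/yubikey_mappings for user "alice".
yk_mapping_line alice "$SAMPLE_OTP"
```

Running yk_check_authfile /etc/yubikey_mappings before the restart in Step 6 catches a malformed mapping while the current session is still open.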

Step 6: Restart Service

Once all configurations are in place, restart the SSH service to apply the changes. It's important to note that you should not close your current session after this step. Consider opening another terminal to test the authentication process and avoid locking yourself out.


Step 7: Testing

To ensure that everything is functioning correctly, attempt to SSH into your server. You should be prompted to enter both your Yubikey and password for authentication.


Conclusion

While this tutorial demonstrates setting up Yubikey authentication alongside password verification, it's worth noting that individual preferences and security needs may vary. If you prefer to authenticate solely with Yubikey and eliminate password authentication entirely, you can achieve this by adjusting the settings in your sshd configuration accordingly.
