Lately, I've been exploring the world of Yubikeys and discovering various ways to integrate them into my devices. If you're interested in using Yubikeys for SSH authentication, this quick guide will walk you through the setup process on Ubuntu.
Step 1: Obtain Yubico API Key
Before diving into the setup, you'll need to obtain an API key from Yubico. Thankfully, Yubico makes this process straightforward. Simply visit the following link to acquire your API key: Yubico API Key
Step 2: Install Required Packages
Ensure that your system has the necessary packages installed to enable Yubikey authentication.
sudo apt install libpam-yubico
Step 3: Update sshd_config
Using your preferred text editor, open /etc/ssh/sshd_config and add or modify the following lines to enable Yubikey authentication:
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
...
Save the changes and exit the editor once you're done.
Step 4: Update pam.d sshd
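Using the Client ID and Secret Key obtained from Yubico, update the PAM configuration file for sshd, /etc/pam.d/sshd. Add the following line at the top of the file, replacing the placeholders with your own values. Note that this line stores the Secret Key in the file, so check that the file's permissions do not let other local users read it.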
auth required pam_yubico.so id=<Client ID> key=<Secret Key> authfile=/etc/yubikey_mappings mode=client
Save the changes and exit the editor.
Step 5: Create Yubikey Authfile
This file will specify the users and associated keys for authentication. Create the authfile and populate it with the necessary user-key mappings. Refer to the example provided in the guide for guidance on formatting.
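An added example, not part of the original post: pam_yubico reads one line per user from the authfile in the form user:public_id[:public_id...], where a public ID is the first 12 characters of an OTP emitted by that key. The script below builds and checks such lines; it assumes the default 44-character Yubico OTP, and the user name alice and both sample OTPs are constructed.

```shell
#!/bin/sh
# Added example: build and check entries for /etc/yubikey_mappings.
# Assumption: default Yubico OTP layout (44 modhex characters, the first
# 12 of which are the key's public ID).

# Constructed sample OTPs, one per key (not from real devices).
SAMPLE_OTP_1=ccccccbdefghijklnrtuvcbdefghijklnrtuvcbdefgh
SAMPLE_OTP_2=ccccccvutrnlkjihgfedbcvutrnlkjihgfedbcvutrnl

# Print the 12-character public ID of one OTP; fail if it is malformed.
yubikey_id() {
    case $1 in
        *[!cbdefghijklnrtuv]*) echo "OTP has non-modhex characters" >&2; return 1 ;;
    esac
    [ "${#1}" -eq 44 ] || { echo "OTP must be 44 characters" >&2; return 1; }
    printf '%.12s\n' "$1"
}

# Print "user:id1[:id2...]" for a user name and one OTP per key.
mapping_line() {
    [ "$#" -ge 2 ] || { echo "usage: mapping_line USER OTP..." >&2; return 1; }
    user=$1
    shift
    case $user in
        ''|*:*|*' '*) echo "bad user name" >&2; return 1 ;;
    esac
    line=$user
    for otp in "$@"; do
        id=$(yubikey_id "$otp") || return 1
        line="$line:$id"
    done
    printf '%s\n' "$line"
}

# Check an existing authfile; report malformed lines and return 1 if any.
check_authfile() {
    n=0
    bad=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        case $entry in ''|'#'*) continue ;; esac   # skip blanks and comments
        printf '%s\n' "$entry" |
            grep -Eq '^[^:[:space:]]+(:[cbdefghijklnrtuv]{12})+$' ||
            { echo "line $n: malformed mapping" >&2; bad=1; }
    done < "$1"
    return "$bad"
}

# Demo: one user with a primary and a backup key.
mapping_line alice "$SAMPLE_OTP_1" "$SAMPLE_OTP_2"
```

To capture a real OTP, touch the Yubikey with the cursor in a text field; the output of mapping_line can then be appended to /etc/yubikey_mappings as root.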
Step 6: Restart Service
Once all configurations are in place, restart the SSH service to apply the changes. Do not close your current session after this step. Instead, open another terminal to test the authentication process so that you cannot lock yourself out.
Step 7: Testing
To ensure that everything is functioning correctly, attempt to SSH into your server. You should be prompted to enter both your Yubikey and password for authentication.
Conclusion
While this tutorial demonstrates setting up Yubikey authentication alongside password verification, it's worth noting that individual preferences and security needs may vary. If you prefer to authenticate solely with Yubikey and eliminate password authentication entirely, you can achieve this by adjusting the settings in your sshd configuration accordingly.