Debian/Ubuntu Two-Factor Authentication (2FA) with Yubikey and Google Authenticator
Yubikeys are a great way to secure your ssh accounts with 2FA. One problem is that, unless you want to buy two (or more) of them, you need a backup solution: if you lose or break your Yubikey, you are locked out. So this howto describes how to activate a Yubikey as 2FA for ssh on Debian or Ubuntu (it probably works in a similar way on every other distro, but that is not tested) with Google Authenticator as the backup method.
I assume that you have already activated public key login; if you haven’t: do it!
If you don’t want to set up your own Yubico authentication server, you need to get your API key here: Yubico API Key signup
First, and this is very important: log in via SSH and don’t close that connection before you have verified that everything is running. If something doesn’t work, you are locked out without an active session.
Install these packages:
# apt-get install libpam-yubico libpam-google-authenticator ntp
It’s very important that you don’t forget ntp. OTPs with Yubikey and Google Authenticator are time-based. If your server time gets out of sync, you lock yourself out. This is especially tricky because at first it might work, but if the time drifts over time, it stops working and you have a problem.
Then you need to edit /etc/ssh/sshd_config and change
ChallengeResponseAuthentication no
to
ChallengeResponseAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
Edit /etc/pam.d/sshd so it looks like this in the beginning of the file:
# Standard Un*x authentication.
#@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

#YUBIKEY & Gauth
auth [success=done new_authtok_reqd=ok default=ignore] pam_yubico.so try_first_pass id=<ID> debug
auth required pam_google_authenticator.so nullok
#auth required pam_unix.so nullok
Make sure that the last three lines each start with “auth”; they might be wrapped here depending on your screen size. The <ID> is the key id you got from the Yubico signup page.
Now you have to create a file with the format
username:KEY
“username” is the Linux user you want to secure, “KEY” is your Yubikey identity. If you don’t know what that is, just type a one-time password into a text editor by pushing the button on your Yubikey for 3 seconds and copy the first 12 characters.
Save that file to /home/$username/.yubico/authorized_yubikeys
Now you have to run google-authenticator to create your keys. Run it as the user you want to secure:
# google-authenticator
Now add the key to your google authenticator (or similar) app.
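Before reloading sshd it is worth checking, from the session you kept open, that the three edited files look the way this howto expects, because the typical mistakes (the <ID> placeholder left in, a full OTP pasted instead of the 12-character public ID, common-auth still included) only show up as a lockout at the next login. The following is an added example script, not part of the original howto; it assumes the file paths used above and that the Yubikey public ID is 12 modhex characters (alphabet cbdefghijklnrtuv).

```sh
#!/bin/sh
# Pre-flight checks for the sshd_config, pam.d/sshd and authorized_yubikeys
# edits described above. Paths are parameters so the checks can also be run
# against copies of the files.

# sshd_config must enable keyboard-interactive and require pubkey + OTP.
check_sshd_config() {
    grep -Eq '^[[:space:]]*ChallengeResponseAuthentication[[:space:]]+yes' "$1" &&
    grep -Eq '^[[:space:]]*AuthenticationMethods[[:space:]]+publickey,keyboard-interactive' "$1"
}

# pam.d/sshd must have common-auth commented out, a pam_yubico line with a
# numeric client id (not the <ID> placeholder) and a pam_google_authenticator
# line, otherwise the backup method is not wired in.
check_pam_sshd() {
    ! grep -Eq '^[[:space:]]*@include[[:space:]]+common-auth' "$1" &&
    grep -Eq '^auth[[:space:]].*pam_yubico\.so.*[[:space:]]id=[0-9]+' "$1" &&
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_google_authenticator\.so' "$1"
}

# Every line of authorized_yubikeys must be "user:<12-char modhex public id>".
# Modhex only uses the letters cbdefghijklnrtuv (assumption stated in the
# lead-in), so a pasted full 44-character OTP or an empty file is caught here
# instead of at login time.
check_authorized_yubikeys() {
    [ -s "$1" ] &&
    ! grep -Evq '^[a-z_][a-z0-9_-]*:[cbdefghijklnrtuv]{12}$' "$1"
}

# Run all checks against the live paths for one user; stop at the first failure.
preflight() {
    user="${1:-$USER}"
    check_sshd_config /etc/ssh/sshd_config ||
        { echo "sshd_config: ChallengeResponseAuthentication/AuthenticationMethods not set"; return 1; }
    check_pam_sshd /etc/pam.d/sshd ||
        { echo "pam.d/sshd: yubico id, google-authenticator line or common-auth not as expected"; return 1; }
    check_authorized_yubikeys "/home/$user/.yubico/authorized_yubikeys" ||
        { echo "authorized_yubikeys: missing, empty or malformed entries"; return 1; }
    sshd -t || { echo "sshd -t rejected the configuration"; return 1; }
    echo "preflight OK for $user: safe to run: systemctl reload ssh"
}
```

Run `preflight $username` as root; only reload ssh if it prints the OK line.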
Time to test the new configuration! Reload the ssh daemon:
# systemctl reload ssh
If everything is working as it should, you should get a request for your Yubikey on your next ssh login:
YubiKey for `$username':
Push your Yubikey for 3 seconds and you should be logged in.
Log out and log in again; now enter a random Yubikey OTP (or no key at all):
YubiKey for `$username':
Verification code:
You are now asked to enter the OTP from Google Authenticator as the alternative and are still able to log in.