Two Factor SSH Authentication with Yubico Yubikeys on SmartOS

By Alasdair Lumsden on 18 Jan 2013

Two factor authentication is a method of increasing the security of logging into a service (such as logging into a website or to your computer), by typically requiring "something you know" combined with "something you have". The idea here is that an attacker can’t get in unless they have both elements, meaning in addition to sniffing your password, they’d have to physically mug you too.

Traditionally, Two Factor authentication has been achieved using an expensive corporate solution such as RSA SecureID tokens (pictured above). These are a bit outside the reach of individuals or small businesses.

Thankfully, Yubico popped up with a fantastic product called the Yubikey that generates one-time-passwords (OTP) via an innovative USB Key. These one time passwords are cryptographically secure and unique to your key. When you go to log in to a service secured with Yubikey, you simply touch your Yubikey and it generates the OTP, which gets authenticated via Yubico’s server. If it’s correct, it lets you in. Combine this with the service asking you for a password (something you know), and you’ve got two-factor authentication.

A keyfob Yubikey

They’re incredibly cheap, at around $25-$40 each. They come in a bunch of flavours, my favourite being the Nano edition, which is absolutely tiny and fits flush in your usb port, with just a tiny bit poking out for you to touch to authenticate. One nice feature of the Yubikey is that it presents itself as a simple USB Keyboard, and thus works with any Operating System out there.

Yubikeys can be used with an awful lot of services, including the browser plugin LastPass, which securely stores all your frequently used website passwords (I highly recommend using LastPass if you’re not already – it’s far more secure than using the same password for every website).

We’ve now added out of the box support for Yubikeys to our SmartOS package repo ec-userland, allowing you to do two-factor authentication to log into your server (or just log in with the Yubikey itself). To set this up (once you’ve bought and received your Yubikey), there are three bits – getting a Yubico API account, configuring PAM, and configuring SSH.

Getting your Yubico API Key

The Yubikey PAM configuration guides talk a lot about the “Client ID” and “Client Key”, this is referring to your API id and key. You can get this by visiting:

You’ll need to enter your email address, and touch your Yubikey in the "YubiKey one-time password" field.

This gives you two things back, your Client ID and your Secret Key.

Installing the module and configuring PAM

To install the Yubikey PAM module, simply run:

pkg install -v library/security/yubico/yubico-pam

Then edit the /etc/pam.conf file, and place the following at the bottom:

sshd    auth requisite          /ec/lib/security/ authfile=/etc/yubikey_mappings id=XXXX key=YYYY
sshd    auth requisite

Change the XXXX to your Client ID from above, and YYYY to your Secret Key.

The requisite keyword makes the method mandatory, and generates an immediate termination of the login process on failure. There are other options such as sufficient or required, see "man pam.conf" for more PAM options, and the yubico-pam module README for options specific to

Next, edit the /etc/yubikey_mappings file, where you map Unix accounts to Yubikey IDs (the ID of your Yubikey itself). Your Yubikey ID is the first 12 characters of your OTP, so you just open a text editor, touch your Yubikey, and copy the first 12 characters. The file looks like:

alasdair: xxxxxxxxxxxx,xxxxxxxxxxxx
bob: xxxxxxxxxxxx

That’s pretty much it as far as yubikey configuration goes.

Setting up SSH

On the EveryCity ec-userland based SmartOS images, we use OpenSSH rather than SunSSH, so this guide is for OpenSSH. You will need to edit /ec/etc/ssh/sshd_config and ensure the following are set:

PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes

UsePam ensures that OpenSSH uses PAM, and "PasswordAuthentication no" ensures OpenSSH doesn’t prompt for a password separately to PAM (which has its own password prompting). ChallengeResponseAuthentication allows the use of the Yubikey.

You may also want to set "PubkeyAuthentication no", as unfortunately OpenSSH treats the presence of a public key as sufficient to grant login, regardless of the PAM configuration.

Edit (2013-07-11): OpenSSH 6.2 introduced a new option called "AuthenticationMethods" which lets you set multiple methods that are required to let you in. To get two factor authentication with SSH Keys + Yubikey you can simply set:

AuthenticationMethods publickey,keyboard-interactive

Then in pam.conf you can remove the line if you don’t want to be prompted for a password in addition to the yubikey. Very nice :-)

If all goes well, you should be able to log in:

Good luck, and if you have any questions, let me know!