Learn about enhancing your SSH login security with YubiKey, a robust two-factor authentication method using a USB security token for one-time password generation and seamless integration.
Instead of codes generated by a smartphone, you can use a security token, which looks like a USB flash drive, as a second factor in SSH login. Among other functions, the device simulates keyboard input as soon as you press a touch-sensitive button. (The computer to which the security token is connected regards the token as a USB keyboard.)
The string (which is intended as a one-time password [OTP]) consists of two parts: The first 12 characters always remain the same and are, in a sense, the public part of the key. The remaining characters are the actual password, which changes every time.
The string is generated based on a nonreadable key. Together with a symmetric key, which you can determine on the token manufacturer’s website, it’s possible to check whether a string matches your token.
We conducted our tests with the YubiKey 5 NFC model from Yubico. Comparable devices are also available from other providers, including Google (Titan Security Key).
To enable verification of your YubiKey one-time passwords, you’ll need to generate a key at https://upgrade.yubico.com/getapikey. For this purpose, you must enter your email address and fill in another input field by touching the YubiKey. The website responds with an ID and the API key, both of which you’ll need for the configuration of the YubiKey PAM module.
PAM Configuration
On the machine running the SSH server, you must install the yubico PAM module. For Ubuntu, Yubico provides a package source:
add-apt-repository ppa:yubico/stable
apt update
apt install libpam-yubico
For RHEL, there’s a suitable package in the EPEL package source:
dnf install pam_yubico
To make sure the PAM module will be used, you must add the following statement to the end of /etc/pam.d/sshd in a single line and without the \ character:
# at the end of /etc/pam.d/sshd in a long line
auth required pam_yubico.so id=12345 key=apikey \
authfile=/etc/yubikey-mappings mode=client
Here, you replace 12345 with your ID and apikey with your API key. Both data originate from the website mentioned previously.
Mapping File
For all users whose logins are to be verified via YubiKey, the Linux account name and the first 12 characters of the one-time password must be specified in a mapping file. You specify the location of this file during the PAM configuration:
# File /etc/yubikey-mappings
michael:ccccnixgfask
peter:ccgsdkgalfja
...
Make sure that you really specify exactly 12 characters and that you don’t include any spaces before or after the colon! If you have multiple YubiKeys that you choose to use, the syntax is name:key1:key2:key3 and so on.
SSH Configuration
Finally, you only need to adjust the configuration of the SSH server so that the new authentication procedure will actually be used. You can do this in a similar way to using Google Authenticator. In the following listing, however, 2FA is not activated in general, but only for selected accounts:
# /etc/ssh/sshd_config
# Change existing setting
UsePAM yes
ChallengeResponseAuthentication yes
# add at the end
Match User michael,peter
AuthenticationMethods keyboard-interactive
Before you activate the changes via systemctl reload sshd and then try them out, you should make sure that an active SSH connection to the server is always maintained. Otherwise, you’ll run the risk of locking yourself out in the event of a configuration error.
An SSH login to your server should now work as follows:
ssh peter@a-company.com
Password: ********** (regular password,
Input via keyboard)
YubiKey for 'peter': ************ (OTP, input by
touching the YubiKey)
No Login without a Yubico Server
We want to make one more point here: every time you log on, pam_yuboci contacts a server from Yubico and verifies that the OTP you provide actually matches your token. At the same time, the test prevents an OTP from being used more than once. You can find more technical background information on the procedure at https://developers.yubico.com/OTP/OTPs_Explained.html.
Yubico currently operates five OTP servers that are distributed around the world to ensure a relatively high level of redundancy. However, if these servers suddenly become unavailable due to a technical glitch, hacking attack, or network problem, you will no longer be able to log on. In this respect, it’s a good idea to not activate 2FA for all accounts of a server; leave a—less secure—emergency account with a normal login.
Editor’s note: This post has been adapted from a section of the book Hacking and Security: The Comprehensive Guide to Penetration Testing and Cybersecurity by Michael Kofler, Klaus Gebeshuber, Peter Kloep, Frank Neugebauer, André Zingsheim, Thomas Hackner, Markus Widl, Roland Aigner, Stefan Kania, Tobias Scheible, and Matthias Wübbeling.
Comments