There is a point to this story, but it has temporarily escaped my mind...
Contact Me MyFaceBook MyLinkedIn MyGitHub MyTwitter

Enable Yubikey Two-Factor Authentication for SSH

cd ~
mkdir .yubico
sudo aptitude install autoconf libtool libusb-1.0-0-dev libcurl4-openssl-dev libpam-dev
sudo aptitude install build-essential

wget https://github.com/Yubico/yubico-c-client/tarball/master
tar zxvf master
cd Yubico-yubico-c-client-*
sudo autoreconf --install
sudo ./configure
sudo make
sudo make install
cd ..
/bin/rm master


wget https://github.com/Yubico/yubico-c/tarball/master
tar zxvf master
cd Yubico-yubico-c-*
sudo autoreconf --install
sudo ./configure
sudo make
sudo make install
cd ..
/bin/rm master


wget https://github.com/Yubico/yubikey-personalization/tarball/master
tar zxvf master
cd Yubico-yubikey-personalization-*
sudo autoreconf --install
sudo ./configure
sudo make
sudo make install
cd ..
/bin/rm master


wget https://github.com/Yubico/yubico-pam/tarball/master
tar zxvf master
cd Yubico-yubico-pam-*
sudo autoreconf --install
sudo ./configure
sudo make
sudo make install
cd ..
/bin/rm master


# Get an API key and passwd from https://upgrade.yubico.com/getapikey/
sudo nano /etc/pam.d/sshd # Find PAM configuration and add:
auth required pam_yubico.so id= key= debug


sudo nano /etc/pam.d/common-auth
# add "debug try_first_pass" to end of auth string


sudo nano /etc/ssh/sshd_config
# ensure PasswordAuthention yes and ChallengeResponseAuthentication no

sudo mv /usr/local/lib/security/pam_yubico.so /lib/security

nano ~/yubico/authorized_yubikeys
# The Yubikey id is the first 12 characters of a one-time-password generated by the Yubikey.
# syntax: username:12-char-yubikey-id

sudo touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
sudo service ssh restart
Copyright © 2015 by Julian Easterling. SOME RIGHTS RESERVED.

Creative Commons License
Except where otherwise noted, content on this site is
licensed under a Creative Common Attribution-Share Alike 4.0 International License.


All of the opinions expressed on this website are those of Julian Easterling and
do not represent the views of any of my current and previous clients or employers in any way.

If you notice an error on the site or content that has not been properly attributed, bring
it to my attention using the contact page and I will endeavor to fix it as soon as I can.

I accept no responsibility or liability for any damages incurred by following any of
my advice or by using any of the information on my site or of those sites that I link to.