This is a quick tutorial on how to setup yubikey auth for SSH login in Ubuntu and Debian.

  1. Prerequisites

sudo apt-get install libpam-yubico libykclient3

  1. Check installation
    Make sure ls -la /lib/security/ exist.

  2. Linking user to yubikey
    edit/create /etc/yubikey_mappings file and add:


ubuntu is username and ccccccbdefgh is yubikey ID. If this ssh-like approach does not work for you, see this for alternatives.

  1. Edit pam.d config file /etc/pam.d/sshd
    add (at the beginning):

auth required id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= url=

If you use required option: user’s account password has to be set and typed with yubikey upon login (i.e. two factor auth).
If sufficient is used: user’s account password is not required (i.e. one factor auth).
Get your own API ID and KEY, the values in the example above are faked.

  1. Edit sshd config file /etc/ssh/sshd_config

PermitEmptyPasswords no ChallengeResponseAuthentication yes UsePAM yes

a. One factor auth – yubikey only, passwords disabled is sufficient and:

PasswordAuthentication no

b. One factor auth – yubikey OR password is sufficient and:

PasswordAuthentication yes

c. Two factor auth – yubikey AND password is required and:

PasswordAuthentication yes

  1. Restart sshd
8. Test if it works.