This is a quick tutorial on how to set up YubiKey authentication for SSH login on Ubuntu and Debian.

  1. Prerequisites

sudo apt-get install libpam-yubico libykclient3

  2. Check installation
    Make sure /lib/security/pam_yubico.so exists: ls -la /lib/security/pam_yubico.so

  3. Linking user to yubikey
    Edit or create the /etc/yubikey_mappings file and add:

ubuntu:ccccccbdefgh

ubuntu is the username and ccccccbdefgh is the YubiKey ID. If this ssh-like approach does not work for you, see this for alternatives.

  4. Edit pam.d config file /etc/pam.d/sshd
    add (at the beginning):

auth required pam_yubico.so id=2458 key=ure8aX7mdExlmO0q44idqEICIuE= authfile=/etc/yubikey_mappings url=https://api.yubico.com/wsapi/2.0/verify?id=%d&otp=%s

authfile points pam_yubico at the mapping file created in the previous step.
If you use the required option, the user's account password has to be set and typed with the YubiKey upon login (i.e. two-factor auth).
If sufficient is used, the user's account password is not required (i.e. one-factor auth).
Get your own API ID and key; the values in the example above are fake.

  5. Edit sshd config file /etc/ssh/sshd_config

PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM yes

a. One factor auth – yubikey only, passwords disabled
pam_yubico.so is sufficient and:

PasswordAuthentication no

b. One factor auth – yubikey OR password
pam_yubico.so is sufficient and:

PasswordAuthentication yes

c. Two factor auth – yubikey AND password
pam_yubico.so is required and:

PasswordAuthentication yes

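  6. Restart sshd
  7. Test if it works. Keep your current session open and test from a second terminal, so that a mistake in the PAM or sshd configuration does not lock you out.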
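
An added example, not part of the original tutorial, for the "Linking user to yubikey" step: a shell helper that extracts the YubiKey ID from an OTP and lints the mapping file before sshd relies on it. It assumes the default Yubico OTP layout (44 modhex characters, 12-character ID); the function names and the sample OTP are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original tutorial.
# Assumption: default Yubico OTP layout (44 modhex characters, the first
# 12 being the YubiKey ID that goes into /etc/yubikey_mappings).

# Print the YubiKey ID of one OTP; fail if it is not 44 modhex characters.
otp_to_id() {
    case $1 in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    [ "${#1}" -eq 44 ] || return 1
    printf '%s\n' "$1" | cut -c1-12
}

# Lint a mapping file with lines of the form  user:id[:id...]
# Prints one message per problem; returns 0 only if the file is clean.
lint_mappings() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }          # skip blank and comment lines
        NF < 2 || $1 == "" {
            printf "line %d: expected user:id\n", NR; bad++; next
        }
        {
            for (i = 2; i <= NF; i++) {
                id = $i
                if (length(id) != 12 || id !~ /^[cbdefghijklnrtuv]+$/) {
                    printf "line %d: bad YubiKey ID \"%s\"\n", NR, id; bad++
                } else if ((id in owner) && owner[id] != $1) {
                    printf "line %d: %s already mapped to %s\n", NR, id, owner[id]; bad++
                } else {
                    owner[id] = $1
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Usage (constructed OTP, built from the tutorial's example ID):
#   otp_to_id ccccccbdefghcbdefghijklnrtuvcbdefghijklnrtuv   -> ccccccbdefgh
#   lint_mappings /etc/yubikey_mappings
```

An ID that appears under two different usernames is reported because either account could then be opened with the same token.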