Yubikey OTP on debian

Hi,
I just got a yubikey 4 and I want to use it as a 2fa on debian servers.
I followed documentation online but even with howto guides, nothing worked.

I know that the yubikey configuration is correct, I can test the OTP on their online test setup…
I got the API key and the secret after the AES key was uploaded to their servers.
but if I follow the official guide on their website, I get:
-no yubikey required for login
-impossible to log in

It depends on the config files.

Those are:

http://dieu.pro/yubico/sshd
and
http://dieu.pro/yubico/sshd_config

The /.yubico/authorized_yubikeys already exists and is configured.

Help please

Have you considered the problems with adding a callout for shell logins vs keeping your private keys on the Yubikey?

It’s not clear what both your factors are, OTP+SSH keys?

SSH config is missing an ‘AuthenticationMethods’ which would have an effect if you're using SSH keys

@include common-auth << try commenting this out, you're replacing pam_unix.so with the next line

#auth required pam_yubico.so id=16 debug << uncomment

you can also look at using pam_unix on the next line as ‘sufficient’ as a backup

auth.log may have useful info if the pam module itself is failing

I’m not using ssh keys right now…

I planned to add those later.
Right now, I want to connect through SSH with a password and the yubikey OTP (which I set up in quick setup in the personalization tool)

I want to use the yubikey only on two admin’s accounts because I have clients that are running ssh on that server without keys and 2fa.

I tried out with uncommenting @include common-auth and also #auth required pam_yubico.so id=16 debug

I ran into the same problems. Password only wasn’t working anymore and if password+yubikey, it’s the same result. Cannot login

I just added ssh keys.

Now that I added keys, it ask anything to log in with default settings, which is good. But when I add the OTP, it’s the same… not needed

Shooting in the dark here, but assuming you want a password + physical tap on yubikey, don’t you need a pam module for that on the server side?

Have you tried running ssh with -vvv added to see where the authentication method exchange is going wrong?

Well, now that I have a ssh key, I can login without password or yubikey… and if I add the rule to need the yubikey for sudo, same problem… impossible to authenticate
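
An added example, not part of any post in this thread: a small checker for the "OTP not needed" symptom, built around the `AuthenticationMethods` and `pam_yubico.so` points raised in the replies. The config snippets are constructed samples (the poster's real files are not shown here), `diagnose` and `sshd_options` are hypothetical helper names, and the `UsePAM` default of `no` is upstream OpenSSH's.

```python
import re

PAM_AUTH = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def sshd_options(text):
    """Global sshd_config options: keywords are case-insensitive, first value wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts and parts[0].lower() == "match":
            break  # per-user Match blocks are not evaluated in this sketch
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def diagnose(sshd_text, pam_text):
    """Return reasons why sshd would not enforce the OTP as a second factor."""
    o, findings = sshd_options(sshd_text), []
    if o.get("usepam", "no") != "yes":
        findings.append("UsePAM is not yes: /etc/pam.d/sshd is never consulted")
    kbd = o.get("kbdinteractiveauthentication",
                o.get("challengeresponseauthentication", "yes"))
    if kbd != "yes":
        findings.append("keyboard-interactive is off: no separate OTP prompt")
    # Each space-separated list in AuthenticationMethods is one complete way in.
    lists = o.get("authenticationmethods", "any").split()
    pam_backed = ("keyboard-interactive", "password")
    if o.get("pubkeyauthentication", "yes") == "yes" and not all(
            any(p in lst for p in pam_backed) for lst in lists):
        findings.append("a public key alone completes login: PAM auth is skipped")
    controls = [m.group(1) for m in map(PAM_AUTH.match, pam_text.splitlines())
                if m and m.group(2).endswith("pam_yubico.so")]
    if not controls:
        findings.append("no active pam_yubico.so auth line: no OTP is requested")
    elif "sufficient" in controls:
        findings.append("pam_yubico.so is sufficient: OTP is optional, not required")
    return findings

# Constructed samples: the first pair reproduces the symptom, the second requires key + OTP.
SSHD_BROKEN = "UsePAM yes\nChallengeResponseAuthentication yes\nPubkeyAuthentication yes\n"
PAM_BROKEN = "@include common-auth\n#auth required pam_yubico.so id=16 debug\n"
SSHD_FIXED = SSHD_BROKEN + "AuthenticationMethods publickey,keyboard-interactive\n"
PAM_FIXED = "#@include common-auth\nauth required pam_yubico.so id=16 debug\n"

if __name__ == "__main__":
    for name, s, p in (("broken", SSHD_BROKEN, PAM_BROKEN), ("fixed", SSHD_FIXED, PAM_FIXED)):
        print(name, diagnose(s, p) or "OTP is enforced")
```

Settings inside `Match` blocks (for example to require the OTP only for specific admin accounts) are not evaluated by this checker.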