SSH and sudo with Yubikey
Hi.
Recently, we've configured our servers to require SSH keys and Yubikeys during SSH and password and Yubikey when using sudo. I'm looking for some feedback and experience with this kind of setup.
We did it like this:
- Install pam_yubico from epel-release
- Configured /etc/pam.d/sshd to include the following:
auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys
and removed the following:
auth substack password-auth
- Configured $user:$key-id in /etc/yubikeys
- Made the following changes in /etc/ssh/sshd_config and restarted the service:
ChallengeResponseAuthentication yes
Match User ,,<...>
AuthenticationMethods publickey,keyboard-interactive
- Included the following in /etc/pam.d/sudo:
auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys
Hey hey! That would be an issue for our support team. I'm wondering if the best option would be to temporarily disable that extra security restriction in the event you need to submit a ticket to us. Hopefully you don't need tickets too frequently as I hope things work well, but since that is required in the PAM configuration, I don't see another way around it.
Thanks for your reply, @cPRex! That was my thought as well. The only issue is remembering to enable it again once the ticket has been solved lol.
That *is* the trick, and it's the one part I can't help with, unfortunately.
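
An added example, not part of the thread and not code from pam_yubico or cPanel: a drift check for the configuration listed in the first post, which reports when the Yubikey requirement has been switched off (for instance for a support ticket) and not restored. File contents are passed in as strings; the user names and key ids in the samples are constructed, and Match User lists are assumed to be plain comma-separated names.

```python
import re

def _active(text):
    """Config lines with comments and blank lines stripped."""
    lines = (l.split("#", 1)[0].strip() for l in text.splitlines())
    return [l for l in lines if l]

def _requires_yubico(pam_text):
    return any(re.match(r"auth\s+required\s+pam_yubico\.so\b", l) for l in _active(pam_text))

def enforced_users(sshd_config):
    """Users whose Match User block sets AuthenticationMethods publickey,keyboard-interactive."""
    users, current = set(), []
    for line in _active(sshd_config):
        key, *rest = line.split(None, 1)
        arg = rest[0].split() if rest else []
        if key.lower() == "match":
            is_user = len(arg) == 2 and arg[0].lower() == "user"
            current = arg[1].split(",") if is_user else []
        elif key.lower() == "authenticationmethods" and arg == ["publickey,keyboard-interactive"]:
            users.update(current)
    return users

def audit(pam_sshd, pam_sudo, sshd_config, authfile):
    """Return findings; an empty list means the setup described in the post is in force."""
    findings = []
    if not _requires_yubico(pam_sshd):
        findings.append("pam.d/sshd: pam_yubico is not required")
    if any(re.match(r"auth\s+substack\s+password-auth\b", l) for l in _active(pam_sshd)):
        findings.append("pam.d/sshd: password-auth substack is active")
    if not _requires_yubico(pam_sudo):
        findings.append("pam.d/sudo: pam_yubico is not required")
    if not re.search(r"(?im)^[ \t]*(ChallengeResponse|KbdInteractive)Authentication[ \t]+yes\b", sshd_config):
        findings.append("sshd_config: keyboard-interactive authentication is not enabled")
    users = enforced_users(sshd_config)
    if not users:
        findings.append("sshd_config: no Match User block requires publickey,keyboard-interactive")
    # An enforced user with no authfile entry cannot pass the pam_yubico step.
    mapped = {l.split(":", 1)[0] for l in _active(authfile) if ":" in l}
    findings += [f"authfile: no key id for {u}" for u in sorted(users - mapped)]
    return findings

# Constructed sample files (user names and key ids are made up).
PAM_ON = "auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys\naccount include password-auth\n"
PAM_OFF = "#auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys\nauth substack password-auth\n"
SSHD = "ChallengeResponseAuthentication yes\nMatch User alice,bob\n  AuthenticationMethods publickey,keyboard-interactive\n"
KEYS = "alice:ccccccexample\n"

if __name__ == "__main__":
    for name, pam in (("enforced", PAM_ON), ("left disabled after a ticket", PAM_OFF)):
        print(name, audit(pam, PAM_ON, SSHD, KEYS))
```

Run from cron or a monitoring agent against the real files, a non-empty result is the reminder that the restriction is still off.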