Using Yubikey as your Two-Factor-Authentication for SSH


Last week I ordered my own OTP token, a YubiKey. An alternative is possibly SweKey, but after lots of reading on both sites I came across their Security Evaluation. In the end I just found YubiKey friendlier.

It arrived just a few days after I ordered; despite their statement that it is sent from the US, it was in fact sent from the UK. I have just finished setting my token up with two-factor authentication for SSH access and it works really well.

It actually supports any two of the three authentication mechanisms:

  1. Standard YubiKey 44 character one time pass code.
  2. OATH 6 or 8 digit one time password
  3. 1-44 character static pass code

Reading about OATH and remembering that I have never actually seen it being used anywhere made the decision quite quick: I just need to set up a static pass code – just in case. Watching the video on here was quite beneficial and made it quite easy to use their Personalization Tool.

So I kept pressing and kept looking at the generated OTP tokens… they look really neat:

cccccccaurjbdlkbrelinhnbuuhljilrkehdcvfecjuc

and so forth.
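A standard 44-character YubiKey OTP consists of a 12-character public ID, which stays the same on every press, followed by 32 characters carrying one encrypted 16-byte block, all written in Yubico's modhex alphabet. The following is an added example, not part of the original post: it checks that layout and extracts the public ID, the part a validating server uses to look up the token. The sample tokens and function names are constructed for illustration.

```python
# Added example: structural check of a standard YubiKey OTP.
# Sample tokens below are constructed, not real OTPs.
MODHEX = "cbdefghijklnrtuv"   # modhex digit at index i stands for hex digit i
HEX = "0123456789abcdef"
_TO_HEX = str.maketrans(MODHEX, HEX)

OTP_LEN = 44         # standard OTP length, as stated in the post
PUBLIC_ID_LEN = 12   # leading static part that identifies the token
# The remaining 32 modhex characters decode to 16 bytes (one AES-128 block).


class OTPFormatError(ValueError):
    """Raised when a string cannot be a standard YubiKey OTP."""


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to raw bytes, rejecting foreign characters."""
    bad = sorted(set(s) - set(MODHEX))
    if bad:
        raise OTPFormatError(f"non-modhex characters: {''.join(bad)}")
    if len(s) % 2:
        raise OTPFormatError("odd number of modhex digits")
    return bytes.fromhex(s.translate(_TO_HEX))


def split_otp(otp: str):
    """Return (public_id, public_id_bytes, encrypted_block) for a 44-char OTP."""
    otp = otp.strip().lower()   # tolerate trailing newline and caps lock
    if len(otp) != OTP_LEN:
        raise OTPFormatError(f"expected {OTP_LEN} characters, got {len(otp)}")
    public_id, block = otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]
    return public_id, modhex_decode(public_id), modhex_decode(block)


def same_token(otp_a: str, otp_b: str) -> bool:
    """Two OTPs come from the same key if their public IDs match."""
    return split_otp(otp_a)[0] == split_otp(otp_b)[0]


# Constructed samples: same public ID, different encrypted parts.
SAMPLE_A = "cccccccfhcbe" + "cbdefghijklnrtuv" * 2
SAMPLE_B = "cccccccfhcbe" + "vutrnlkjihgfedbc" * 2

if __name__ == "__main__":
    pid, pid_raw, block = split_otp(SAMPLE_A)
    print(pid, pid_raw.hex(), len(block), same_token(SAMPLE_A, SAMPLE_B))
```

This only checks the format; whether an OTP is genuine and unused can only be decided by the validation service that holds the token's AES key.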

So now to the interesting bit, using YubiKey OTP for SSH authentication. The necessary “generation of some binary data” for my system was nicely described on here, I just used the latest software versions.

So logging in by SSH with an OTP token works pretty nicely. But I also wanted to have two-factor authentication with it. Some changes to PAM as described on here sorted this last issue.

The next stage is then to use this on my OpenID configuration, as my OpenID provider CommunityID gives me YubiKey support. Which is even neater.
