Unix PAM: ssh authentication with Yubico OTP and Google Authenticator

Login should be done with 2FA. My preferred way is to use my YubiKey.

As a fallback I want to use Google Authenticator. It is needed when, for example, you use an ssh client on the phone.

Hardware

YubiKey Editions
Standard, Edge or NEO are usable for PAM OTP authentication. The cheaper U2F-only Security Key will not work.

YubiKey Slot 2 configuration

download the YubiKey Personalization Tool and start it
configure Yubico OTP
Quick
select slot 2
Regenerate
write configuration
Upload to Yubico

remote host configuration

install

apt-get install libpam-yubico libpam-google-authenticator ntp
service ntp stop
ntpdate -s time.nist.gov
service ntp start

user configuration

login with your user account

Yubico OTP config

add your YubiKey's public identity to ~/.yubico/authorized_yubikeys
mkdir ~/.yubico
vi ~/.yubico/authorized_yubikeys

trinitor:vvaabbccddee
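To show what the authorized_yubikeys line actually does, here is an added example (my own code, not pam_yubico's): it parses a constructed copy of the file in the same user:id[:id...] layout as above and checks whether the public identity at the front of an OTP is registered for the user who is logging in. The public identity is everything in front of the 32-character encrypted block at the end of a Yubico OTP. The example does no modhex or OTP validation; that part is what the Yubico server does for the id= client on the pam line. The file contents and the OTP are constructed placeholders.

```python
from typing import Dict, List

# Constructed sample of ~/.yubico/authorized_yubikeys, same layout as the post:
# one line per user, "user:publicid[:publicid...]". The ids are placeholders.
SAMPLE_AUTHFILE = """\
# keys allowed to log in as each user
trinitor:vvaabbccddee
backup:cccccccccccd:ccccccccccce
"""

# The encrypted part of a Yubico OTP is always 32 modhex characters; whatever
# precedes it is the key's public identity.
OTP_SUFFIX_LEN = 32


def parse_authfile(text: str) -> Dict[str, List[str]]:
    """Map each user name to the list of public identities allowed for it."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # comment handling is my own choice
            continue
        user, *ids = line.split(":")
        mapping.setdefault(user, []).extend(i for i in ids if i)
    return mapping


def public_id(otp: str) -> str:
    """Strip the 32-char encrypted block; what remains is the public identity."""
    if len(otp) <= OTP_SUFFIX_LEN:
        raise ValueError("OTP too short to contain a public identity")
    return otp[:-OTP_SUFFIX_LEN]


def key_belongs_to_user(authfile: str, user: str, otp: str) -> bool:
    """True only if the key that produced this OTP is registered for this user.

    A valid OTP from a key registered to another account must be rejected here,
    before any server-side validation happens.
    """
    try:
        pid = public_id(otp)
    except ValueError:
        return False
    return pid in parse_authfile(authfile).get(user, [])


if __name__ == "__main__":
    otp = "vvaabbccddee" + "c" * 32          # constructed, not a real OTP
    print(public_id(otp))                     # vvaabbccddee
    print(key_belongs_to_user(SAMPLE_AUTHFILE, "trinitor", otp))   # True
    print(key_belongs_to_user(SAMPLE_AUTHFILE, "backup", otp))     # False
```

The mapping file only binds a key to an account; it never proves the OTP is fresh or genuine. That is why the pam line still has to talk to the validation server.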

Google Authenticator

Download a mobile phone app like the HDE OTP Generator or Google Authenticator
run “google-authenticator” in a shell
complete the steps to create the file ~/.google_authenticator
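The ntp step in the install section and the google-authenticator step belong together: the verification code is a TOTP, so it depends on the server and the phone agreeing on the time. The following added example (my own code, not the google-authenticator project's) implements RFC 6238 TOTP with HMAC-SHA1 and a verifier that accepts the previous, current and next 30-second step; the size of that window is an assumption for the example. The secret is the RFC 6238 test-vector key in base32, not a real one, so the codes it produces are the ones printed in the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector key ("12345678901234567890" in base32), not a real secret.
# google-authenticator writes a secret of this form to ~/.google_authenticator.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30      # time step used by Google Authenticator
DIGITS = 6
WINDOW = 1             # assumption: accept codes from one step before and after


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """The code the phone app shows at the given Unix time."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // STEP_SECONDS)


def verify(secret_b32: str, code: str, server_time: int, window: int = WINDOW) -> bool:
    """Accept the code if it matches any step within +/- window of the server clock."""
    secret = base64.b32decode(secret_b32, casefold=True)
    step = server_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, step + delta), code):
            return True
    return False


def skew_tolerated(secret_b32: str, phone_time: int, server_time: int) -> bool:
    """Would a code generated on the phone at phone_time pass on a server whose clock reads server_time?"""
    return verify(secret_b32, totp(secret_b32, phone_time), server_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET_B32, now))
    # A server clock 3 steps (90 s) off rejects every code the phone shows.
    print("90 s skew accepted:", skew_tolerated(TEST_SECRET_B32, now, now + 90))
```

A server clock that drifts by more than the window rejects every code the phone shows, which is exactly the failure the ntpdate step prevents.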

PAM configuration

replace all auth lines in /etc/pam.d/sshd
sudo vi /etc/pam.d/sshd

# Standard Un*x authentication.
# @include common-auth
# [...]
# Disallow non-root logins when /etc/nologin exists.
account    required     pam_nologin.so
# try the YubiKey first; on success skip the next line (Google Authenticator),
# on failure ignore the result and fall through to it
auth   [success=1 default=ignore]   pam_yubico.so id=22748 debug
auth   required                     pam_google_authenticator.so
# the account password is always required, whichever OTP succeeded
auth   required                     pam_unix.so nullok
# [...]
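The control values on those three auth lines decide which prompts you get and when the login is denied. As an added example (my own code, not Linux-PAM's), here is a small model of how PAM walks this stack: `required` records a failure but keeps going, `[success=1 default=ignore]` skips one module on success and contributes nothing on failure. Feeding it the outcomes of each module shows that a YubiKey success skips Google Authenticator, a YubiKey failure falls through to it, and the password check is consulted in every path.

```python
from typing import Dict, List, Tuple, Union

Control = Union[str, Dict[str, Union[int, str]]]

# Transcription of the auth stack from /etc/pam.d/sshd above, as (control, module).
STACK: List[Tuple[Control, str]] = [
    ({"success": 1, "default": "ignore"}, "pam_yubico.so"),
    ("required", "pam_google_authenticator.so"),
    ("required", "pam_unix.so"),
]


def run_stack(stack: List[Tuple[Control, str]], results: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Evaluate an auth stack the way PAM interprets its control values.

    results maps a module name to whether it would return success.
    Returns (login allowed?, modules that were actually consulted, in order).
    """
    i = 0
    consulted: List[str] = []
    failed = False        # a required module failed: continue, but deny at the end
    decided = False       # at least one module contributed a result
    while i < len(stack):
        control, module = stack[i]
        consulted.append(module)
        ok = results.get(module, False)
        if control == "required":
            decided = True
            if not ok:
                failed = True
            i += 1
            continue
        # [value=action] form: an integer skips that many following modules,
        # "ignore" leaves the outcome untouched, "bad"/"die" record a failure.
        action = control["success"] if ok else control["default"]
        if action == "ignore":
            i += 1
        elif isinstance(action, int):
            decided = True
            i += 1 + action
        elif action in ("bad", "die"):
            decided = True
            failed = True
            if action == "die":
                break
            i += 1
        else:
            raise ValueError(f"unsupported action {action!r}")
    # A stack in which no module ever set a result is denied by PAM.
    return (decided and not failed), consulted


if __name__ == "__main__":
    for scenario in (
        {"pam_yubico.so": True, "pam_unix.so": True},
        {"pam_yubico.so": False, "pam_google_authenticator.so": True, "pam_unix.so": True},
        {"pam_yubico.so": False, "pam_google_authenticator.so": False, "pam_unix.so": True},
        {"pam_yubico.so": True, "pam_unix.so": False},
    ):
        print(scenario, "->", run_stack(STACK, scenario))
```

The scenario worth checking before you rely on this stack is the last one: a valid YubiKey press with a wrong password must still be denied, and it is, because pam_unix is `required` and nothing jumps over it.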

Test 1: YubiKey

Keep the ssh connection open and use a new terminal window to test the connection. Don't lock yourself out.
ssh trinitor@servername

YubiKey for `trinitor': <press YubiKey for 3 seconds (slot 2)>
Password:               <enter user password>

Test 2: Google Authenticator

ssh trinitor@servername

YubiKey for `trinitor': <just press enter (enter invalid key)>
Verification code:      <open OTP app and enter key>
Password:               <enter user password>