One-Time-Passwords for SSH Authentication with Yubikey

This time on the show, using One-Time-Passwords in Linux for SSH authentication. We cover the theory and set up our server with a Yubikey. Plus relaying without GatewayPorts, easily edit Known_Hosts, Free SSHFS in Windows and a ton more!

First and foremost, mad props to Matt Levavi who scoured forums and mailing lists to compile a simple how-to. Here's the gist of setting up SSHD in Ubuntu to use authentication with a Yubikey.

mkdir ~/.yubico
sudo aptitude install autoconf libtool libusb-1.0-0-dev libcurl4-openssl-dev libpam-dev
# Download Yubico-pam, Yubico-c-client, Libyubikey and Yubikey-personalization
# Run the following in each directory, with Yubico-pam being last
autoreconf --install && ./configure && make && sudo make install
# Get an API key and passwd from https://upgrade.yubico.com/getapikey/
sudo vi /etc/pam.d/sshd
# Find PAM configuration and add:
# auth required pam_yubico.so id= key= debug
sudo vi /etc/pam.d/common-auth
# add "debug try_first_pass" to end of auth string
sudo vi /etc/ssh/sshd_config
# ensure PasswordAuthentication yes and ChallengeResponseAuthentication no
sudo mv /usr/local/lib/security/pam_yubico.so /lib/security
sudo vi ~/.yubico/authorized_yubikeys
# syntax: user:
sudo touch /var/run/pam-debug.log
sudo chmod go+w /var/run/pam-debug.log
sudo service ssh restart
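
Once the steps above are done, a quick audit of the edited files catches the usual leftovers: an empty id=, debug still switched on, or the world-writable debug log. The script below is an added example, not part of the original how-to; the function names are hypothetical, the mapping-file check assumes pam_yubico's documented user:tokenid format with the default 12-character modhex token ID, and it does not follow Include or Match blocks in sshd_config.

```bash
#!/usr/bin/env bash
# Added example: audit the files the setup steps above edit.
# Arguments default to the page's paths; pass copies to check offline.

# First uncommented value of an sshd_config keyword (sshd uses the first match).
sshd_value() {
    awk -v k="$1" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$2"
}

# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_yubikey_ssh() {
    local pam="${1:-/etc/pam.d/sshd}" cfg="${2:-/etc/ssh/sshd_config}"
    local map="${3:-$HOME/.yubico/authorized_yubikeys}"
    local log="${4:-/var/run/pam-debug.log}" line bad=0

    line=$(grep -E '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$pam" | head -n 1)
    if [ -z "$line" ]; then
        echo "FAIL: no pam_yubico.so auth line in $pam"; bad=1
    else
        if ! printf '%s\n' "$line" | grep -Eq '[[:space:]]id=[^[:space:]]+'; then
            echo "FAIL: pam_yubico.so id= is empty"; bad=1
        fi
        if printf '%s\n' "$line" | grep -Eq '[[:space:]]debug([[:space:]]|$)'; then
            echo "WARN: debug still set on pam_yubico.so"; bad=1
        fi
    fi

    [ "$(sshd_value PasswordAuthentication "$cfg")" = yes ] ||
        { echo "FAIL: PasswordAuthentication is not explicitly yes"; bad=1; }
    [ "$(sshd_value ChallengeResponseAuthentication "$cfg")" = no ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not explicitly no"; bad=1; }

    # Assumed mapping format: user:tokenid[:tokenid...], 12 modhex chars per ID.
    # Blank lines and lines starting with # are skipped by this script.
    if [ ! -r "$map" ] || grep -Ev '^[[:space:]]*(#|$)' "$map" |
            grep -Evq '^[^:[:space:]]+(:[cbdefghijklnrtuv]{12})+$'; then
        echo "FAIL: $map is missing or has a malformed line"; bad=1
    fi

    # The last setup step makes the debug log group- and world-writable.
    if [ -n "$(find "$log" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo "WARN: $log is world-writable; remove it after testing"; bad=1
    fi
    return "$bad"
}
```

Run audit_yubikey_ssh with no arguments on the server to check the live paths; a non-zero exit status means at least one finding was printed.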