Guide for setting up yubikey OTP ssh access with CentOS 7


Today I will show you how to use the YubiKey and set up authentication on CentOS 7 from scratch.
I have bought a YubiKey 2 Standard and will configure it to be used as an OTP device when logging on via SSH. This is a very cheap solution that offers a high level of security for home users.

The system I am using has just been installed and is a standard CentOS 7 with only the default selections made during installation. The system is also updated and current as of today.

Let’s start!

Begin by installing some packages

Clone the yubico-c library and install it.

If you get the error message

You need to install asciidoc

Clone the yubikey-personalization library and install it

Clone the yubico-c-client and install it

Clone the yubico-pam module and install it

Fix the symlink for the pam module
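Since the build commands themselves are not reproduced above, here is an added example (my script, not the guide's own commands or the Yubico projects' documentation) that performs the four clone-and-build steps in the order the guide uses and then fixes the PAM module symlink. The yum package names, the autotools invocation, the /usr/local install prefix, the module path /usr/local/lib/security/pam_yubico.so and the ld.so.conf.d entry are assumptions; the repository URLs are the upstream GitHub projects.

```shell
#!/bin/sh
# Added example: builds the four Yubico components from source on a fresh
# CentOS 7 box in the same order the guide follows. Package names, configure
# flags and the /usr/local install prefix are assumptions, not from the guide.
set -eu

# Build dependencies (assumed names from the CentOS 7 base/EPEL repos).
install_prereqs() {
    yum -y install git gcc make autoconf automake libtool pkgconfig \
        libusb1-devel libcurl-devel openssl-devel json-c-devel pam-devel asciidoc
}

# Repositories in the order the guide installs them.
yubico_repos() {
    printf '%s\n' \
        https://github.com/Yubico/yubico-c \
        https://github.com/Yubico/yubikey-personalization \
        https://github.com/Yubico/yubico-c-client \
        https://github.com/Yubico/yubico-pam
}

# Clone (if not already present) and build one autotools project into /usr/local.
build_repo() {
    url=$1
    name=${url##*/}
    [ -d "$name" ] || git clone "$url"
    cd "$name"
    autoreconf --install
    ./configure
    make
    make install
    cd ..
}

# Make the loader aware of /usr/local/lib so the later builds (and PAM) find
# the earlier libraries. Assumption: nothing else manages this file.
register_local_libs() {
    echo /usr/local/lib > /etc/ld.so.conf.d/usr-local.conf
    ldconfig
}

# PAM on CentOS 7 loads modules from /lib64/security; a source build of
# yubico-pam installs to /usr/local/lib/security by default (assumed), so link it.
# Both paths are parameters so the function can be exercised on scratch dirs.
# Returns 0 if the module is reachable at $dst afterwards.
fix_pam_symlink() {
    src=${1:-/usr/local/lib/security/pam_yubico.so}
    dst=${2:-/lib64/security/pam_yubico.so}
    [ -e "$src" ] || { echo "module not found at $src" >&2; return 1; }
    [ -e "$dst" ] || ln -s "$src" "$dst"
    [ -e "$dst" ]
}

main() {
    install_prereqs
    register_local_libs
    mkdir -p /usr/local/src/yubico && cd /usr/local/src/yubico
    for url in $(yubico_repos); do
        build_repo "$url"
        ldconfig
    done
    fix_pam_symlink
}

# Run the full build only when executed as build-yubico.sh, so the functions
# can also be sourced individually.
case "$0" in *build-yubico.sh) main ;; esac
```

Save it as build-yubico.sh and run it as root; if asciidoc is missing you will hit the error the guide mentions, which is why it is in the prerequisite list.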

NOTE! Before you continue: this is the point where you can lock yourself out and end up with a box you cannot access. Stay logged on as root in another terminal so that you can revert if it does not work. Console access will still work, so if you use KVM or something similar you should be able to get in that way.

Start by making sure your yubikey is configured as shown in this guide:
YubiKey YubiCloud Configuration

You should also make sure that the OTP function is working by going here after you have configured it:

Your server will need to be able to contact the yubikey API service to validate the auth, so make sure you have internet connection to the box as well.
When it is working, move on!

Change SELinux to run in permissive mode. People have been reporting issues with SELinux and the YubiKey, so I recommend putting it in permissive mode unless you want to spend a couple of hours troubleshooting.

Edit the file /etc/sysconfig/selinux and set the parameter SELINUX to permissive as shown below.

This takes effect at the next boot. Now run the command that switches the mode to permissive for the current session.

Get the status. The row “Current mode” should say “permissive”.
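As an added example (mine, not the guide's commands), the three SELinux steps above in one script: the persistent edit of the file the guide names, the runtime switch, and the status check. The config path is a parameter so the edit can be tried on a scratch copy first; setenforce and getenforce are the standard SELinux utilities, and the ausearch line at the end is an assumption about what is installed.

```shell
#!/bin/sh
# Added example: put SELinux in permissive mode persistently and for the
# running session, then report the state, as the guide describes.
set -eu

# Rewrite the active SELINUX= line so the setting survives a reboot.
# Comment lines start with '#' and are left alone; SELINUXTYPE= is untouched.
# Prints the resulting value so callers can check it.
set_selinux_permissive() {
    cfg=${1:-/etc/sysconfig/selinux}
    sed -i 's/^SELINUX=.*/SELINUX=permissive/' "$cfg"
    sed -n 's/^SELINUX=//p' "$cfg"
}

# Change the mode for the current boot (no restart needed) and report it;
# getenforce prints "Permissive" once this has run.
selinux_permissive_now() {
    setenforce 0
    getenforce
}

# Permissive mode still logs every denial to the audit log, so the denials
# pam_yubico would have hit can be collected and reviewed later, which is
# what you need if you want to go back to enforcing (ausearch comes from the
# audit package; assumed to be installed):
#   ausearch -m AVC -ts recent

case "$0" in *selinux-permissive.sh)
    set_selinux_permissive
    selinux_permissive_now
    ;;
esac
```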

Create a user; I have picked the name ‘test’. Make sure you set its password as well.

Edit the file /etc/pam.d/sshd

Make sure it contains the row:

as seen below in the file:

Create the authfile mentioned above.

Add your user and your YubiKey id separated by ‘:’. This is how my /etc/yubipasswd file looks:
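The pam_yubico row for /etc/pam.d/sshd and the /etc/yubipasswd entries are not reproduced above, so this added example (mine, not the guide's or the yubico-pam project's code) covers both: it prints the PAM row, derives the YubiKey id for the authfile from an OTP, appends the entry, and validates the whole file. The option names id=, key= and authfile= are pam_yubico's real options; the fact that a YubiKey OTP is 44 modhex characters whose first 12 are the key's public id is what the authfile relies on. The client id 12345 and the OTP in the test are constructed placeholders, not values from the guide.

```shell
#!/bin/sh
# Added example: the sshd PAM row and /etc/yubipasswd helpers.
set -eu

# The row the guide asks you to put in /etc/pam.d/sshd (assumed form):
# pam_yubico validates the OTP against YubiCloud using your API client id and
# maps the key's public id to a user through the authfile. A key=<API secret>
# option can be added so requests to YubiCloud are signed.
pam_yubico_row() {
    client_id=$1; authfile=${2:-/etc/yubipasswd}
    printf 'auth required pam_yubico.so id=%s authfile=%s\n' "$client_id" "$authfile"
}

# True if the string consists only of modhex characters (cbdefghijklnrtuv),
# the alphabet a YubiKey types its OTP in.
is_modhex() {
    case $1 in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;
    esac
}

# A YubiKey OTP is 44 modhex chars: 12-char public id + 32-char encrypted part.
# The public id is the part that goes into the authfile.
otp_public_id() {
    otp=$1
    [ ${#otp} -eq 44 ] && is_modhex "$otp" || { echo "not a YubiKey OTP: $otp" >&2; return 1; }
    printf '%s\n' "$otp" | cut -c1-12
}

# Append "user:publicid" to the authfile, refusing bad OTPs and duplicate users.
add_authfile_entry() {
    file=$1; user=$2; otp=$3
    id=$(otp_public_id "$otp") || return 1
    if grep -q "^$user:" "$file" 2>/dev/null; then
        echo "$user already has an entry in $file" >&2; return 1
    fi
    printf '%s:%s\n' "$user" "$id" >> "$file"
    chmod 600 "$file"   # PAM reads it as root; nobody else needs to
}

# Validate every line: a user, then one or more 12-char modhex ids, colon separated.
# Returns 1 if any line is malformed, naming the line on stderr.
check_authfile() {
    file=$1; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        user=${line%%:*}
        ids=${line#*:}
        if [ -z "$user" ] || [ "$user" = "$line" ]; then
            echo "$file:$n: expected user:id" >&2; bad=1; continue
        fi
        old_ifs=$IFS; IFS=:
        for id in $ids; do
            if [ ${#id} -ne 12 ] || ! is_modhex "$id"; then
                echo "$file:$n: bad public id '$id' for $user" >&2; bad=1
            fi
        done
        IFS=$old_ifs
    done < "$file"
    return $bad
}
```

Usage: pam_yubico_row 12345 prints the row to paste into /etc/pam.d/sshd, add_authfile_entry /etc/yubipasswd test "$(read otp; echo "$otp")" lets you press the key once to register it, and check_authfile /etc/yubipasswd catches the typo that would otherwise lock the user out.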

Open a new terminal and login as test

ssh test@your-yubikey-configured-system

When you are prompted for the password, type your password and then press your YubiKey, so that the two form one long string. Imagine:

[root@localhost test]# ssh test@localhost
test@localhost’s password: password + yubikey OTP token

The YubiKey sends Enter by default, and this should log you on! Voila!

Other information
If you have multiple configurations on your YubiKey, i.e. Configuration Slot 1 and Slot 2, you may have used the wrong slot. Slot 1 is triggered by a press of about 1 second and the other by a press of more than 2 seconds. (Or something like that.) I use Configuration Slot 1 because then you don't have to hold the button for as long.

If you have installed a default CentOS 7 you probably do not need to change other SSH-related configuration files such as /etc/ssh/sshd_config

or /etc/pam.d/system-auth by adding “try_first_pass” to the row

You can also try installing the packages from the EPEL repo. The packages are called:

The PAM module, I think, you will still have to build manually as shown above.

Links related to this guide

Good luck!
