Contributed by pitrh on from the ssh! key other keys dept.
For a long while now I've been complaining that usernames and passwords aren't enough. With ssh(1) you've also got keys and other variants, however the recent addition of AuthenticationMethods in sshd(8) really is a thing of beauty! What AuthenticationMethods allows you to do is specify a list, or multiple lists, of chained authentication methods that must all succeed in order to authenticate the user.
So for instance "publickey,password" would require a successful public key authentication, followed by a successful password authentication. That in itself is very useful and makes ssh authentication much stronger, but when you combine it with something like a yubikey, the strength goes way up! I've had several yubikeys for a long while, and you've been able to log into your OpenBSD box with them for a while too, so I set out to see how it would look to use one to authenticate ssh in the same fashion.
The setup for the yubikey is fairly straightforward. OpenBSD has the yubikey personalization tools in ports and it should also be noted that you no longer need to reboot your machine between programming your yubikey and using it :).
For this test I used the yubikey-personalization-gui tool and programmed my yubikey. By choosing Yubico OTP and selecting the Advanced programming option you're prompted to select which slot to put your new profile in. Since I still want to use this yubikey with my other accounts that are tied to the yubikey authentication service, I programmed the second slot. The folks at yubikey provide a couple of buttons to generate valid modhex Public Identities, Private Identities, and Secret Keys. You can copy the private identity and secret key into /var/db/yubikey/$user.uid and /var/db/yubikey/$user.key respectively, and then write the configuration to your yubikey.

Once this is done you can tell your login.conf that you'd like to allow yubikey as a valid authentication method. If you're feeling brave like I was, you can put yubikey as the default and leave passwd in as a fallback. Note that yubikey being set as the default authentication method is what allows sshd to be used with your yubikey. You can test your yubikey configuration from the command line using login. You'll need to long press your yubikey for 4 seconds in order to activate the OTP in the second slot.

If you've been brave and made yubikey your default auth method and you haven't configured yubikey for root, you'll want to take note of the -a flag for su. If you don't have your yubikey present and want to sudo something, the -a flag works there as well.
I won't bore you to death with the setup details of creating SSH keys since it's covered well in the docs. The short summary is to ssh-keygen your key; I like to password-protect mine. Copy the PUBLIC key to .ssh/authorized_keys and test that it works.
Now to put it all together. In your sshd_config add a new line with AuthenticationMethods publickey,password. You can also create other auth schemes for users without yubikeys. Now to test! ssh localhost should now display "Authentication with partial success." and prompt you for a password. A long press on your yubikey will generate an OTP and send it, and voila!
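To show how the two halves fit together, here is an added example (my own fragments, not from the post) of the login.conf and sshd_config pieces described above; the "nokey" login class and group name are assumptions chosen for illustration.

```conf
# /etc/login.conf excerpt: yubikey becomes the default bsd_auth(3)
# style, with passwd kept as the fallback. sshd's "password" method is
# checked through this default style, which is why yubikey has to be
# the default for an OTP to satisfy the second link of the chain.
auth-defaults:\
	:auth=yubikey,passwd:

# Hypothetical class for accounts that have no yubikey (assign it with
# usermod -L nokey <user>). "auth" is set before tc=default so it wins
# over the auth-defaults that default pulls in; these users chain a
# public key with their ordinary password instead of an OTP.
nokey:\
	:auth=passwd:\
	:tc=default:

# /etc/ssh/sshd_config excerpt: both methods must be enabled for the
# chain to be satisfiable, then every login needs a key AND whatever
# the user's login class accepts as "password" (OTP or passwd).
PubkeyAuthentication yes
PasswordAuthentication yes
AuthenticationMethods publickey,password
```

After editing, run cap_mkdb /etc/login.conf if you keep a login.conf.db, check sshd_config with sshd -t, and keep one console logged in until ssh localhost shows "Authentication with partial success." and then accepts the OTP.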
You should be warned that if you use xlock there doesn't appear to be an easy way to fall back to passwd authentication. If you can't find your yubikey you'll need to log in with username:passwd in another console and kill xlock. Have fun, and be safe out there! :)