Two-factor SSH with YubiKey on CentOS 5.6

YubikeyI believe the Passwords are the biggest security problem facing public computing and YubiKey is the answer. A password is often the only thing between your stuff and the people who want to steal your stuff.  Passwords fall victim to all sorts attacks. This little device acts like a USB keyboard. Each time you press the button it generates a thirty two charter one-time-password (OTP) password.

There are all kinds of instructions for installing a Yubikey.  Most are very confusing or miss a step. I hope this makes it simple for you.   All you really need these days are the rpms from the epel repository.  Note the release /5/ and system type /i386/.  I you have a different system you will need to get the right epel code.  For example, the file for Redhat 6 x64 is

rpm -i epel-release-5-4.noarch.rpm
yum install libyubikey
yum install pam_yubico
vi /etc/pam.d/sshd
auth       required id=#### debug authfile=/etc/sysconfig/yubikey
auth       include      system-auth
account    required
account    include      system-auth
password   include      system-auth
session    optional force revoke
session    include      system-auth
session    required

For more information on settings, see the project Wiki page.

Here are the parameters we are using.

  "id":         to indicate your client identity.

  "key":        to indicate your client key in base64 format.

  "debug":      to enable debug output to stdout or
                /var/run/pam-debug.log if it exists.

  "authfile":   to indicate the location of the file that holds the
                mappings of yubikey token IDs to user names.

Create a /etc/sysconfig/yubikey This file must contain a user name and the yubikey token ID separated by colons (same format as the passwd file) for each user you want to allow onto the system using a yubikey.

The mappings should look like this, one per line:


Individual, by user

Each user creates a ~/.yubico/authorized_yubikeys file inside of their home directory and places the mapping in that file, the file must have only one line:


To debug the process you can create a log file.  Don’t forget to remove this and the debug word from /etc/pam.d/sshd when you are done.

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log

Now you can tail the log file and try logging in.

tail -f /var/run/pam-debug.log &
ssh -l root localhost

Try logging in with a password only and the yubikey only.  Then try password+yubikey.

Please email me if you have any troubles.

This entry was posted in Examples. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *