Today I wanted to setup ssh yubikey authentication for a CentOS 7 box, and I've lost more time that expected.

Since I've found a lot of wrong documentation I'm posting below the correct procedure to setup yubikey authentication for CentOS/RHEL 7:

  1. Install the pam_yubico package: yum install -y pam_yubico
  2. Get an API key from yubico at https://upgrade.yubico.com/getapikey
  3. Edit /etc/pam.d/password-auth and add the following line (change API_KEY to the key obtained before):

    auth required pam_yubico.so id=API_KEY authfile=/etc/yubikey_mappings
    
  4. Setup the user-key map in /etc/yubikey_mappings, as:

    username:YUBIKEY1_ID[:YUBIKEY2_ID]*
    

    You can assign multiple keys to the same user, as shown above.

    To obtain a yubikey id, just plug the device, click on the button an get the first 12 characters. If you are too lazy to count you can have your machine do the job: type cut -c1-12, then press the yubikey button, and CTRL-D.

  5. Set the yubikey sebool so yubikey can reach api.yubico.com:

    setsebool -P authlogin_yubikey on
    
  6. If your outbound connections are firewalled, be sure that your box can connect to api*.yubico.com:443

Now you can login into you box just typing your unix password followed by the yubikey code, so when asked for you unix password just type it and then press the yubikey button.

If you want to enable yubikey also for sudo operations, apply the 3rd point to the /etc/pam.d/system-auth file as well.