Today I wanted to set up ssh yubikey authentication on a CentOS 7 box, and I lost more time than expected.
Since I found a lot of wrong documentation, I'm posting below the correct procedure to set up yubikey authentication on CentOS/RHEL 7:
- Install the pam_yubico package:
yum install -y pam_yubico
- Get an API key from yubico at https://upgrade.yubico.com/getapikey
- Edit /etc/pam.d/password-auth and add the following line (change API_KEY to the key obtained before):
auth required pam_yubico.so id=API_KEY authfile=/etc/yubikey_mappings
- Set up the user-key map in /etc/yubikey_mappings. You can assign multiple keys to the same user by listing them on the same line.
To obtain a yubikey id, just plug in the device, press the button and take the first 12 characters. If you are too lazy to count, you can have your machine do the job: type
cut -c1-12, then press the yubikey button, and read the 12 characters it prints.
- Set the yubikey sebool so yubikey can reach api.yubico.com:
setsebool -P authlogin_yubikey on
- If your outbound connections are firewalled, be sure that your box can connect to api.yubico.com.
Now you can log into your box just by typing your unix password followed by the yubikey code: when asked for your unix password, type it and then press the yubikey button.
If you want to enable yubikey also for sudo operations, apply the 3rd point (the pam_yubico line) to the /etc/pam.d/system-auth file as well.
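As an added example (not part of the original post), here is a small POSIX shell helper that extracts the 12-character public id from an OTP the way the `cut -c1-12` trick does, and sanity-checks an /etc/yubikey_mappings-style file before you rely on it for login. It assumes the pam_yubico authfile format `user:id[:id...]` and that public ids are 12 modhex characters; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: pam_yubico authfile
# lines look like "user:id1:id2", ids are 12 modhex chars (cbdefghijklnrtuv),
# and lines starting with '#' are treated as comments here.

# Print the 12-character public id of an OTP passed as $1.
yubikey_id() {
    printf '%s' "$1" | cut -c1-12
}

# Return 0 if $1 is a well-formed "user:id[:id...]" line, 1 otherwise.
check_mapping_line() {
    line=$1
    user=${line%%:*}
    ids=${line#*:}
    # need a non-empty user and at least one ':' separated id
    [ -n "$user" ] && [ "$ids" != "$line" ] || return 1
    old_ifs=$IFS; IFS=:
    for id in $ids; do
        printf '%s' "$id" | grep -Eq '^[cbdefghijklnrtuv]{12}$' \
            || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    return 0
}

# Check every non-blank, non-comment line of the file named in $1.
# Prints offending lines on stderr; returns non-zero if any is malformed.
check_mappings_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $l in ''|'#'*) continue ;; esac
        check_mapping_line "$l" || { echo "bad line: $l" >&2; bad=$((bad + 1)); }
    done < "$1"
    [ "$bad" -eq 0 ]
}

# Usage: ./check_mappings.sh /etc/yubikey_mappings
if [ "$#" -gt 0 ]; then
    check_mappings_file "$1"
fi
```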