How to install and configure the yubikey-pam module on archlinux

Published on July 09, 2013

Not so long ago I've been gifted with a Yubikey. It's a two-auth hardware solution with multiple auth methods (OTP, Challenge-response, OATH-HOTP and static password). It easily scaled to one of my favourite and most useful gadgets.

I've been a google authenticator user for a while, but the yubikey is just much easier to work with: when configured, you only need to tap a button on the usb stick to generate your key. You can use this in many ways, but in this post I'm focusing on ssh authentication and how to install the yubico-pam module into an Arch installation.

Installing the required packages

Thanks to the awesome arch community we already have the needed packages on the AUR, these are: yubico-pam- git, yubico-c-client- git, yubikey- personalization-git and libyubikey. Keep in mind that you may need to install more packages depending on your system installation.

You can install that with your favourite AUR helper or using makepkg:

$ curl -O https://aur.archlinux.org/packages/li/libyubikey/libyubikey.tar.gz
$ tar xvzf libyubikey.tar.gz
$ cd libyubikey
$ makepkg PKGBUILD
# ...
$ sudo pacman -U libyubikey-1.10-2-x86_64.pkg.tar.xz

Repeat that step for all the packages, in order: libyubikey, yubico-c- client, yubikey-personalization and yubico-pam. If you have trouble installing from the AUR refer to the appropiate wiki page.

Configure the PAM module

Edit /etc/pam.d/sshd and add on top on the rest of the auth modules:

auth sufficient pam_yubico.so id=XXXX key=XXXX

You can obtain an ID/key conbination by registering your yubikey at this page.

Authorization methods

Individual authorization mapping

If your server have multiple users this is the easiest method to let them configure their yubikeys. You just need to create the file $HOME/.yubico/authorized_yubikeys with the following contents:

<username>:<Yubikey token ID 1>[:<Yubikey token ID 2][:...]

The yubikey token identifier can be obtained by removing the last 32 characters of any OTP value, and you can add more than one ID to the file.

Restart your ssh server to apply the changes.

Central authorization mapping

Create a file on /etc/yubikey_mappings that will contain all your users and their respective yubikey token identifiers, like this:

<first username>:<Yubikey token ID 1>[:<Yubikey token ID 2][:...]
<second username>:<Yubikey token ID 3>[:<Yubikey token ID 4][:...]

For this to work, you need to specify this file to the pam module authfile parameter:

auth sufficient pam_yubico.so id=XXXX key=XXXX authfile=/etc/yubikey_mappings

After that estart your ssh server to apply the changes.

Logging in

The next time you're asked for a password on you ssh login you can use a yubikey OTP instead of your current password -if you have any-.

This method works pretty well with authorized ssh keys as well, since you will log-in automatically from a computer with a configured ssh key but an OTP -or password- will be required for logging in from anywhere else.

Yubico-pam module | Github Yubico | Home page

If you want to approach me directly about this post use the most appropriate channel from the about page.