SSH and sudo with Yubikey

Operating System & Version
CloudLinux 7
cPanel & WHM Version
102.0.2

DennisMidjord

Well-Known Member
Sep 27, 2016
Denmark
cPanel Access Level
Root Administrator
Hi.

Recently, we've configured our servers to require SSH keys and Yubikeys during SSH and password and Yubikey when using sudo. I'm looking for some feedback and experience with this kind of setup.

We did it like this:
  1. Install pam_yubico from epel-release
  2. Configured /etc/pam.d/sshd to include the following:
    Code:
    auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys
    and removed the following:
    Code:
    auth substack password-auth
  3. Configured $user:$key-id in /etc/yubikeys
  4. Made the following changes in /etc/ssh/sshd_config and restarted the service:
    Code:
    ChallengeResponseAuthentication yes
    Match User <username1>,<username2>,<...>
            AuthenticationMethods publickey,keyboard-interactive
  5. Included the following in /etc/pam.d/sudo:
    Code:
    auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys
Root login via SSH is already disabled so everything we do is done from individual wheel users.
Password authentication via SSH is also disabled.

Some clients have access to SSH but none of them with sudo access, of course.

Are there any possible problems with this setup?

I can think of one small issue: Granting cPanel support access to the servers.
They will need to login as a wheel user and use sudo - but won't be able to because there's no Yubikey configured.

Any feedback is much appreciated!
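Added example, not code from the thread or from pam_yubico itself: an offline check of the user-to-key mapping that the `authfile=/etc/yubikeys` option in steps 2, 3 and 5 relies on. pam_yubico reads that file as `user:public-id[:public-id...]`, where each public ID is the 12-character modhex prefix a Yubikey types before the 32-character encrypted part of its OTP; the OTP itself is verified by the validation service (YubiCloud by default when only `id=` is given, so sudo also depends on outbound connectivity to it), and only then is the public ID matched against the user's line. Because the module is `required` in both `/etc/pam.d/sshd` and `/etc/pam.d/sudo`, any wheel user or any name in the `Match User` list without an entry in the authfile cannot authenticate, which is the cPanel-support case raised above. The authfile text, the OTP and the user names below are constructed sample data; nothing here talks to a Yubikey or a server.

```shell
#!/bin/sh
# Added example, not code from the thread. Offline checks for the
# user-to-key mapping that pam_yubico reads from authfile=/etc/yubikeys.
# Lines have the form  user:public-id[:public-id...]  where each public
# ID is the 12-character modhex prefix a Yubikey types before the
# 32-character encrypted part of its OTP. Nothing here contacts a
# validation server; the OTP itself is only verified by the service that
# id=API_ID points pam_yubico at.

# Constructed sample authfile text in pam_yubico's authfile syntax.
# "carol" is deliberately absent: she stands for a wheel/support account
# that has no key enrolled.
SAMPLE_AUTHFILE='# user:public-id[:public-id...]
alice:ccccccbcgujh
bob:cccccccefghi:ccccccdkrtuv
'

# Constructed 44-character OTP: 12-char public ID + 32-char ciphertext.
SAMPLE_OTP='ccccccbcgujhnjrdejhgcbhfnjvbvefrkvfdvthjnbkl'

# Print the public ID of a 44-character modhex OTP; fail on anything else.
yubi_public_id() {
    otp=$1
    [ "${#otp}" -eq 44 ] || return 1
    case $otp in
        *[!cbdefghijklnrtuv]*) return 1 ;;   # not modhex
    esac
    printf '%s\n' "$otp" | cut -c1-12
}

# Print the public IDs mapped to USER in the AUTHFILE text, one per line.
yubi_key_ids_for() {
    authfile=$1 user=$2
    printf '%s\n' "$authfile" | grep -v '^[[:space:]]*#' |
    while IFS=: read -r name ids; do
        [ "$name" = "$user" ] || continue
        printf '%s\n' "$ids" | tr ':' '\n'
    done
}

# Succeed if the OTP's public ID is one of USER's mapped keys (the lookup
# pam_yubico performs after the validation server has accepted the OTP).
yubi_otp_matches_user() {
    id=$(yubi_public_id "$3") || return 1
    yubi_key_ids_for "$1" "$2" | grep -qx "$id"
}

# Print every user from the argument list that has no key mapped. Run it
# over the wheel group and every name in the sshd "Match User" list:
# with "auth required pam_yubico.so" such a user can neither sudo nor
# complete keyboard-interactive login.
yubi_unmapped_users() {
    authfile=$1; shift
    for u in "$@"; do
        [ -n "$(yubi_key_ids_for "$authfile" "$u")" ] || printf '%s\n' "$u"
    done
}

# Demo run with the constructed data.
echo "public id of sample OTP: $(yubi_public_id "$SAMPLE_OTP")"
if yubi_otp_matches_user "$SAMPLE_AUTHFILE" alice "$SAMPLE_OTP"; then
    echo "OTP belongs to a key mapped to alice"
fi
echo "wheel users with no Yubikey mapped:"
yubi_unmapped_users "$SAMPLE_AUTHFILE" alice bob carol
```

On a real server, feed `yubi_unmapped_users` the contents of `/etc/yubikeys` and the output of `getent group wheel` before restarting sshd or changing `/etc/pam.d/sudo`; an empty result means every account that will hit `pam_yubico.so` has at least one key, and a non-empty one names the accounts that would be locked out.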

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
cPanel Access Level
Root Administrator
Hey hey! That would be an issue for our support team. I'm wondering if the best option would be to temporarily disable that extra security restriction in the event you need to submit a ticket to us. Hopefully you don't need tickets too frequently as I hope things work well, but since that is required in the PAM configuration, I don't see another way around it.