SSH and sudo with Yubikey

[DennisMidjord]

Hi.

Recently, we've configured our servers to require SSH keys and Yubikeys during SSH and password and Yubikey when using sudo. I'm looking for some feedback and experience with this kind of setup.

We did it like this:

1. Install pam_yubico from epel-release
2. Configured /etc/pam.d/sshd` to include the following:
   

   auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys

   and removed the following:
   

   auth substack password-auth

3. Configured $user:$key-id in /etc/yubikeys
4. Made the following changes in /etc/ssh/sshd_config and restarted the service:
   

   ChallengeResponseAuthentication yes
   Match User <username1>,<username2>,<...>
           AuthenticationMethods publickey,keyboard-interactive

5. Included the following in /etc/pam.d/sudo:
   

   auth required pam_yubico.so id=API_ID authfile=/etc/yubikeys

Root login via SSH is already disabled so everything we do is done from individual wheel users.
Password authentication via SSH is also disabled.

Some clients has access to SSH but none of them with sudo access, of course.

Is there any possible problems with this setup?

I can think of one small issue: Granting cPanel support access to the servers.
They will need to login as a wheel user and use sudo - but won't be able to because there's no Yubikey configured.

Any feedback is much appreciated!

 

[cPRex]

Hey hey! That would be an issue for our support team. I'm wondering if the best option would be to temporarily disable that extra security restriction in the event you need to submit a ticket to us. Hopefully you don't need tickets too frequently as I hope things work well, but since that is required in the PAM configuration, I don't see another way around it.

 

[DennisMidjord]

Thanks for your reply, @cPRex!

That was my tought as well. The only issue is remembering to enable it again once the ticket has been solved lol.

 

[cPRex]

That *is* the trick, and it's the one part I can't help with, unfortunately.