This is especially tricky because at first it might work, but if the time gets async over time, it stops working and you have a problem. If your server time gets out of sync, you are locking yourself out. OTPs with Yubikey and Google Authenticator are time-based. Its very important that you don’t forget ntp. # apt-get install libpam-yubico libpam-google-authenticator ntp If something doesn’t work, you are locked out without an active session. If you don’t want to setup your own Yubico Authentication Server, you need to get your key here: Yubico API Key signupįirst, and this is very important: Login via SSH and don’t close that connection before you verified that everything is running. I assume that you have already activated public key login, if you didn’t: do it! So this howto describes how to activate Yubikey as 2FA for ssh on Debian or Ubuntu (works probably in a similar way on every other distro, but not tested) with Google authenticator as backup method.
Because if you lose or break your Yubikey, you are locked out. One Problem is that, if you don’t want to buy 2 (or more) of them, you need a backup solution.
Yubikeys are a great way to secure your ssh accounts with 2FA.
0 kommentar(er)
