2 minute read

I have recently got a Yubikey. A yubikey is a security token. A yubikey is a security token. There are two variations. One is a simple U2F (universal second factor) only key which allows you to secure sites like Google and github. The other is more flexible and allows you to use it in a configurable way. By default the first slot is used with a OTP for services like Google. I decided to use the second slot to create a One Time Password (or OTP) using the Yubicloud validation service which is free. This can be used to secure your own services. In this example I show how to setup 2FA on SSH in Ubuntu and showing how it can work with Digital Ocean.

Before you begin you will need:

  1. One yubikey (you can get these from Amazon)
  2. A programmed Yubikey with api key- watch an official video below
  3. Two SSH sessions with root privileges (I kept two open in case one went wrong!)

If you want to know how to programme the Yubikey this official demo will get you started:


Programming the YubiKey with a YubiOTP Credential from Yubico on Vimeo.

Now you are all setup follow the guide below:

In one of the terminals type the following commands:

apt-get update && apt-get install libpam-yubico

Edit the sshd pam file by typing the following:

nano /etc/pam.d/sshd
Add the following line at the very top of the file:

auth required pam_yubico.so id=XXXXX key=XXXXX authfile=/etc/yubikeys

Ensure you enter the ID and Key for Yubicloud account. If you don’t have these you can get them from here: https://upgrade.yubico.com/getapikey/

Create a new file you will need to enter the users who have Yubico. When using SSH all users will expected to have SSH. If you don’t want this you will need to use match directives which are beyond the scope of this guide.

nano /etc/yubikeys
Enter the users in the format of username:yubikeyid for example:


The Yubikey id is not clear from the website however the id is in fact achieved by placing a OTP code in a text file and taking the first 12 characters.

Next we need to configure SSH

nano /etc/ssh/sshd_config
Find ChallengeResponse inside the file and set it to yes

If not set to no already you can also disable publickey and Password Authentication. It may sound strange when you enter your yubikey token and account password to login but it does work.

If all is good restart the ssh service

service ssh restart

You can test it on the server by using localhost if easier: ssh tom@localhost

What about file transfers?

You can either setup filezilla and use challenge response (they call it by an alternative name of interactive authentication) or you can setup ProFTPD to be a traditional FTP server or for more security use it in SFTP mode on a different port. This also jails users to their home directory.


Leave a comment