OpenSSH + YubiKey HMAC-SHA1 challenge-response

by Anton Semjonov

_First off: this does not work as I wanted it to work ... it has some interesting implications though._

The idea

I am using a YubiKey NEO for various things. It holds my PGP keys in its secure element and has the YubiKey slots configured to use HMAC-SHA1 challenge-response and static password. You can for example unlock your KeePass(X) database using OATH-HOTP or the challenge-response mechanism.

The idea was to use the PAM module in its challenge-response mode for authentication during SSH logins. This is certainly possible for Yubico OTP mode, as described in the above link to the PAM module, but it does not appear to be possible using challenge-response mode without patches to OpenSSH. It would enable me to log in from unknown computers, where I have no ssh keys, based on something ‘I know’ (the user’s password) and something ‘I have’ (the YubiKey). I’d say this would be an adequately secure alternative to pubkey authentication.

Actual setup

The reason why it doesn’t work is that the module tries to find the YubiKey locally, i.e. on the server you are connecting to. There appears to be a patch for OpenSSH which enables similar functionality for U2F. I would like to stick to the official Debian packages though.
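A minimal model of the challenge-response check, added here as an illustration and not taken from the author's setup or from the PAM module's source: it assumes the verifier stores only a challenge and the response it expects, so it needs the token attached to the verifying host both to check a login and to enrol the next challenge. The names `Token` and `Verifier` and the 63-byte challenge length are assumptions of this sketch.

```python
import hashlib
import hmac
import os

CHALLENGE_LEN = 63  # assumption of this sketch


class Token:
    """Stand-in for a YubiKey slot in HMAC-SHA1 challenge-response mode."""

    def __init__(self, secret: bytes):
        self._secret = secret  # stays on the device, unknown to the server

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class Verifier:
    """Server-side state: one challenge plus the response expected for it."""

    def __init__(self, token: Token):
        self._enrol(token)

    def _enrol(self, token: Token) -> None:
        # The server cannot compute the HMAC itself, so it asks the token.
        self.challenge = os.urandom(CHALLENGE_LEN)
        self.expected = token.respond(self.challenge)

    def check(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self.expected)

    def authenticate(self, local_token) -> bool:
        if local_token is None:  # key is in the client machine, not here
            return False
        if not self.check(local_token.respond(self.challenge)):
            return False
        self._enrol(local_token)  # rotate so an old response cannot be replayed
        return True


if __name__ == "__main__":
    key = Token(os.urandom(20))  # constructed 20-byte secret
    server = Verifier(key)
    old = key.respond(server.challenge)
    print("token in server:", server.authenticate(key))      # True
    print("token in client:", server.authenticate(None))     # False
    print("replayed response:", server.check(old))           # False
```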

So, in fact I did get it to work only when inserting the YubiKey into the machine you are SSH’ing into:

Bottom line

As written above, this only works when the YubiKey is inserted into a USB slot on my NAS which I am connecting to. I have to press the button on the YubiKey once I start connecting and then enter my password in the terminal afterwards.

It is not what I intended to do but I believe it is an interesting fallback method, when enabled in logical OR with publickey auth. The fact that it requires a YubiKey makes it vastly more secure than a password alone, so you don’t leave your server ‘open’ to attacks.

I might look into possibilities with OATH-HOTP with sshd in the future … I refuse to use the Yubico OTP functionality for this, as it either requires authentication by the Yubico servers or installation of an additional local server. Also I lose the possibility to unlock my KeePassX database then. :)