March 24, 2016
I dug a little further after my last post and stumbled upon this excellent blog post. It turns out that using the libpam-oath module for two-factor authentication is a lot easier than the challenge-response module and it works rather fabulously.
I will document the steps I took here. Again, all credit goes to the author of that blog post above - I mainly followed his explanations and links.
What we are going to do
We want to enable two-factor authentication when logging in via SSH.
March 23, 2016
First off: this does not work as I wanted it to work ... it has some interesting implications, though.
The idea
I am using a YubiKey NEO for various things. It holds my PGP keys in its secure element and has the YubiKey slots configured to use HMAC-SHA1 challenge-response and static password. You can, for example, unlock your KeePass(X) database using OATH-HOTP or the challenge-response mechanism.
The idea was to use the PAM module in its challenge-response mode for authentication during SSH logins.