Is remote ssh possible? #329
Frank-Steiner asked this question in Q&A
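Hi, pam-u2f is designed for local authentication. OpenSSH supports security keys though:
* `man 1 ssh-keygen` and the `FIDO AUTHENTICATOR` section; and
* `man 8 sshd` and the `AUTHORIZED_KEYS FILE FORMAT` section (among others); and
* `man 5 sshd_config`, etc.
We also have a resource at https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html.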
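Following the OpenSSH route suggested above, an added example (not part of the original replies and not Yubico's or OpenSSH's code): a Python check over an `authorized_keys` file that reports, per entry, whether sshd will demand PIN and touch, based on the `verify-required` and `no-touch-required` options from the `AUTHORIZED_KEYS FILE FORMAT` section. The sample entries, function names and verdict strings are constructed for illustration.

```python
# Added example: what sshd enforces per authorized_keys entry. SAMPLE is constructed.
SAMPLE = r'''# constructed entries, key blobs are placeholders
ssh-ed25519 AAAAplaceholder1 alice@laptop
sk-ssh-ed25519@openssh.com AAAAplaceholder2 alice@key
verify-required sk-ssh-ed25519@openssh.com AAAAplaceholder3 bob@key
from="10.0.0.0/8,192.0.2.1",command="echo \"hi, there\"",no-touch-required sk-ecdsa-sha2-nistp256@openssh.com AAAAplaceholder4 ci
'''
VERDICTS = {(True, True): "PIN + touch", (True, False): "PIN, touch not enforced",
            (False, True): "touch only", (False, False): "neither PIN nor touch"}

def split_entry(line):
    """Return (options, keytype); option values may hold quoted commas/spaces."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):   # no options field
        return [], line.split()[0]
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line) and (quoted or not line[i].isspace()):
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] == '"':
            cur.append('"')                 # escaped quote inside a value
            i += 1
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    rest = line[i:].split()
    return opts, (rest[0] if rest else "")

def audit(text):
    """Return [(line_no, keytype, verdict)] for every key entry."""
    report = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, ktype = split_entry(line)
        names = {o.split("=", 1)[0].lower() for o in opts}  # keywords are case-insensitive
        if not ktype.startswith("sk-"):      # FIDO-backed key types start with "sk-"
            verdict = "not a FIDO key"
        else:
            verdict = VERDICTS[("verify-required" in names,
                                "no-touch-required" not in names)]
        report.append((n, ktype, verdict))
    return report
```

The check reads per-key options only; a server-wide `PubkeyAuthOptions verify-required` in `sshd_config` enforces the PIN regardless of what an individual entry says.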
Ludvig Michaelsson wrote:
> pam-u2f is designed for local authentication.

Ok, thanks a lot for clarifying!

> OpenSSH supports security keys though:
> * `man 1 ssh-keygen` and the `FIDO AUTHENTICATOR` section; and
> * `man 8 sshd` and the `AUTHORIZED_KEYS FILE FORMAT` section (among others); and
> * `man 5 sshd_config`, etc.
> We also have a resource at https://developers.yubico.com/SSH/Securing_SSH_with_FIDO2.html

Yes, I'm aware of that, thanks for this howto! I will likely go this
way as it allows one to easily choose how much authentication one wants.
cu,
Frank
--
Dipl.-Inform. Frank Steiner Web: http://www.bio.ifi.lmu.de/~steiner/
Lehrstuhl f. Bioinformatik Mail: http://www.bio.ifi.lmu.de/~steiner/m/
LMU, Amalienstr. 17 Phone: +49 89 2180-4049
80333 Muenchen, Germany Fax: +49 89 2180-99-4049
* You can only understand recursion once you have understood recursion. *
Hi, I'm a little confused after reading through several pages about pam_u2f, so let me ask:
I can use remote ssh with yubikey by using a line like
auth sufficient pam_yubico.so id=16 debug authfile=/etc/yk
in /etc/pam.d/ssh and will get a prompt for using the Yubikey on my local machine to log in to the remote one.
So I tried the same with pam_u2f because I would like to enforce the PIN in addition to touching the key. I set up a key with pamu2fcfg etc. and tried this in /etc/pam.d/ssh:
auth sufficient pam_u2f.so authfile=/etc/u2f_keys cue pinverification=1
But it seems to work only for "ssh localhost", i.e. when the key is plugged into the machine I want to ssh into. For a remote ssh server no yubikey prompt appears (neither for the PIN nor for touching the device).
So is authentication to a remote ssh server supposed to work or is pam_u2f not able to do this?
cu,
Frank