Adding Yubikey 2 factor authentication to your Red Hat Enterprise Linux estate

A few weeks ago I covered how to integrate the YubiRadius Virtual Appliance into FreeIPA (which you can find here) and into Microsoft Active Directory (which you can find here).

This article is a quick walkthrough of how to take that authentication one step further and add two-factor authentication to the same login process across your Red Hat Enterprise Linux server estate.

The YubiKey adds a second factor by typing a one-time password (OTP) when you press it: a 44-character string that the validation service accepts once and rejects if it is ever replayed.

In this article I will be adding YubiKey two-factor authentication to an existing Red Hat Enterprise Linux 6.3 system that already authenticates against FreeIPA. The process is identical for systems authenticating against Microsoft Active Directory.

Step 1. Let's start by installing the necessary package.

Note that on RHEL the pam_yubico package comes from the EPEL repository, so you will need that enabled first. On Fedora the package is already available in the standard repositories.

[root@server ~]# yum install -y pam_yubico


Step 2. Create the authfile that maps users to their key(s)
For consistency with other system configuration on Red Hat based distributions, I place mine in /etc/sysconfig.

In this file we need the YubiKey ID of each token. The key ID (also called the public ID) is the first 12 characters of any one-time password the key emits; those 12 characters are the same for every OTP from that key, while the remaining 32 change on every press.

For example, here is a one time password, cccccccfgfhgjneetndbnbujhduuvblrjljrjjtlhueg

If I take the first 12 characters of the above output, my key ID is cccccccfgfhg

We need to place this key ID next to each username we wish to allow YubiKey authentication for. pam_yubico documents the format as username:keyid, one user per line, with no whitespace around the colon; the module compares the fields literally, so keep to that format exactly.
For example
username:cccccccfgfhg
dale:ccccccbgbrcr

If you wish to allow multiple keys per user, simply separate them with a : (colon)

For example

username:cccccccfgfhg:ccccccbgbrcr
dale:ccccccbgbrcr

Now, let's create our key file

[root@server ~]# vi /etc/sysconfig/yubikey
username:cccccccfgfhg
dale:ccccccbgbrcr


Step 3. Add the yubico PAM module to your local PAM configuration.
Here you have a few options. I use full system-wide authentication, which I configure in /etc/pam.d/system-auth; alternatively you can add YubiKey authentication to only the services you choose, should you not want it for the entire system. For example, you would configure SSH in /etc/pam.d/sshd. Note that for SSH the OTP prompt only reaches the user when sshd goes through PAM's keyboard-interactive path, i.e. UsePAM yes and ChallengeResponseAuthentication yes in /etc/ssh/sshd_config; public-key logins do not run the PAM auth stack at all, so they are not covered by this module.

Add the line below to /etc/pam.d/system-auth to integrate system-wide authentication. It must go before the password modules that are marked sufficient (pam_unix, and pam_sss for FreeIPA), otherwise a correct password ends the stack before the OTP is ever checked, and it is marked required so that a bad or missing OTP fails the login even though the password modules succeed.

auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey

If you have your own internal YubiKey validation server, you can point the module at it with the "url" option

auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey url=

If you do not specify a url, the default is to validate against the Yubico YubiCloud service. In that case the id= value is your Yubico API client id and should be paired with key=, the matching API key; request your own pair from Yubico rather than using id=1, because without key= the module cannot verify the HMAC signature on the validation response, so a forged "OK" reply on the network path would be accepted. Whichever server you use must be reachable from the host, or every login that goes through this stack will fail.

Here is my system-auth file, if you would like to compare

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth required pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth sufficient
auth sufficient nullok try_first_pass
auth requisite uid >= 500 quiet
auth sufficient use_first_pass
auth required

account required
account sufficient
account sufficient uid < 500 quiet
account [default=bad success=ok user_unknown=ignore]
account required

password requisite try_first_pass retry=3 type=
password sufficient sha512 shadow nullok try_first_pass use_authtok
password sufficient use_authtok
password required

session optional revoke
session required
session optional
session [success=1 default=ignore] service in crond quiet use_uid
session required
session optional
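
Added here as an example (not part of the original article or of pam_yubico itself): a POSIX sh checker for the auth stack of a PAM service file, covering the three things that most often go wrong with this setup: the pam_yubico rule missing or not marked required, placed after a sufficient rule so a password alone ends the stack, or lacking authfile= or key=. It assumes one rule per line as in the listing above and does not follow include lines; write_sample_stack writes a constructed sample mirroring this article's stack (id=1, no key=) so the checker can be tried without touching /etc/pam.d. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): lint the auth stack of a PAM
# service file before trusting it. Assumed: rules are one per line in the
# form shown above, and "include"/"substack" lines are not followed.

# First auth rule that loads pam_yubico.so, or nothing.
pam_yubico_rule() {
    grep -E '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$1" | head -n 1
}

# Line number of the first auth rule whose control flag is "sufficient".
first_sufficient_auth() {
    grep -nE '^[[:space:]]*auth[[:space:]]+sufficient' "$1" | head -n 1 | cut -d: -f1
}

# Exit 0 when the stack looks right; otherwise print one finding per line
# and exit 1.
pam_yubico_check() {
    f=$1; rc=0
    rule=$(pam_yubico_rule "$f")
    if [ -z "$rule" ]; then
        echo "no auth rule loads pam_yubico.so"
        return 1
    fi
    # The OTP rule must be "required": with "sufficient", a valid password from
    # pam_unix/pam_sss further down would still end the stack successfully.
    case "$rule" in
        *required* | *requisite*) ;;
        *) echo "pam_yubico.so is not required (found: $rule)"; rc=1 ;;
    esac
    # And it must come before the first "sufficient" rule, or that rule can
    # finish authentication before the OTP is ever asked for.
    yk=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$f" | head -n 1 | cut -d: -f1)
    suff=$(first_sufficient_auth "$f")
    if [ -n "$suff" ] && [ "$yk" -gt "$suff" ]; then
        echo "pam_yubico.so (line $yk) is after a sufficient rule (line $suff)"; rc=1
    fi
    # authfile= maps users to key IDs; key= is the API key pam_yubico uses to
    # verify the HMAC on the validation server's reply. Without it a forged
    # "OK" reply from the network would be accepted.
    case "$rule" in *authfile=*) ;; *) echo "missing authfile="; rc=1 ;; esac
    case "$rule" in *key=*) ;; *) echo "missing key= (server replies are not signature-checked)"; rc=1 ;; esac
    return "$rc"
}

# Constructed sample that mirrors the stack in this article (id=1, no key=),
# written to $1 so the findings can be seen without touching /etc/pam.d.
write_sample_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_yubico.so id=1 authfile=/etc/sysconfig/yubikey
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
EOF
}
```

Run it as pam_yubico_check /etc/pam.d/system-auth (or /etc/pam.d/sshd if you only protected SSH); against the constructed sample it reports exactly one finding, the missing key=, and adding key= to that line makes it pass.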


Step 4. Test your configuration
If everything is working, you should see a new prompt asking for your YubiKey OTP in addition to your password. Test from a second session while keeping an existing root shell open: with the module marked required, a typo in the authfile or an unreachable validation server locks everyone out, root included, until you fix it.


[dale@server ~]$ su -l root
Yubikey for `root':
[root@server ~]#

Feel free to contact me or leave comments should you need any assistance.

One comment on "Adding Yubikey 2 factor authentication to your Red Hat Enterprise Linux estate"

  1. nayeem April 2, 2014 07:31


    I tried going through your step-by-step guide, but unfortunately it does not work for me. When I try to switch user it asks for the Yubikey; after putting in the right key and password it returns a "password incorrect" message.
    [nayeem@localhost ~]$ cat /etc/sysconfig/yubikey
    nayeem: cccccccccccc
    [nayeem@localhost ~]$
    [nayeem@localhost ~]$ su - nayeem
    Yubikey for `nayeem':
    su: incorrect password
    [nayeem@localhost ~]$

    And I didn't find any incoming login request in /var/log/secure.

    any idea ?
