Doubling up on 2FA

I haven’t used passwords to log in to my server for years; I’ve been using key-based authentication. This works pretty well, and I can even use 1Password’s integration as an SSH agent to hold the keys so that wherever I go, the keys are available to me.

As a “learn how to do it” exercise, I’ve also turned on OTP using the pam_google_authenticator module. It works reasonably well; I just had to tune the sshd_config file to allow keyboard-interactive authentication and to use PAM. I picked up the idea from work, where the threat is that someone has acquired the corp CA-signed certificate for the relevant username; requiring the second factor means an attacker needs more than just the certificate.

The drawback, as such, is that I have to open 1Password to get the 6-digit OTP code every time I want to log in.

The next step in “how to do it” was chaining a Yubikey OTP with a 6-digit OTP, and flagging either one as acceptable. This means that if I’ve got a Yubikey plugged in, I can just tap it instead. If I’m somewhere without my Yubikey, I can use 1Password (or Duo, or Authy, etc.) to get the 6-digit OTP.

Turns out it’s trivial enough – install the Yubico PAM module, use their API key request page to get an ID and key, stick one line in my sshd PAM configuration, and add one file in my home directory. It should be noted that this PAM module contacts Yubico’s validation service over the network to verify the OTP, so outbound network access is needed. I don’t think I’d do this setup with just public key + Yubikey, because their API service could break and leave me unable to log in.

Both the pam_yubico and pam_google_authenticator modules are tagged as sufficient for PAM authentication: success returns immediately, failure means “move to the next option”. Works quite nicely.
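To make the “sufficient” semantics concrete, here is a small model of how Linux-PAM walks this auth stack. It is an added example written for this post, not Linux-PAM code: the module names are those of the pam.d/sshd below, but the outcome each module returns is supplied by hand so the scenarios (Yubikey tapped, 6-digit code only, both wrong, and the password stack left in via common-auth) can be traced without hardware. The single required pam_unix line standing in for common-auth is a simplification of the real file.

```python
"""Toy model of how Linux-PAM evaluates an `auth` stack.

Added example for this post, not code from Linux-PAM.  Module names
match the post's pam.d/sshd; the success/failure each module reports
is passed in by the caller so login scenarios can be replayed.
"""
from typing import Dict, List, Tuple

# (control flag, module) in the same order as the post's pam.d/sshd
POST_STACK: List[Tuple[str, str]] = [
    ("sufficient", "pam_yubico.so"),
    ("sufficient", "pam_google_authenticator.so"),
]

# What the stack would look like with `@include common-auth` left
# active: a password module runs first.  The real common-auth uses
# jump-style controls; a single `required` pam_unix is a simplification
# used here only to show why the post comments the include out.
STACK_WITH_PASSWORD: List[Tuple[str, str]] = [
    ("required", "pam_unix.so"),
] + POST_STACK


def run_auth_stack(stack: List[Tuple[str, str]],
                   outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (result, modules_consulted).

    `outcomes` maps module name -> True (PAM_SUCCESS) / False (failure);
    a module absent from it is treated as failing.  Control flags:
      required   - failure is remembered, later modules still run
      requisite  - failure ends the stack immediately
      sufficient - success ends the stack immediately unless an earlier
                   required module already failed; failure is ignored
      optional   - result only counts if it is the sole module
    """
    consulted: List[str] = []
    required_failed = False
    decided = False            # has a required/requisite module run?
    optional_result = None
    for control, module in stack:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if control == "required":
            decided = True
            if not ok:
                required_failed = True
        elif control == "requisite":
            decided = True
            if not ok:
                return False, consulted
        elif control == "sufficient":
            if ok and not required_failed:
                return True, consulted
            # a failed sufficient module is simply skipped
        elif control == "optional":
            optional_result = ok
        else:
            raise ValueError(f"unknown control flag {control!r}")
    if required_failed:
        return False, consulted
    if decided:
        return True, consulted     # every required/requisite module passed
    if optional_result is not None and len(stack) == 1:
        return optional_result, consulted
    return False, consulted        # only sufficient modules, none succeeded


def scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """Replay the situations described in the post."""
    return {
        "yubikey tapped": run_auth_stack(POST_STACK, {"pam_yubico.so": True}),
        "no yubikey, 6-digit code": run_auth_stack(
            POST_STACK, {"pam_google_authenticator.so": True}),
        "both factors wrong": run_auth_stack(POST_STACK, {}),
        "common-auth left in, no password": run_auth_stack(
            STACK_WITH_PASSWORD, {"pam_yubico.so": True}),
    }


if __name__ == "__main__":
    for name, (result, consulted) in scenarios().items():
        print(f"{name:35} -> {'PASS' if result else 'FAIL'} via {consulted}")
```

The last scenario is the reason the `@include common-auth` line in the post's configuration is commented out: with a required password module ahead of the two sufficient OTP modules, a Yubikey tap alone can never satisfy the stack.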

# sshd_config
UsePAM yes
# Allow the PAM challenge/response prompt (older OpenSSH spells this
# ChallengeResponseAuthentication yes)
KbdInteractiveAuthentication yes
# Public key first, then the PAM keyboard-interactive step
AuthenticationMethods publickey,keyboard-interactive

# pam.d/sshd
# common-auth (password) stays disabled so only the two OTP modules remain
# @include common-auth
# (pam_yubico documents its API key option as key=; check pam_yubico(8) if the module ignores ikey=)
auth sufficient pam_yubico.so id=nnnnn ikey=hm4F....../.....=
auth sufficient pam_google_authenticator.so

# Disallow non-root logins when /etc/nologin exists.
account    required pam_nologin.so
# ~/.google_authenticator
# (first line, the base32 secret, not shown; option lines follow)
" RATE_LIMIT 3 30 1668583336

# ~/.yubico/authorized_yubikeys
# format: <username>:<yubikey public id>
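The ~/.google_authenticator file above carries a RATE_LIMIT line (3 attempts per 30 seconds, followed by the timestamps of attempts already recorded). The following is an added example, not the pam_google_authenticator module’s own code: it parses a file of that shape, applies a simplified reading of that rate limit, and verifies an RFC 6238 SHA-1 / 30-second / 6-digit code with a one-step skew window. The sample file, its RFC 4226 test-vector secret and all function names are constructed for the example.

```python
"""Check a TOTP code against a ~/.google_authenticator-style file.

Added example for this post, not the pam_google_authenticator module's
own code.  It reads the file layout shown in the post (base32 secret on
line 1, then `" OPTION ...` lines), applies a simplified reading of the
RATE_LIMIT option, and verifies an RFC 6238 SHA-1 / 30 s / 6-digit code.
The rate-limit model (forget attempts older than the window, refuse
once `attempts` recent ones exist, record this attempt) is not a port
of the module's exact logic.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# Constructed sample file.  The secret is the RFC 4226/6238 test key
# ("12345678901234567890" in base32), not a real one; the RATE_LIMIT
# line mirrors the post's (3 attempts / 30 s, then recorded timestamps).
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30 1668583336
" TOTP_AUTH
"""

STEP = 30  # TOTP time step in seconds


def parse_authenticator_file(text: str) -> Tuple[bytes, Dict[str, List[str]]]:
    """Return (secret_bytes, options) for the file contents."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    b32 = lines[0].strip().upper()
    secret = base64.b32decode(b32 + "=" * (-len(b32) % 8))   # re-pad if needed
    options: Dict[str, List[str]] = {}
    for ln in lines[1:]:
        if ln.startswith('" '):
            fields = ln[2:].split()
            options[fields[0]] = fields[1:]
        # any other line would be an emergency scratch code; not handled here
    return secret, options


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // STEP, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step or up to `window` steps either side to
    absorb clock skew.  Constant-time comparison avoids a timing oracle."""
    return any(
        hmac.compare_digest(totp(secret, now + delta * STEP), code)
        for delta in range(-window, window + 1)
    )


def rate_limit_check(stamps: List[int], attempts: int, seconds: int,
                     now: int) -> Tuple[bool, List[int]]:
    """Return (allowed, stamps_to_write_back).

    Attempts older than `seconds` are forgotten.  If `attempts` recent
    ones already exist the login is refused before the code is looked
    at; otherwise this attempt is recorded."""
    recent = [t for t in stamps if now - t < seconds]
    if len(recent) >= attempts:
        return False, recent
    return True, recent + [now]


def authenticate(file_text: str, code: str, now: int) -> Tuple[bool, str]:
    """Rate limit first, then TOTP.  Returns (accepted, updated_file_text);
    the RATE_LIMIT line is rewritten because every attempt, good or bad,
    counts towards the limit."""
    secret, options = parse_authenticator_file(file_text)
    rl = options.get("RATE_LIMIT")
    if rl:
        attempts, seconds = int(rl[0]), int(rl[1])
        allowed, stamps = rate_limit_check([int(t) for t in rl[2:]],
                                           attempts, seconds, now)
        new_line = f'" RATE_LIMIT {attempts} {seconds} ' + " ".join(map(str, stamps))
        file_text = "\n".join(new_line if ln.startswith('" RATE_LIMIT') else ln
                              for ln in file_text.splitlines()) + "\n"
        if not allowed:
            return False, file_text
    return verify_totp(secret, code, now), file_text
```

Run `authenticate(SAMPLE_FILE, code, int(time.time()))` with a code from any TOTP app seeded with the sample secret; three attempts inside 30 seconds, correct or not, cause the fourth to be refused until the oldest ages out, which is the protection the `RATE_LIMIT 3 30` line buys against online guessing of a 6-digit code.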