Centos/Fedora install yubico-pam for yubikey 2 factor SSH authentication

I recently bought a yubikey to play around with as a two factor authentication method for VPNs.

Easy – The YubiKey is placed in the USB port. The YubiKey is recognized as a USB keyboard so it works on all computers, platforms and browsers with no client software needed (Windows, Linux, Mac, iPad, Firefox, Chrome, etc.).  With a simple touch on the YubiKey, it automatically generates and enters a unique identity and One-Time Password (OTP).

Whilst reading up on them I found that Fedora/Centos already have PAM packages in the repository to enable authentication with yubikeys 🙂

The following was done on a Centos 6 box but it was also tested on a fedora 15 server.

Install the package:

yum install pam_yubico

Create a yubikey group and add a user:

groupadd yubikey
usermod -a -G yubikey m00nie

Check the user is part of the yubikey group:

root@Centos6:~# groups m00nie
m00nie : m00nie yubikey

Now we need to edit the PAM config to use yubikey auth. Edit /etc/pam.d/system-auth and add the following lines to the beginning of the file. The first line allows per-user use of yubikeys: a user who is not in the yubikey group skips the yubikey check and passes to the next method. (If you are on Centos 6.5 this will be the file /etc/pam.d/sshd instead of /etc/pam.d/system-auth. Thanks go to Chris below) 🙂

# Check if user is in yubikey group and if not pass to next method
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
# Check against the mapping file
auth required pam_yubico.so id=16 authfile=/etc/yubi_mappings

Now we need to add the user – yubikey mappings to the file /etc/yubi_mappings, so open that with your favourite editor (note that a user can have more than one yubikey id assigned to them).

# This file contains mappings of usernames to yubikey ids
# Yubikey ID = OTP - last 32 characters
# Syntax is
# username:yubi id:another id:more ids:.....

To get the yubikey ID (from yubico-pam readme):

Obtaining the Yubikey token ID (a.k.a. public ID)
You can obtain the Yubikey token ID in two places. One is by removing the
last 32 characters of any OTP generated with your Yubikey, the other
is by using the modhex calculator located here :

http://radius.yubico.com/demo/Modhex_Calculator.php

Enter your Yubikey OTP and convert it, your Yubikey token ID is 12 digits and
listed as:

   Modhex encoded: XXXXXXX
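
The "OTP minus last 32 characters" rule and the mapping-file syntax above, as an added shell example that is not part of the original post or of yubico-pam. The function names are hypothetical, the sample OTP is constructed, and an OTP is assumed to be 33-48 modhex characters.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of pam_yubico.

# Print the public ID of an OTP: everything except the last 32 characters.
# Assumes a Yubico OTP of 33-48 modhex characters; fails otherwise.
yubi_public_id() {
    otp=$1
    case $otp in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;   # modhex alphabet only
    esac
    [ "${#otp}" -gt 32 ] && [ "${#otp}" -le 48 ] || return 1
    printf '%s\n' "${otp%????????????????????????????????}"
}

# Print "username:id1:id2..." from a user name and one or more OTPs.
yubi_mapping_line() {
    user=$1
    case $user in ''|*:*|*' '*) return 1 ;; esac
    shift
    [ "$#" -ge 1 ] || return 1
    ids=
    for o in "$@"; do
        id=$(yubi_public_id "$o") || return 1
        case "$ids:" in *":$id:"*) continue ;; esac   # drop duplicate keys
        ids="$ids:$id"
    done
    printf '%s\n' "$user$ids"
}

# Succeed if FILE maps USER to the key that produced OTP ('#' lines skipped).
yubi_is_mapped() {
    id=$(yubi_public_id "$3") || return 1
    awk -F: -v u="$2" -v id="$id" '
        /^#/ { next }
        $1 == u { for (i = 2; i <= NF; i++) if ($i == id) found = 1 }
        END { exit !found }' "$1"
}

# Constructed sample OTP (not from a real key): 12-char ID + 32-char remainder.
SAMPLE_OTP=cccccckdvvulbdefghijklnrtuvcbdefghijklnrtuvc
yubi_mapping_line m00nie "$SAMPLE_OTP"   # prints m00nie:cccccckdvvul
```

Deriving the ID locally avoids pasting an OTP into a web page.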

Now you should have a functioning two factor ssh config. Test by opening a new connection (keeping the current ssh connection logged in in case of any issues!). The syntax for entering your password is now password[press yubikey].

m00nie 🙂



  • Thanks for this.

    Trying this in 2014 on a CentOS 6.5 box I had to make a slight change insofar as I had to add the pam lines to /etc/pam.d/sshd instead of /etc/pam.d/system-auth

    Hopefully this helps anyone else who finds their way here.

  • Hi Chris

    Thanks for the feedback and glad to hear it was of some use to you. I’ve updated the post to reflect your more recent findings 🙂

