(If you don’t know what a yubikey is, have a look here)
So I wrote up ebuilds for yubico-pam and its dependency yubico-c-client. You can get them here.
Just extract the tarball into your portage overlay and emerge pam_yubico. If you don’t have an overlay, then just do this (as root):
    mkdir /usr/local/portage/
    echo 'PORTDIR_OVERLAY="/usr/local/portage/"' >> /etc/make.conf
    tar xvzf pam_yubico-ebuildstar.gz -C /usr/local/portage/
    emerge pam_yubico
For myself I configured sshd so that I can log in using either my yubikey or a normal password. I will describe how to do that – if you need some other configuration, have a look at the PAM module’s site (mentioned above).
1. You will need to get your yubico client id. The only way I know of to do this is through the YMS.
2. Configure PAM to make ssh use the newly installed module. Do this by prepending

       auth sufficient pam_yubico.so id=16 try_first_pass

   to /etc/pam.d/sshd. Be sure to change 16 to the ID you acquired in step 1. Because the control flag is sufficient, a valid OTP on its own is enough to authenticate; if the module does not succeed, PAM carries on to the normal password check.
3. Add your yubikey id to the file pam_yubico looks in, namely ~/.yubico/authorized_yubikeys. Create the file and add the line

       user:yubikey_id

   The yubikey id is the first 12 characters from the OTPs it generates.
And that’s it. You should now be able to log in over SSH using either your regular password or your yubikey.
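As an added example (not part of the original post or of pam_yubico), the following script takes the yubikey id from an OTP as described in step 3 and sanity-checks an authorized_yubikeys file. The function names and the sample OTP are constructed for illustration; it assumes 44-character OTPs written in Yubico's modhex alphabet and one yubikey id per line, as in the post.

```shell
#!/bin/sh
# Added example: helper functions for ~/.yubico/authorized_yubikeys.

# Print the yubikey id (first 12 characters) of a 44-character OTP.
# Fails if the string is not a plausible OTP.
yubikey_id_from_otp() {
    otp=$1
    case $otp in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;   # not modhex
    esac
    [ "${#otp}" -eq 44 ] || return 1
    printf '%s\n' "$otp" | cut -c1-12
}

# Check an authorized_yubikeys file: permissions and user:yubikey_id lines.
# Prints each problem; returns 0 only if nothing was found.
check_authfile() {
    file=$1; bad=0; n=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # Anyone who can write this file can enrol a key for the account.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \))" ]; then
        echo "$file is group- or world-writable"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -n "$line" ] || continue
        case $line in
            *:*) ;;
            *) echo "line $n: missing ':'"; bad=1; continue ;;
        esac
        user=${line%%:*}; id=${line#*:}
        [ -n "$user" ] || { echo "line $n: empty user"; bad=1; }
        case $id in
            *[!cbdefghijklnrtuv]*) echo "line $n: id is not modhex"; bad=1 ;;
            *) [ "${#id}" -eq 12 ] ||
                   { echo "line $n: id has ${#id} characters, want 12"; bad=1; } ;;
        esac
    done < "$file"
    return "$bad"
}

# Constructed sample OTP, not from a real key.
SAMPLE_OTP='ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded'
printf 'alice:%s\n' "$(yubikey_id_from_otp "$SAMPLE_OTP")"
```

Run `check_authfile ~/.yubico/authorized_yubikeys` after editing the file; a non-zero exit status means at least one problem was printed.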