Set up DUO MFA for CentOS 8 with Yubikey 5C
I recently got a Yubikey 5c, and it has been fun and impressive to me. I came up with DUO lately and I tried to set it up with one of my server's authentication, and I thought I'd share with you!
First of all, register a DUO account if you haven't. Second, follow the official guide for setting up a Unix Application for Unix authentication: https://duo.com/docs/duounix#installation. For AuthenticationMethods, use publickey,password publickey,keyboard-interactive.
Next, follow this guide to import the Yubikey into your DUO account: https://duo.com/docs/yubikey. It looks complicated but it's easy. A straightforward description of what will happen to your key:
If you are already using a YubiKey with an existing service, the following steps will overwrite the stored secret for that service. Each YubiKey has two slots. The first slot is used to generate the passcode when the YubiKey button is touched for between 0.3 and 1.5 seconds and released. The second slot is used if the button is touched for between 2 and 5 seconds. When the YubiKey is shipped, its first configuration slot is factory programmed for the YubiCloud OTP service, and its second configuration slot is blank.
– https://calnetweb.berkeley.edu/calnet-2-step/enroll-verification-device/other-verification-devices/how-generate-single-yubikey
After that, try to connect to the server with ssh -v your_server. This lets you see what's actually going on under the hood. It should give you the following output:
Please enroll at https://api-xxx.duosecurity.com/portal?code=xxx&akey=xxx
Use this link to enroll a user. You should most likely choose Mobile phone on that page instead of Security key. You can then use their app to confirm the login request. By the way, I tried Touch ID but it doesn't seem to work when I actually try to authenticate – it asks me to provide a passcode while the Touch ID is a fingerprint sensor.
When you're done, go to DUO admin panel > Users > your_user > Hardware Tokens > Add Hardware Token to add your Yubikey. This enables the user you just enrolled to use Yubikey to authenticate as well.
Finally, disconnect and connect again with the above command. The output should now look like this:
debug1: Offering public key: /Users/birkhofflee/.ssh/id_ed25519 ED25519 SHA256:xxx agent
debug1: Server accepts key: /Users/birkhofflee/.ssh/id_ed25519 ED25519 SHA256:xxx agent
Authenticated with partial success.
debug1: Authentications that can continue: keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Duo two-factor login for birkhoff
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXXX 1234
2. SMS passcodes to +XX XXX XXXX 1234
Passcode or option (1-2):
Here comes the interesting part: put your finger on the Yubikey's gold contacts. If you programmed Configuration Slot 1 in the Yubikey Personalization Tool earlier, touch them for 1 second; if you used slot 2, hold your finger on them for 3 to 5 seconds.
Duo two-factor login for birkhoff
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXXX 1234
2. SMS passcodes to +XX XXX XXXX 1234
Passcode or option (1-2): vvkdnkdlrttikruignlhgtrgkgfcvdefjecttrfvjggk
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to xxxx ([xxxx]:xxxx).
You should now be magically logged in to the server.
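The "partial success" and "Authentications that can continue" lines above follow from the AuthenticationMethods value set at the start. As an added illustration (not code from this post, from Duo, or from OpenSSH), here is a small Python model of how sshd evaluates that value; the set of enabled methods is an assumption standing in for the rest of sshd_config.

```python
# Added example (not from the post, Duo or OpenSSH): a small model of how sshd
# evaluates the AuthenticationMethods value used above, so the "partial
# success" / "Authentications that can continue" lines in ssh -v make sense.
# Each space-separated alternative is a comma-separated list of methods that
# must all succeed, in the listed order; login succeeds once any alternative
# is fully satisfied. Methods disabled elsewhere in sshd_config (for example
# password when PasswordAuthentication is no) are never offered.

AUTH_METHODS = "publickey,password publickey,keyboard-interactive"


def parse_methods(value):
    """Split 'a,b c,d' into [['a', 'b'], ['c', 'd']]."""
    return [alt.split(",") for alt in value.split()]


def evaluate(value, completed, enabled):
    """Return (authenticated, can_continue) for one SSH session.

    completed: ordered list of methods that have succeeded so far.
    enabled:   set of methods the server actually has switched on (assumed).
    An alternative stays viable only while `completed` is a prefix of it;
    the next unmet method of each viable alternative is what may continue.
    """
    authenticated = False
    can_continue = []
    for alt in parse_methods(value):
        if alt[: len(completed)] != completed:
            continue  # out of order or wrong method: alternative is dead
        if len(completed) >= len(alt):
            authenticated = True
            continue
        nxt = alt[len(completed)]
        if nxt in enabled and nxt not in can_continue:
            can_continue.append(nxt)
    return authenticated, can_continue


if __name__ == "__main__":
    # Constructed scenario matching the post: password login is off and Duo
    # handles keyboard-interactive through PAM.
    enabled = {"publickey", "keyboard-interactive"}
    print(evaluate(AUTH_METHODS, ["publickey"], enabled))
    # -> (False, ['keyboard-interactive'])   i.e. "partial success"
    print(evaluate(AUTH_METHODS, ["publickey", "keyboard-interactive"], enabled))
    # -> (True, [])
```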