Configuring OpenSSH (sshd) for 2FA authentication

Enable strong 2FA authentication by updating the /etc/ssh/sshd_config with the following changes:

# Require public key *and* password authentication. Without this, a valid public
# key would bypass the Yubikey requirement.
AuthenticationMethods publickey,password

# Enable the password authentication backend.
PasswordAuthentication yes

# Disable the keyboard-interactive mode which could be used to ask for the
# password.
ChallengeResponseAuthentication no

# Enable PAM integration for authentication as this is the system that Yubikey
# integrates with.
UsePAM yes

If you want to login with the root user via ssh, add or update the PermitRootLogin under the same file, replace prohibit-password by yes:

# Enable root login via ssh.
PermitRootLogin yes

Restart ssh. Note that if you're already inside an ssh session, you won't be disconnected.

❯ service ssh restart

results matching ""

    No results matching ""