
How to configure Yubikey two-factor authentication in ssh?

  • How to enable/disable Yubikey 2FA (Two-factor Authentication) in Ezeelogin?

Check out the video on configuring Yubikey two-factor authentication on an ssh jump host.

1. Navigate to Settings -> General -> Two Factor Authentication -> Enable Yubikey. Click on Get Yubico API Key to obtain the Client and Secret for Yubikey.

2. Navigate to Account -> Password -> New YubiKey to complete the setup.

3. Once this is done, log in to the web interface using the Yubikey 2FA method. The backend 2FA in ssh will then automatically use Yubikey 2FA, because the last 2FA method used successfully in the web interface (web GUI) is the one used in the backend ssh shell or ezsh shell.

ssh to jump host

Yubikey in ssh


  • How to disable Yubikey 2FA (Two-factor Authentication) from the backend?

Run the commands below to disable and clear Yubikey 2FA. Replace the username (ezadmin in the example) with the user whose Yubikey should be disabled.

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value='N' where(name='enable_yubikey')"

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set eyk=NULL where username='ezadmin'"

No Two-factor Authentication enabled

This error appears when two-factor authentication is enforced but none of the two-factor authentication methods is enabled. Run the following commands to disable Force Two Factor Authentication.

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"

[root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_usergroups SET force_tfa = 'N'"


  • How to disable Yubikey 2FA (Two-factor Authentication) from the GUI?

 

Yubikey outbound URLs to be whitelisted

The following Yubikey outbound URLs must be whitelisted in the firewall:

'https://api.yubico.com/wsapi/2.0/verify'
'https://api2.yubico.com/wsapi/2.0/verify'
'https://api3.yubico.com/wsapi/2.0/verify'
'https://api4.yubico.com/wsapi/2.0/verify'
'https://api5.yubico.com/wsapi/2.0/verify'

The Yubikey library requires access to the above URLs. Also see this article for the list of YubiKey API servers that the YubiKey client uses: https://developers.yubico.com/yubikey-val/Getting_Started_Writing_Clients.html
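
To confirm from the gateway that the firewall change took effect, the check below probes each of the URLs listed above and reports why an endpoint fails. It is an added example, not part of Ezeelogin; the function names are hypothetical and it assumes curl is installed on the gateway.

```shell
#!/usr/bin/env bash
# Added example (not Ezeelogin code): egress check for the Yubico verify URLs.

YUBICO_URLS='https://api.yubico.com/wsapi/2.0/verify
https://api2.yubico.com/wsapi/2.0/verify
https://api3.yubico.com/wsapi/2.0/verify
https://api4.yubico.com/wsapi/2.0/verify
https://api5.yubico.com/wsapi/2.0/verify'

# Host names an egress allow-list needs (TCP 443), one per line.
yubico_hosts() {
    printf '%s\n' "$YUBICO_URLS" | sed -E 's#^https://([^/]+)/.*$#\1#' | sort -u
}

# Map a curl exit code to the likely cause, so a firewall drop can be told
# apart from a DNS problem or a TLS-inspecting proxy.
classify_curl_rc() {
    case "$1" in
        0)     echo "reachable" ;;       # any HTTP response came back over TLS
        6)     echo "dns-failure" ;;     # host name could not be resolved
        7)     echo "connect-failed" ;;  # refused or rejected by a firewall
        28)    echo "timeout" ;;         # typical of a silent firewall drop
        35|60) echo "tls-error" ;;       # handshake or certificate check failed
        *)     echo "curl-error-$1" ;;
    esac
}

# Probe every URL; returns non-zero if any endpoint is not reachable.
check_yubico_egress() {
    yk_failed=0
    while IFS= read -r yk_url; do
        yk_rc=0
        curl -sS -o /dev/null --connect-timeout 5 --max-time 10 "$yk_url" \
            2>/dev/null || yk_rc=$?
        printf '%-45s %s\n' "$yk_url" "$(classify_curl_rc "$yk_rc")"
        [ "$yk_rc" -eq 0 ] || yk_failed=1
    done <<EOF
$YUBICO_URLS
EOF
    return "$yk_failed"
}

# Only touch the network when explicitly asked: ./check_yubico.sh run
if [ "${1:-}" = "run" ]; then
    check_yubico_egress
fi
```

Run it as the account the web server uses where possible, since egress rules and proxy settings can differ per user.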