Skip to Content

How to configure Yubikey two factor authentication in ssh ?

How to enable/disable Yubikey 2FA (Two-factor Authentication) in Ezeelogin?

Overview: This article provides a comprehensive guide on configuring and managing Yubikey two-factor authentication (2FA) for SSH jump host.

Do refer to the YouTube video to Configure Yubikey two-factor authentication in ssh jump host.

Step 1: Enable Yubikey 2FA in the Ezeelogin Web Interface with an admin privileged User.

  • Login into Ezeelogin web GUI as an Admin user.
  • Navigate to Settings -> General -> Two FactorAuthentication.
  • Enable Yubikey by clicking on "Get Yubico API Key" to obtain the Client and Secret for Yubikey.

Step 2: Set Up Yubikey for User Authentication

  • Navigate to Account > Password > New Yubikey and follow the prompts to complete the setup for each user.

Step 3: Usage in Web Interface

  • Log in to the Ezeelogin web interface using the Yubikey 2FA method.
  • The last successful 2FA method used in the web interface will automatically be applied to the backend SSH or ezsh shell.

ssh to jump host

Step to Disable Yubikey 2FA from the GUI.

  • Navigate to Settings > General > Two-factor Authentication and disable Yubikey.

Emergency CLI Method:

  • How to disable Yubikey 2FA (Two-factor Authentication) from the backend?

Run the below commands to disable and clear Google authenticator. Replace the username to disable Yubikey for that user.

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value='N' where(name='enable_yubikey')"

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set eyk=NULL where username='ezadmin'"

No Two-factor Authentication enabled

This error happens when we enforce Two-Factor authentication without enabling any of the Two-Factor authentications. Run the following command to disable Force Two Factor Authentication.

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = 'two_factor_auth'"

root@gateway ~]# php /usr/local/ezlogin/ez_queryrunner.php  "update prefix_usergroups SET force_tfa = 'N'"

  • Yubikey outbound URL's to be whitelisted
  • Following are the Yubikey outbound URLs to be whitelisted in the firewall.

1. ''
2. ''
3. ''
4. ''
5. ''

Related Articles:

Disable all 2fa from the backend.

Enforce 2fa on user login.

Reset 2fa on Ezeelogin user.