Skip to Content

How to configure Yubikey two factor authentication in ssh ?

75  admin November 22, 2024  Features & Functionalities, Tweaks & Configuration

How to enable/disable Yubikey 2FA (Two-factor Authentication) in Ezeelogin?

Overview: This article provides a comprehensive guide on configuring and managing Yubikey two-factor authentication (2FA) for SSH jump host.

Refer to the YouTube video to Configure Yubikey’s two-factor authentication in ssh jump host.

1. How to enable Yubikey?

Step 1(A): Log in to the Ezeelogin GUI as an admin privileged user, navigate to Settings -> General -> Two Factor Authentication, and enable Yubikey.

Step 1(B): Click on "Get Yubico API Key" to obtain the Yubico Client ID and secret key.

Step 1(C): To set up Yubikey for user authentication, navigate to Account -> Password -> New Yubikey and click on save after providing the authorization password(password of the currently logged in user).

Step 1(D): Log in to the Ezeelogin GUI using the Yubikey 2FA method.

Step 1(E): The backend 2fa method will also be now using Yubikey.

ssh to jump host

2. Disable Yubikey 2FA from the GUI.

Step 2(A): To disable Yubikey from Ezeelogin GUI, navigate to Settings -> General -> Two-factor Authentication and disable Yubikey.

Emergency CLI Method:

1. How do we disable Yubikey 2FA (Two-factor Authentication) from the backend?

Run the below commands to disable and clear Google authenticator. Replace the username to disable Yubikey for that user.

root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings set value=’N’ where(name=’enable_yubikey’)"

root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_users set eyk=NULL where username=’ezadmin’"

No Two-factor Authentication enabled

2. This error happens when we enforce Two-Factor authentication without enabling any of the Two-Factor authentications. Run the following command to disable Force Two Factor Authentication.

root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php "update prefix_settings SET value = 0 WHERE name = ’two_factor_auth’"

root@gateway:~# php /usr/local/ezlogin/ez_queryrunner.php  "update prefix_usergroups SET force_tfa = ’N’"

Yubikey outbound URLs to be whitelisted:

Following are the Yubikey outbound URLs to be whitelisted in the firewall.

1. ’https://api.yubico.com/wsapi/2.0/verify
2. ’https://api2.yubico.com/wsapi/2.0/verify
3. ’https://api3.yubico.com/wsapi/2.0/verify
4. ’https://api4.yubico.com/wsapi/2.0/verify
5. ’https://api5.yubico.com/wsapi/2.0/verify

Yubikey Library requires access to the above URLs. Also, do check out the article for the list of YubiKey API servers that the YubiKey client would utilize https://developers.yubico.com/yubikey-val/Getting_Started_Writing_Clients.html

Related Articles:

Disable all 2fa from the backend.

Enforce 2fa on user login.

Reset 2fa on Ezeelogin user.
Rating: 3.67 (3 Votes)