Yubikey SSH authentication

Introduction

Yubico provides hardware authentication devices that can be used in one- or two-factor authentication flows. The device generates a unique password that is validated by Yubico's free cloud service, which makes Yubico authentication a great way to secure your SSH Gateway server.

Before proceeding with these instructions, ensure that you have the latest Yubico extension installed on your server. If you do not see a Yubico option in the list of authentication modules on the Authentication page, navigate to Extensions->Extensions, locate the Yubico Authentication extension in the list of Available extensions and install it. Then restart your server.

 

Step 1 - Configure Yubico

The first step is to configure the Yubico Authenticator with a Client ID and Secret Key obtained from Yubico. Navigate to Authentication->Settings and select the Yubico tab.

Either enter your existing Client ID and Secret Key, or click the link in the Client ID information text to register for a new set of keys with Yubico. 

 

Step 2 - Allocate Yubikey

Before we activate the Yubico authentication method, we must first allocate at least one Yubikey to an Administrator.

Navigate to Access Control->Users and click the gear icon beside the user you want to allocate the key to. Select Allocate Yubikey.

In the dialog prompt, provide a name for the key, then click into the Yubikey field and hold your finger on the plugged-in Yubikey for a second, then release. A long password should populate the Yubikey field.

That's your authentication configured. There is only one thing left to do.

 

Step 3 - Activate Yubico Authentication

Navigate to Authentication->Schemes and configure the flow that you want to include the Yubico method on. Depending on what product you are using, there will be a number of options.

For this example we will modify the SSH flow. This is the scheme used whenever a user connects to the Gateway via SSH to manage or run commands on your nodes.

Once you have selected the correct flow tab, you can edit the methods available, deleting them or adding them to the flow with the corresponding icons.

In the example below, Yubico is acting as a single-factor authentication method.

 

Step 4 - Logging in

Now that you have configured the system and activated the Yubico authentication method, you will be able to log in using your Yubikey on the configured flow.

 

Launch an SSH client such as PuTTY and attempt to connect with your username.


You should be prompted for your Yubikey instead of a password. Press the Yubikey button and you should be logged in.
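
What has to hold before that long password can log a user in, shown as an added Python sketch (not the product's own code) that follows Yubico's published validation protocol: the reply from the cloud service must be signed with your Secret Key, must answer this exact request, must report OK, and the key's static prefix must match the one allocated to the user in Step 2. The function names and all sample values are constructed for illustration, and how the Gateway implements these checks internally is an assumption.

```python
import base64
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"  # alphabet Yubico OTPs are typed in

# Constructed sample values, not real credentials or a real key's output.
SAMPLE_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "ccccccbcdefg" + "hijklnrtuvcbdefghijklnrtuvcbdefg"


def public_id(otp: str) -> str:
    """Static prefix that identifies the device: all but the last 32 chars."""
    otp = otp.strip().lower()
    if not 32 < len(otp) <= 48 or any(c not in MODHEX for c in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32]


def sign(params: dict, secret_key_b64: str) -> str:
    """HMAC-SHA1 over the sorted key=value pairs (excluding h), base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    key = base64.b64decode(secret_key_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def accept(resp: dict, otp: str, nonce: str, secret_key_b64: str, allocated_id: str) -> bool:
    """Decide whether a validation response authenticates this user."""
    expected = sign(resp, secret_key_b64)
    if not hmac.compare_digest(str(resp.get("h", "")).encode(), expected.encode()):
        return False  # not signed with our Secret Key: forged or altered reply
    if resp.get("otp") != otp or resp.get("nonce") != nonce:
        return False  # answer to some other request
    if resp.get("status") != "OK":
        return False  # e.g. REPLAYED_OTP or BAD_OTP
    return public_id(otp) == allocated_id  # valid OTP, but is it this user's key?


if __name__ == "__main__":
    resp = {"otp": SAMPLE_OTP, "nonce": "constructednonce0001", "status": "OK",
            "t": "2024-01-01T00:00:00Z0001", "sl": "100"}
    resp["h"] = sign(resp, SAMPLE_KEY)
    print(accept(resp, SAMPLE_OTP, resp["nonce"], SAMPLE_KEY, "ccccccbcdefg"))  # True
```

The last check is the one that matters most in a single-factor flow: any genuine Yubikey produces an OTP the cloud service reports as OK, so only the allocated prefix ties the press to a specific user.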

 

Summary

In this article we have demonstrated how to configure, activate and use Yubico's Yubikey hardware to authenticate and access your SSH Gateway via SSH. 
