Termius for Android supports Yubikey authentication, if you set it up together with Google Authenticator on your host as the 2nd factor of authentication.
sudo apt install libpam-google-authenticator
2. Run to create a new secret key
3. Answer yes to “Do you want authentication tokens to be time-based?”.
As the result, you will see a QR-code that we will scan using the Yubico mobile app to add this key to Yubikey. Don’t close the terminal yet.
1. Install (from Google Play) and run Yubico Authenticator. You will see the Yubico Authenticator screen.
2. Choose SCAN QR-CODE on the bottom. Scan the QR-code generated in the step 1.
After that, you will see the screen with the key parameters.
4. Tap SAVE. The app will ask to tap or insert your Yubikey to the device NFC module.
5. Get your YubiKey closer to the NFC module and wait for data to transfer (1-2 sec). After vibrating a few times you will se the list of saved keys.
Now the physical key YubiKey contains the data to auth to the host, but the host setup still needs to be complete.
This step involves returning to the terminal to configure the SSH daemon and enable 2FA authentication.
1. Open sshd config file
sudo nano /etc/ssh/sshd_config
2. Make sure the following parameters are set up to yes:
3. Save the file and restart the SSH daemon:
sudo systemctl restart ssh
4. Now, to configure the pam module open:
sudo nano /etc/pam.d/sshd
5. And at the end of the file add this line:
auth required pam_google_authenticator.so
6. Save the configuration and close.
Now when connecting to this host with SSH after the password prompt, the terminal will require entering a one-time code from Yubikey.
The process of connecting to a host using Yubikey is not much different from a regular SSH connection. At the time of connection, Termius simply asks you to enter the authorization code or use your Yubikey:
Get your Yubikey closer to the NFC module and the process of authorization will continue automatically.
And after a successful connection, you'll see the terminal screen:
You can use the Google Authenticator app instead of a physical Yubikey. The app settings are similar to the settings of the Yubico authenticator. Just run the Google Authenticator app on your phone and scan a QR code from the terminal. Then, choose "Add Account" and the app will start generating verification codes every 30 seconds.
Enter a code when the Termius app requests a verification code.