YubiKey Support

Last updated 24 days ago

Do you support YubiKey for the 2nd factor auth?

Termius for Android supports YubiKey authentication if you set it up together with Google Authenticator on your host as the second factor of authentication.

Only devices with NFC hardware support this type of authentication.

Setting up YubiKey Authentication for Termius Android

Step 1 - Set up Google Authenticator on the server

1. Run:

sudo apt install libpam-google-authenticator

2. Run the following to create a new secret key:

google-authenticator

3. Answer yes to “Do you want authentication tokens to be time-based?”.

As a result, you will see a QR code, which you will scan with the Yubico Authenticator mobile app to add this key to the YubiKey. Don't close the terminal yet.

Step 2 - Add the key to Yubico Authenticator

1. Install (from Google Play) and run Yubico Authenticator. You will see the Yubico Authenticator screen.

2. Tap +.

3. Choose SCAN QR-CODE at the bottom. Scan the QR code generated in Step 1.

After that, you will see the screen with the key parameters.

4. Tap SAVE. The app will ask you to tap your YubiKey to the device's NFC module or insert it.

5. Hold your YubiKey close to the NFC module and wait for the data to transfer (1-2 sec). After it vibrates a few times, you will see the list of saved keys.

The physical YubiKey now contains the data needed to authenticate to the host, but the host setup still needs to be completed.

Step 3 - Set up the Server

This step involves returning to the terminal to configure the SSH daemon and enable 2FA.

For that:

1. Open the sshd config file:

sudo nano /etc/ssh/sshd_config

2. Make sure the following parameters are set to yes:

  • UsePAM

  • ChallengeResponseAuthentication

3. Save the file and restart the SSH daemon:

sudo systemctl restart ssh

4. Now, to configure the PAM module, open:

sudo nano /etc/pam.d/sshd

5. At the end of the file, add this line:

auth required pam_google_authenticator.so

6. Save the configuration and close.

Now, when you connect to this host over SSH, the terminal will ask for a one-time code from the YubiKey after the password prompt.
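To confirm that the server setup above took effect, the following script checks both edited files. It is an added example, not part of the Termius documentation; the function names and sample files are constructed for illustration, and it assumes that KbdInteractiveAuthentication (the name newer OpenSSH releases use for ChallengeResponseAuthentication) should also be accepted.

```shell
# Added example: checks the settings from the server setup step.
# sshd keeps the FIRST value it reads for a keyword, so a later "yes" does not
# override an earlier "no". Include files are not followed; `sshd -T` (as root) prints live values.

# sshd_value FILE NAMES -> first active value of any keyword in NAMES
# (lowercase, "|"-separated); stops at the first Match block.
sshd_value() {
    awk -v keys="$2" '
        { sub(/=/, " ") }                      # allow "Keyword=value"
        /^[ \t]*#/ { next }                    # skip comments
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" keys ")$") { print tolower($2); exit }
    ' "$1"
}

# pam_totp_required FILE -> status 0 if an uncommented
# "auth required pam_google_authenticator.so" line is present.
pam_totp_required() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "auth" && $2 == "required" && $3 ~ /pam_google_authenticator\.so$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# audit_totp SSHD_CONFIG PAM_FILE -> status 0 only if all three checks pass.
# Assumption beyond the page: KbdInteractiveAuthentication is accepted as the
# newer OpenSSH name for ChallengeResponseAuthentication.
audit_totp() {
    rc=0
    [ "$(sshd_value "$1" 'usepam')" = yes ] ||
        { echo "FAIL: UsePAM is not yes"; rc=1; }
    [ "$(sshd_value "$1" 'challengeresponseauthentication|kbdinteractiveauthentication')" = yes ] ||
        { echo "FAIL: ChallengeResponseAuthentication is not yes"; rc=1; }
    pam_totp_required "$2" ||
        { echo "FAIL: pam_google_authenticator.so is not required"; rc=1; }
    return $rc
}

# Constructed sample files (not from a real host): the "no" comes first and
# the PAM line is commented out, so two checks fail.
demo=$(mktemp -d)
printf '%s\n' 'UsePAM yes' 'ChallengeResponseAuthentication no' \
    'ChallengeResponseAuthentication yes' > "$demo/sshd_config"
printf '%s\n' '@include common-auth' \
    '#auth required pam_google_authenticator.so' > "$demo/pam_sshd"
audit_totp "$demo/sshd_config" "$demo/pam_sshd" || echo "sample host: 2FA not enforced"
rm -rf "$demo"
```

On a real host, call audit_totp /etc/ssh/sshd_config /etc/pam.d/sshd after completing the steps above.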

Step 4 - Connect to the host with Termius

The process of connecting to a host using a YubiKey is not much different from a regular SSH connection. At the time of connection, Termius simply asks you to enter the authorization code or use your YubiKey.

Hold your YubiKey close to the NFC module and the authorization process will continue automatically.

And after a successful connection, you'll see the terminal screen:

Using Google Authenticator instead of YubiKey

You can use the Google Authenticator app instead of a physical YubiKey. The app settings are similar to the settings of the Yubico Authenticator. Just run the Google Authenticator app on your phone and scan a QR code from the terminal. Then, choose "Add Account" and the app will start generating verification codes every 30 seconds.

Enter a code when the Termius app requests a verification code.