Setting Up 2-factor authentication on backtrack5 (or Kali) sshd with a Yubikey

First of all, if you haven’t heard of a yubikey, check out

For about $35 you can purchase a USB key called a yubikey, which can provide OTP (One-Time-Password) capabilities to various services, such as the lastpass password manager, and also challenge-response and/or a LONG static key.

For this article, I will be setting up sshd in backtrack5 to use 2-factor authentication, using your normal password as the first factor and an OTP (One-Time-Password) sent from your yubikey to their authentication servers as the second. This requires both machines to be connected to the Internet, which usually isn’t a problem, but if you want to set up challenge-response offline authentication there are some instructions here:

Yubico has instructions which I followed here but I will list the commands I used and go into a little more detail:

Ok Step 1: download and build the yubico-c-client:

install yubico-c-client from git (commands are in bold and output has been truncated):

root@bt:~# git clone git://
root@bt:~# cd yubico-c-client/
root@bt:~/yubico-c-client# autoreconf --install
root@bt:~/yubico-c-client# ./configure
root@bt:~/yubico-c-client# make check
root@bt:~/yubico-c-client# make install

Step 2: download and install yubico-pam module. I find it is easier to add the repository than to build from git because then you don’t have to worry about all the dependencies.

root@bt:~# apt-get install python-software-properties
root@bt:~# add-apt-repository ppa:yubico/stable
root@bt:~# apt-get update
root@bt:~# apt-get install libpam-yubico

Step 3: Create token id mapping file:

root@bt:~# mkdir .yubico
root@bt:~# nano .yubico/authorized_yubikeys
plug in your yubikey
type root: (or username) then press yubikey button
delete all characters after the first 12 (your id is the first 12 characters)
type control+o, press enter, then control+x

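The Step 3 mapping line can also be built and checked with a few shell functions. This is an added example, not part of the original post or of Yubico's tooling; the function names are hypothetical, the sample OTP is constructed, and it assumes the default OTP layout of 44 modhex characters whose first 12 are the token id.

```shell
#!/bin/sh
# Added example: helpers for the authorized_yubikeys mapping file.
# Assumption: default YubiKey OTP = 44 modhex characters
# (alphabet cbdefghijklnrtuv), first 12 = static token id.

# Print the 12-character token id of an OTP; fail on malformed input.
yubi_token_id() {
    otp=$1
    case $otp in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;   # empty or non-modhex
    esac
    [ "${#otp}" -eq 44 ] || return 1            # wrong length
    printf '%s\n' "$otp" | cut -c1-12
}

# Print the "user:tokenid" line that belongs in authorized_yubikeys.
yubi_mapping_line() {
    id=$(yubi_token_id "$2") || return 1
    printf '%s:%s\n' "$1" "$id"
}

# Succeed only if FILE maps USER to the token id of OTP.
# A line may carry several ids: user:id1:id2:...
yubi_user_has_token() {
    file=$1 user=$2
    id=$(yubi_token_id "$3") || return 1
    awk -F: -v u="$user" -v id="$id" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i == id) found = 1 }
        END { exit !found }' "$file"
}

# Constructed sample OTP (not from a real key), to try the functions.
SAMPLE_OTP=ccccccdefghijklnrtuvjklnrtuvjklnrtuvjklnrtuv
yubi_mapping_line root "$SAMPLE_OTP"    # prints root:ccccccdefghi
```

Running yubi_user_has_token against /root/.yubico/authorized_yubikeys before restarting sshd confirms that the key you are holding is the one the file maps to your account.
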
Step 4: Edit /etc/pam.d/sshd

comment this out:
#auth required # [1]

change next directive to be:
auth required pam_yubico.so id=16 debug authfile=/root/.yubico/authorized_yubikeys

Step 5: Edit /etc/pam.d/common-auth

add “try_first_pass” to this line:
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass

Step 6: Edit /etc/ssh/sshd_config

uncomment this line:
PasswordAuthentication yes

then type in a terminal: service ssh restart

this is assuming you already set backtrack up for ssh service by running “sshd-generate”, then “update-rc.d -f ssh defaults” (in a terminal) if you want sshd to start up on boot.

Step 7: Now test it out

typing your password and hitting enter should get you denied
root@localhost's password:
Permission denied, please try again.

but typing your password then pressing the button on the yubikey should let you in:

root@localhost's password:
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:34:20 EST 2012 x86_64 GNU/Linux

System information as of Tue Jun 25 17:29:07 EDT 2013

System load: 0.03 Processes: 165
Usage of /: 34.7% of 41.19GB Users logged in: 1
Memory usage: 1%
Swap usage: 0%

Last login: Tue Jun 25 16:52:49 2013