Match group yubikey
# ForceCommand /usr/local/bin/yubikey.sh
And the mobileverification.sh sends a randomly generated 4 digit pin code to the phone number that user has saved in ~/.ssh/mobile_number and asks them to enter it.
Edit: in case anyone is interested, mobileverification.sh at http://pastie.org/pastes/2579517/text?key=tv1xciwdubnwi165fz... and yubikey.sh at http://pastie.org/pastes/2579528/text?key=krpmwrivbvrjmx0xb3...
Edit2: It's worth pointing out that both those scripts were written fairly quickly by me, for basic personal use. If you want to use them I would recommend going through them and making sure I didn't screw anything up.
Just to be clear to anyone reading, because it's not really explained:
* OP double-protects the SSH key. It means you need the key's passphrase and another factor (Google authenticator) to decrypt the ssh key. Then the ssh key is used to auth with the server.
=> the authentication with the server is still one factor auth, compromising the key at any level still grants access.
=> obligatory analogy: OP did like that: put your car key in a box that also has a key. Attacker just need a copy of the key in the box to open the door (granted that he won't use any physical attack on the door :p)
=> 2 (or more) factor authentication should always be used on the component that does the final authentication.
* People using ForceCommand apply the 2 factor at the last step of authentication, that is, once the ssh key authenticated you correctly, you still need to authenticate to something else before being given access.
=> obligatory analogy: now you have a key and a cellphone. you turn the key in the car and the door doesn't fully unlock. you gotta enter a code given by the cellphone before it actually opens. if the attacker get a copy of your key, it's not enough. if the attacker gets a copy of your phone's passcode (even thus it changes each time), its not enough.
This is not correct. You can't decrypt a key with a one time password.
The OP is requiring a the second factor(the OTP) after the key is sent to the server and authenticated.
Doesn't ForceCommand do exactly the same thing except it allows you to do it globally?
Additionally, if you don't want to pay for SMS you could send an email to your cell number.
# groupadd yubikey
# usermod -G yubikey USERNAME
# echo "yubikeyid" >> /home/USERNAME/.ssh/trusted_yubikeys
# (yubikeyid is first 12 characters of the OTP)
# chmod 755 /usr/local/bin/yubikey.sh
# (this file is /usr/local/bin/yubikey.sh)
# echo "Match group yubikey" >> /etc/ssh/sshd_config
# echo " ForceCommand /usr/local/bin/yubikey.sh" >> /etc/ssh/sshd_config
# (that's a tab before ForceCommand)
# /etc/init.d/ssh restart
It's the I'd of your specific Yubikey - I'm on my phone on a train right now, but off the top of my head it is the first 12 characters that get printed when you use your Yubikey. Pretty sure it's 12, anyway.
Look up the Match command, you can limit ForceCommand and many others to a specific "User, Group, Host and Address."
logger -p authpriv.notice "Some message about authentication"
I guess I found a serious security problem.
When logging ssh commands with '-vT', I can see the secret. The secret should be hard coded in the two_factor script.
debug1: Remote: Forced command.