Some 7 years back, I wrote a guide to requiring a Yubikey OTP for SSH logins on CentOS. In the time that's passed, the process has changed (a little), so this documentation provides an updated reference.
Although this is written (and tested) for CentOS 8, it should work equally well on CentOS 7 (and presumably also on Rocky Linux).
The flexibility of Yubikeys (which has increased since my previous post), along with their relative ubiquity, makes them a fantastic candidate for two-factor authentication tokens. Modern Yubikeys can do U2F as well as their proprietary mechanism, allowing them to be used with a wide range of software.
By the end of this documentation, we'll have configured a CentOS 8 server to require that a user provides a Yubikey press along with:
- Username AND
- Account password, OR
- Authorised SSH key
For brevity's sake, the majority of this documentation assumes you want root to manage users' Yubikeys, something Yubico call Administrative level management. Switching between the two is relatively straightforward, so details on how to switch to "User Level" will be given at the end of the document.