Adding Yubikey 2-factor authentication to SSH and sudo in Debian

Throughout 2014 and 2015 I have been adding two-factor authentication to Debian and Ubuntu servers (SSH, sudo) for some of my customers, using Yubikeys as the authentication device and OTP as the auth method. It's quite straightforward to integrate Yubikey OTP auth into Debian SSH servers, provided you are using Debian 7 (Wheezy) or higher, and that you can use the version of OpenSSH from the Backports repository.

This guide will work for SSH auth, as well as for other server-side tasks such as the use of sudo.


Kippo deb package updated to 0.8

I have updated my Kippo Debian package to use the latest 0.8 release of Kippo and also to run on the current Debian stable release, 'Wheezy'.


1. Add this line to /etc/apt/sources.list or create a new file called /etc/apt/sources.list.d/mig5.list

deb wheezy main

2. My repo is signed with my GPG public key. To fetch the key:


Kippo deb package updated

The Debian package that I made for Kippo last year was a few commits behind (though not by much!).

When recently firing up a fresh Kippo sensor, I realised there were some bugs in the postinst script on a fresh install - additionally, there were some other bugs when removing and re-installing Kippo.

These have been fixed, and the Kippo package is now in line with revision r219 of the Subversion repo maintained by desaster.


Kippo deb package

I've built a basic kippo Debian package and dropped it into my personal Debian repository, .

If you're not aware, Kippo is an SSH honeypot written in Python (using Twisted). Read more at

It's pretty basic to install by hand, but I wanted to build some systems to install Kippo automatically using Puppet, so I wrote a deb.


Got a weird DNS issue that's stumped me.

Here's a good one.

dns2 is primary nameserver for a local zone ''. Running Debian Lenny, bind9, nothing unusual. Update this zone to add a Xen guest recently provisioned at the datacentre. Reload dns with rndc reload, the updated zone is transferred to the slave nameserver, which is dns1 (yeah I don't know why either, what's in a name).

