Hardening SSH with 2FA

Log in for the first time: now, when we ssh to the bastion host, the forwarded SSH agent can only be used to trampoline on to other hosts within the VPC, while any attempt from outside to use the forwarded agent (or keys loaded in memory) programmatically to reach a bastion will fail, because no TOTP from the separate mobile device was provided. Follow these instructions from a Linux host to set up a basic working hardened YubiKey SSH key:

Hardening to prevent a rogue host from authenticating without your permission

Hardening in case your security key is stolen

Default user PIN is and admin PIN is ; change both of them to something more secure (they can both be the same PIN). Within the Secure Shell app’s configuration screen for the bastion host:

You’ll then enter the user PIN when prompted, and tap the security key to confirm when logging into the bastion.
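The behaviour described above only holds if the bastion's sshd actually refuses a key without the second factor. Here is an added example, not code from the gist, that audits an sshd_config for that: a public key AND a PAM keyboard-interactive answer (where the TOTP is collected) on every login, and, for a FIDO-based YubiKey key, a signature that attests touch and PIN verification. The two config fragments are constructed for the example; that the TOTP is delivered through PAM's keyboard-interactive path, and that the YubiKey key is an OpenSSH sk-type (FIDO2) key, are my assumptions. The PubkeyAuthOptions check applies only to such sk keys, not to a key served from the OpenPGP applet.

```shell
#!/bin/sh
# Added example: audit an sshd_config for bastion 2FA enforcement.
# Both config fragments below are constructed for this example.

# The "before" state: a key alone (or even a password) gets you in.
WEAK_CFG='# bastion before hardening
PasswordAuthentication yes
PubkeyAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
'

# The hardened state (assumed layout, not the gist's own config):
# every login must present a public key AND answer the PAM
# keyboard-interactive prompt, which is where the TOTP is entered.
# PubkeyAuthOptions applies only to FIDO (sk-*) keys: the signature must
# attest a touch and user verification (the YubiKey PIN).
# On OpenSSH older than 8.7 the keyword is ChallengeResponseAuthentication.
HARDENED_CFG='# bastion after hardening
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthOptions touch-required,verify-required

Match Group ops
    X11Forwarding no
'

# sshd_opt KEYWORD: print the effective global value of KEYWORD from the
# sshd_config text on stdin. sshd honours the FIRST occurrence of a keyword,
# and everything after the first Match line is conditional, so stop there.
# Keywords are case-insensitive; only the "Keyword value" form is handled,
# not "Keyword=value".
sshd_opt() {
  awk -v key="$1" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  '
}

# check_opt CFG KEYWORD WANT: print PASS/FAIL, return 1 on FAIL.
check_opt() {
  got=$(printf '%s\n' "$1" | sshd_opt "$2")
  if [ "$got" = "$3" ]; then
    echo "PASS $2 = $got"
  else
    echo "FAIL $2 = '${got:-<unset>}' (want '$3')"
    return 1
  fi
}

# audit_sshd_config CFG: run every check; succeed only if all of them pass.
audit_sshd_config() {
  fails=0
  check_opt "$1" PasswordAuthentication no                            || fails=$((fails + 1))
  check_opt "$1" PubkeyAuthentication yes                             || fails=$((fails + 1))
  check_opt "$1" KbdInteractiveAuthentication yes                     || fails=$((fails + 1))
  check_opt "$1" UsePAM yes                                           || fails=$((fails + 1))
  check_opt "$1" AuthenticationMethods publickey,keyboard-interactive || fails=$((fails + 1))
  check_opt "$1" PubkeyAuthOptions touch-required,verify-required     || fails=$((fails + 1))
  [ "$fails" -eq 0 ]
}

echo "== weak =="
audit_sshd_config "$WEAK_CFG" || echo "bastion is NOT enforcing key + TOTP"
echo "== hardened =="
audit_sshd_config "$HARDENED_CFG" && echo "bastion enforces key + TOTP"
```

Run it against `/etc/ssh/sshd_config` on the bastion with `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Note that the audit reads only the global section: a `Match` block can silently relax `AuthenticationMethods` for a user, group or source address, so review those blocks by hand. The VPC-only hop restriction on the client side is a separate control; with OpenSSH 8.9 or later it can be pinned with `ssh-add -h` destination constraints, which the gist does not cover.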

Source: gist.github.com