To set up a Yubikey 2FA in Apache:

First, install the mod_authn_yubikey using your package repository. Looks like the source is available here.

Next, get your yubikey identify which is the first 12 digits of your yubikey output (eg: ccccccabcdef).

Create a password file. It requires 3 things: your yubikey identity, your username, and your password:

htpasswd -csb /etc/apache2/.htaccess.ykUserDb ccccccabcdef username:password

For additional accounts, leave out the -c option (just -sb)

In the apache config, add this:

AuthType Basic
AuthBasicProvider yubikey
AuthName "Authenticate with Yubikey"
AuthYubiKeyTimeout 1800
AuthYubiKeyTmpFile /tmp/ykTmpDb
AuthYubiKeyUserFile /etc/apache2/.htpasswd.ykUserDb
AuthYubiKeyRequireSecure On
AuthYubiKeyExternalErrorPage Off
Require valid-user

The /tmp/ykTmpDb is a cache file. The way HTTPAuth works, every request is sent with the same username and password, but the way OTPs work, the password only works one time… so each request would need a separate Yubikey token. So the plugin caches the yubikey authentication for a period of time. In this case the timeout is 1800 seconds, so each new yubikey authentication will keep your browser logged in for 30 minutes. Adjust as necessary. Also, the RequireSecure option will prevent authentications on HTTP, and the ExternalErrorPage=Off means it will use its built-in error pages as opposed to Apache’s normal error pages.

To authenticate in the browser, username is the username. Password is the password followed by your yubikey output with nothing in between. For example, if your username was “alice” and your password was “spaghetti”, you would enter:

Username: alice
Password spaghetticcccccabcdefxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx