$ cat x2go-ssh.txt
setting up a yubikey with x2go (sshd/pam)
- debian 11
- yubikey4
- pam
- api_id from https://upgrade.yubico.com/getapikey/
install pam module
# apt-get install libpam-yubico
create auth file for users
# cat /etc/yubikey/id
<user>:<1st otp device>:<2nd otp device>:<3rd otp device>
create pam file with sufficient (or required for 2fa)
# cat /etc/pam.d/yubikey
auth sufficient /usr/lib/security/pam_yubico.so id=<api_id> debug authfile=/etc/yubikey/id
update pam sshd config to include yubikey before common-auth
# grep -A3 yubikey /etc/pam.d/sshd
@include yubikey
# Standard Un*x authentication.
@include common-auth
edit sshd_config to enable challenge response
# grep '^ChallengeResponseAuthentication' /etc/ssh/sshd_config
ChallengeResponseAuthentication yes
restart sshd
# systemctl restart sshd
NOTES:
- do not enable the pam module for yubikey; the defaults will update common-auth and break general auth
- clean up old ssh authorized keys; you no longer use the ssh authorized_keys file, which is overridden by the yubico authorized_keys file
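
added example (not part of the original notes): a read-only check of the four files edited above, to run before restarting sshd. the function names are made up for this example, the paths are the ones used in these notes, and the id check assumes authfile entries hold the 12-character modhex public id of each key.

```shell
#!/bin/sh
# added example, not from the original notes: read-only checks of the files
# edited above. function names are made up here; paths are the ones in the notes.

# authfile entries are user:id[:id...]; a yubikey id is 12 modhex characters
check_authfile() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        NF < 2 || $1 == "" { printf "line %d: missing user or id\n", NR; bad = 1; next }
        { for (i = 2; i <= NF; i++)
              if (length($i) != 12 || $i ~ /[^cbdefghijklnrtuv]/) {
                  printf "line %d: field %d is not a 12-char modhex id\n", NR, i
                  bad = 1 } }
        END { exit bad + 0 }' "$1"
}

# print the control flag (sufficient/required) of the pam_yubico auth line
yubico_control() {
    awk '$1 == "auth" && $3 ~ /pam_yubico\.so$/ { print $2; found = 1; exit }
         END { exit !found }' "$1"
}

# "@include yubikey" must come before "@include common-auth" in pam.d/sshd
check_pam_order() {
    awk '$1 == "@include" && $2 == "yubikey"     && !y { y = NR }
         $1 == "@include" && $2 == "common-auth" && !c { c = NR }
         END { exit !(y && (!c || y < c)) }' "$1"
}

# sshd uses the first value it reads for a keyword, so stop at the first match
check_challenge_response() {
    awk 'tolower($1) == "challengeresponseauthentication" { v = tolower($2); exit }
         END { exit (v != "yes") }' "$1"
}

audit() {
    rc=0
    check_authfile /etc/yubikey/id || rc=1
    ctl=$(yubico_control /etc/pam.d/yubikey) || { echo "no pam_yubico auth line"; rc=1; }
    [ "$ctl" = sufficient ] && echo "note: sufficient, otp alone logs in (required = 2fa)"
    check_pam_order /etc/pam.d/sshd || { echo "yubikey not included before common-auth"; rc=1; }
    check_challenge_response /etc/ssh/sshd_config ||
        { echo "ChallengeResponseAuthentication is not yes"; rc=1; }
    return $rc
}

# run the checks only when asked: sh thisfile audit
if [ "${1:-}" = audit ]; then audit; fi
```

keep an existing root session open while testing a new login, so a failed check can still be fixed.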