Yubikey
The Yubikey is a security token, intended for two-factor authentication, that emulates a keyboard to type one-time passwords generated with an AES key embedded in the device. It also supports static passwords and HMAC-SHA1 challenge/response authentication. The newest Yubikey models (4 and Neo) also support U2F, a standard created by the FIDO Alliance for strong second-factor authentication. The Yubikey supports the OATH TOTP and HOTP one-time password standards as well, and can be used for OpenPGP and PIV digital signatures and encryption. Some models also offer these features over NFC with Android devices. Yubico, the company that sells the Yubikey, also provides software for many 2FA purposes.
PAM two-factor Yubikey One-Time Password authentication
Note: Make sure you have at least one user that is able to log in without a Yubikey. Unless you change the key configuration, OTP validation relies on the YubiCloud servers run by Yubico, so if you cannot connect to the Internet you will not be able to authenticate with your Yubikey.
- Install pam_yubico for your desired Linux distribution.
- Create a yubikey group if one does not exist already:
sudo groupadd yubikey
- Add the users that you would like to authenticate to this group like this:
sudo usermod -aG yubikey username
- Each user must have a ~/.yubico/authorized_yubikeys file for Yubikey authentication to work. You can create one like this:
mkdir .yubico
chmod 0700 .yubico
nano .yubico/authorized_yubikeys
Type your username, followed by a colon, then insert your Yubikey and press its button. Delete all but the first 12 characters of the one-time password your Yubikey generated. For example, if your one-time password was
ccccaaaabbbbddddeeeeffffgggghhhhbiiiijjjjkkk
Then your file should look like
username:ccccaaaabbbb
Note that you can assign multiple Yubikeys to your account; simply separate the 12-character token IDs with colons, like so:
username:ccccaaaabbbb:ccccfabhhhhh
- Next, you will need to register for a Yubico API key. Make note of the id and key as you will need them for the next step.
- The next step depends on your distribution due to differing PAM configuration formats.
- If you are on Debian or Ubuntu, add the lines below to the top of /etc/pam.d/common-auth to enable Yubikey authentication for all applications that use PAM system authentication.
- If you are on Arch Linux, Fedora, CentOS, or Scientific Linux, add the lines below to the top of /etc/pam.d/system-auth to enable Yubikey authentication for all applications that use PAM system authentication.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so id=YUBI_ID key=YUBI_KEY
Replace YUBI_ID with the ID and YUBI_KEY with the key you received in the previous step.
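The procedure above asks you to keep the first 12 characters of an OTP by hand. The following shell functions, which are an added example and not part of the original page or of pam_yubico, automate that step and refuse input that is not a 44-character modhex OTP (the modhex alphabet is c b d e f g h i j k l n r t u v; the illustrative OTP above uses placeholder letters and would be rejected). The function names and the file-handling policy are this example's own; the in-place edit uses GNU sed -i.

```shell
#!/bin/sh
# Added example (not from the original page): derive the 12-character public ID
# from a Yubikey OTP and maintain a ~/.yubico/authorized_yubikeys file from it.
# Function names (yk_public_id, yk_authorized_line, yk_append_key) are our own.

# A real OTP is 44 modhex characters: the first 12 are the key's public ID,
# the remaining 32 are the AES-encrypted counter block that changes every press.
yk_public_id() {
    otp=$1
    [ "${#otp}" -eq 44 ] || return 1
    case "$otp" in
        *[!cbdefghijklnrtuv]*) return 1 ;;   # reject anything outside modhex
    esac
    printf '%s\n' "$otp" | cut -c1-12
}

# yk_authorized_line USERNAME OTP... -> "username:id1:id2", fails on a bad OTP
yk_authorized_line() {
    user=$1
    shift
    line=$user
    for otp in "$@"; do
        id=$(yk_public_id "$otp") || { echo "rejected OTP: $otp" >&2; return 1; }
        line="$line:$id"
    done
    printf '%s\n' "$line"
}

# yk_append_key USERNAME OTP [FILE] -> adds the OTP's public ID to FILE
# (default ~/.yubico/authorized_yubikeys), creating the 0700 directory the
# PAM module expects and extending the user's line if it already exists.
yk_append_key() {
    user=$1; otp=$2; file=${3:-$HOME/.yubico/authorized_yubikeys}
    id=$(yk_public_id "$otp") || { echo "rejected OTP: $otp" >&2; return 1; }
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 0700 "$dir"
    if [ -f "$file" ] && grep -q "^$user:" "$file"; then
        sed -i "s/^$user:.*/&:$id/" "$file"    # & is the matched line
    else
        printf '%s:%s\n' "$user" "$id" >> "$file"
    fi
    chmod 0600 "$file"
}
```

A typical call is yk_append_key "$USER" "$(head -c 44)" after pressing the key at the prompt; the length and alphabet checks stop a mistyped or truncated OTP from silently producing a wrong public ID that locks you out.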
Using an alternate keymap such as Dvorak
Add this section to your xorg configuration:
Section "InputClass"
    Identifier "yubikey"
    MatchIsKeyboard "on"
    MatchVendor "Yubico"
    MatchProduct "Yubico Yubikey II"
    Driver "evdev"
    Option "XkbRules" "evdev"
    Option "XkbModel" "pc105"
    Option "XkbLayout" "us"
    Option "XkbVariant" "basic"
EndSection
SELinux
If you are using SELinux, you may have trouble logging in from the console, because /sbin/login is typically not permitted to make outgoing TCP connections (which pam_yubico needs to reach the validation servers). To fix this, add an SELinux exception; as root, run:
grep login /var/log/audit/audit.log | audit2allow -M pamyubico
semodule -i pamyubico.pp
i3lock
i3lock does not currently appear to support two-factor OTP authentication. You will need to edit /etc/pam.d/i3lock to set the Yubikey authentication line to sufficient, or remove it entirely; otherwise you may not be able to unlock your screen.
sshd
If you would like to enable authentication over SSH using your Yubikey, edit /etc/ssh/sshd_config and make sure the following configuration settings are set:
ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes
After editing the configuration, restart sshd.
Unfortunately, you cannot use two-factor Yubikey authentication in combination with SSH public key authentication at the current time; you must pick one.
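A common way for the sshd settings above to silently not take effect is a duplicate keyword earlier in the file: sshd uses the first value it reads for a keyword and ignores later ones. The checker below is an added example, not part of the original page or of OpenSSH; it applies that first-occurrence rule to a constructed sample config and reports which of the three required settings are wrong. Function and variable names are this example's own, and Match blocks and the Keyword=value spelling are not handled.

```shell
#!/bin/sh
# Added example (not from the original page): verify the three sshd_config
# settings the section requires, using sshd's rule that the FIRST value set
# for a keyword wins. Names (sshd_effective, sshd_check_yubikey) are our own.

# sshd_effective KEYWORD < config -> prints the first uncommented value, if any
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }      # skip comments and blank lines
        tolower($1) == key { print $2; exit }    # first occurrence wins
    '
}

# sshd_check_yubikey < config -> prints each setting that is missing or wrong;
# returns 0 only when all three match what the section asks for
sshd_check_yubikey() {
    cfg=$(cat)
    rc=0
    for pair in ChallengeResponseAuthentication=yes PasswordAuthentication=no UsePAM=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$cfg" | sshd_effective "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: effective value '${got:-<unset>}', expected '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the "PasswordAuthentication no" added at the bottom does
# NOT take effect, because the earlier "yes" is the first value sshd sees.
SAMPLE_SSHD_CONFIG='# constructed sample sshd_config
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no'
```

Run it against the live file with sshd_check_yubikey < /etc/ssh/sshd_config, or compare with sshd -T, which prints the daemon's own effective values. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication, so the checker accepts only the spelling used on this page.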
PAM two-factor HMAC-SHA1 authentication
Note: This will make use of slot 2 of your Yubikey. You cannot also use it to store a static password.
HMAC-SHA1 challenge/response authentication may be a better choice for Dvorak users, or for laptops that are not guaranteed to have Internet access, because authentication happens without keyboard emulation or a network connection. Most, but not all, programs are compatible with this method. Since it requires direct hardware access to the key, it will never be usable with ssh.
- Install pam_yubico for your desired distribution.
- Edit /etc/pam.d/system-auth (or /etc/pam.d/common-auth, depending on your distribution) and place this at the top of the file:
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so mode=challenge-response
- Insert your Yubikey and run this command to program slot 2:
sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
- Create a yubikey group and add users you would like to authenticate using a Yubikey to it like this:
sudo groupadd yubikey
sudo usermod -aG yubikey username
- Run this command to set the current user up for Yubikey login:
ykpamcfg -2 -v
If you get a permissions error, follow the udev rule instructions under i3lock below.
- Finally, log out and attempt to log in. You will notice that you are prompted only for username and password, but Yubikey authentication is still taking place. To confirm, remove your Yubikey and attempt to log in again.
i3lock
- Because /etc/pam.d/i3lock includes login, you can simply ensure that the yubikey line is included in this file.
- Create the file /etc/udev/rules.d/90-yubikey.rules and place this in it:
SUBSYSTEMS=="usb", ATTR{product}=="Yubico Yubikey II", MODE="0660", GROUP="yubikey"
- Run
sudo udevadm control --reload
to restart udev and reload your rules.
- Lock your computer with i3lock as you normally would. Your Yubikey will now be required along with your password to unlock your screen.
Automatic Screen Locking (i3lock, slock, etc.)
This locks the screen when the yubikey is removed.
- Put this in /etc/udev/rules.d/90-yubikey.rules
ATTR{product}!="Yubico Yubikey II", GOTO="yubikey_end"
ACTION=="remove", RUN+="/usr/local/bin/ykgone"
LABEL="yubikey_end"
- Put this in /usr/local/bin/ykgone:
#!/bin/bash
# Only lock if no Yubikey is still attached: a mode change also fires "remove".
if [ -z "$(lsusb | grep Yubikey)" ] ; then
    /bin/su yourusername -c /usr/local/bin/lock
fi
The test is needed because the script is run whenever the Yubikey is polled for challenge-response authentication (the poll makes it switch from USB HID to serial and back, which udev reports as a remove and add), and we only want to lock the screen when the key is actually removed. Note that if you have Yubikey auth enabled in /etc/pam.d/su, it must come after auth sufficient pam_rootok.so.
- Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 for the screen locker to work correctly if you are not using a daemonized locker such as xscreensaver or gnome-screensaver.
U2F (Universal Second Factor) with Duo 2FA (Yubikey NEO and 4 only)
To use U2F on the Yubikey, one must first enable U2F mode (only supported on the NEO and 4). The U2F-only Yubikey already supports U2F out of the box.
From the yubikey personalization client man page:
YubiKey Neo only
-m mode
    set device configuration for the YubiKey. It is parsed in the form mode:cr_timeout:autoeject_timeout where mode is:
    0 OTP device only.
    1 CCID device only.
    2 OTP/CCID composite device.
    3 U2F device only.
    4 OTP/U2F composite device.
    5 U2F/CCID composite device.
    6 OTP/U2F/CCID composite device.
    Add 80 to set MODE_FLAG_EJECT, for example: 81
    cr_timeout is the timeout in seconds for the YubiKey to wait on button press for challenge response (default is 15)
    autoeject_timeout is the timeout in seconds before the card is automatically ejected in mode 81
-n URI
    Program NFC NDEF URI
-t text
    Program NFC NDEF text
The -m flag applies to the Yubikey 4 as well. Use this to enable U2F. I do not know if U2F is supported over NFC for the NEO.
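Because a mode change takes effect on the key itself, it is worth checking what a -m argument means before running ykpersonalize with it: modes 3 and 5 have no OTP interface, so a key switched to them stops working for the OTP-based PAM login described earlier on this page. The decoder below is an added example, not part of the original page or of the ykpersonalize tool; it parses the mode:cr_timeout:autoeject_timeout form from the man page excerpt above, applies the +80 eject flag, and warns when OTP would be lost. The function name is this example's own, and the only default it assumes is the documented cr_timeout of 15.

```shell
#!/bin/sh
# Added example (not from the original page or ykpersonalize): decode a "-m"
# argument of the form mode:cr_timeout:autoeject_timeout and flag modes that
# drop the OTP interface. The function name yk_mode_describe is our own.

# yk_mode_describe SPEC -> prints "interfaces=... eject=... cr_timeout=...
# autoeject_timeout=..." on stdout; returns 1 on a malformed spec
yk_mode_describe() {
    spec=$1
    oldifs=$IFS; IFS=:
    set -- $spec                       # split on ':' into mode, cr, autoeject
    IFS=$oldifs
    mode=$1; cr=${2:-15}; ae=${3:-unset}   # 15 is the man page's cr default
    for n in "$mode" "$cr"; do
        case $n in ''|*[!0-9]*) echo "bad number in spec: $spec" >&2; return 1 ;; esac
    done
    if [ "$ae" != unset ]; then
        case $ae in *[!0-9]*) echo "bad autoeject_timeout: $ae" >&2; return 1 ;; esac
    fi
    eject=no
    if [ "$mode" -ge 80 ]; then        # "Add 80 to set MODE_FLAG_EJECT"
        eject=yes; mode=$((mode - 80))
    fi
    case $mode in
        0) ifaces=OTP ;;
        1) ifaces=CCID ;;
        2) ifaces=OTP/CCID ;;
        3) ifaces=U2F ;;
        4) ifaces=OTP/U2F ;;
        5) ifaces=U2F/CCID ;;
        6) ifaces=OTP/U2F/CCID ;;
        *) echo "unknown mode: $1" >&2; return 1 ;;
    esac
    case $ifaces in
        *OTP*) ;;
        *) echo "warning: mode $1 has no OTP interface; pam_yubico OTP login will stop working" >&2 ;;
    esac
    printf 'interfaces=%s eject=%s cr_timeout=%s autoeject_timeout=%s\n' \
        "$ifaces" "$eject" "$cr" "$ae"
}
```

For example, yk_mode_describe 81:15:60 reports a CCID-only key with the eject flag set, while yk_mode_describe 3 prints the U2F-only result and a warning on stderr; mode 6 keeps OTP, U2F and CCID all enabled.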
For Duo, U2F devices can be self-registered; however, they can only be used with Chrome. See the Arch Wiki.