Changes


Yubikey

872 bytes added, 09:17, 2 January 2018
no edit summary
The '''Yubikey''' is a [[w:security token|security token]], intended to be used for [[w:Two-factor authentication|two-factor authentication]], that emulates a keyboard to enter one-time passwords generated using an AES encryption key embedded on the device. There is also support for static passwords and [[w:HMAC|HMAC-SHA1]] challenge/response authentication. The newest Yubikey models (4 and Neo) also support [https://developers.yubico.com/U2F/ U2F], a standard created by the [https://fidoalliance.org/ FIDO Alliance] for strong 2nd factor authentication. The Yubikey supports the OATH TOTP and HOTP standards for one-time passwords as well, and can be used with OpenPGP and PIV digital signatures and encryption. Some models also support these features over NFC with Android devices. Yubico, the company which sells the Yubikey, also provides [https://developers.yubico.com/Software_Projects/ software] for many 2FA purposes.
 
PAM modules for the Yubikey make it possible to use it for single or multi-factor authentication schemes on workstations and servers. Of most interest are libpam-yubikey and libpam-u2f, but libpam-pkcs11, libpam-radius-auth, and several HOTP/TOTP modules are also likely usable with the Yubikey.
== PAM two-factor Yubikey One-Time Password authentication ==
After editing the configuration, restart sshd.
If you would like to use two-factor Yubikey authentication in combination with SSH public key authentication, you should look at [http://undeadly.org/cgi?action=article&sid=20130616112437 this Undeadly article] and the ''AuthenticationMethods'' option for openssh.
== PAM two-factor HMAC-SHA1 authentication ==
The test is needed because the script is run whenever the yubikey is polled for challenge-response authentication (because this causes it to change modes from USB HID to serial and back again), and we only want to lock the screen when the key is actually removed. Note that if you have yubikey auth enabled in /etc/pam.d/su, it must come after <code>auth sufficient pam_rootok.so</code>.
* Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 to have the screen locker work correctly if you're not using a daemonized locker such as xscreensaver or gnome-screensaver.
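One way to write the lock script together with the removal test described above, as an added example that is not the wiki's own script: it assumes the Yubikey shows up in sysfs with Yubico's USB vendor ID 1050, a two-second grace period to let a challenge-response mode switch settle, and xscreensaver as the locker.

```shell
#!/bin/sh
# Added example of /usr/local/bin/lock: lock the screen only if the Yubikey
# is really gone, not merely re-enumerating during a challenge-response poll.
# Assumptions: Yubico's USB vendor ID is 1050 (hex, as sysfs prints it);
# the grace period and the xscreensaver locker are choices, not wiki content.
YUBICO_VENDOR="1050"
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
GRACE_SECONDS="${GRACE_SECONDS:-2}"

# yubikey_present DIR: succeed if any USB device under DIR reports idVendor 1050.
yubikey_present() {
    for f in "$1"/*/idVendor; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" = "$YUBICO_VENDOR" ]; then
            return 0
        fi
    done
    return 1
}

# should_lock DIR SECONDS: wait for a HID<->serial mode switch to settle,
# then succeed only if no Yubikey is present afterwards (the "test").
should_lock() {
    sleep "$2"
    if yubikey_present "$1"; then
        return 1   # key came back: this was a poll, not a removal
    fi
    return 0
}

lock_screen() {
    # udev runs us without an X session environment, so set DISPLAY by hand.
    DISPLAY=:0
    export DISPLAY
    xscreensaver-command -lock
}

# Run the real logic only when installed and invoked as "lock", so the
# functions above can be sourced and tested without touching the display.
case "$0" in
    */lock|lock)
        if should_lock "$SYSFS_USB" "$GRACE_SECONDS"; then
            lock_screen
        fi
        ;;
esac
```

Point your udev rule at this script; if the key is only being polled, it reappears within the grace period and no lock happens.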
 
== PGP Keys ==
 
It is best to see [https://wiki.archlinux.org/index.php/Yubikey#Enabling_OpenPGP_smartcard_mode this section] in the Arch wiki for details; with some configuration, it is possible to use your PGP keyring as an SSH key, too.
== U2F (Universal Second Factor) with Duo [[gp:2FA|2FA]] (Yubikey NEO and 4 only) ==
[[w:Universal 2nd Factor|U2F]] is a new standard from the FIDO Alliance for use in web browsers; it is based on a challenge-response protocol. The most interesting services currently supporting it are GitHub, Google, and Virginia Tech's Duo two-factor.
===Key Preparation===
===Using with Virginia Tech 2-Factor (Duo)===
There are two ways to use two-factor with CAS Shibboleth ''login''. Both require Chrome (Chromium may work, but is currently untested). Option 2 allows Firefox usage after the initial setup.
1. Open Chrome. When logging in using CAS, the Duo popup will open asking what source to use for two factor. On the sidebar, click add device. It will want to confirm using an existing method first. Then, select that you want to enroll a U2F token. Follow the instructions onscreen to enroll. Once completed, you can just tap your Yubikey (or other U2F token) to authenticate.
[[Category:Howtos]]
[[Category:Hardware]]
[[Category:Security]]
Anonymous user
