Yubikey

2,858 bytes added, 09:17, 2 January 2018
no edit summary
The '''Yubikey''' is a [[w:security token|security token]], intended to be used for [[w:Two-factor authentication|two-factor authentication]], that emulates a keyboard to enter one-time passwords generated using an AES encryption key embedded on the device. There is also support for static passwords and [[w:HMAC|HMAC-SHA1]] challenge/response authentication. The newest Yubikey models (4 and NEO) also support [https://developers.yubico.com/U2F/ U2F], a standard created by the [https://fidoalliance.org/ FIDO Alliance] for strong second-factor authentication. The Yubikey supports the OATH TOTP and HOTP standards for one-time passwords as well, and can be used with OpenPGP and PIV digital signatures and encryption. Some models also support these features over NFC with Android devices. Yubico, the company which sells the Yubikey, also provides [https://developers.yubico.com/Software_Projects/ software] for many 2FA purposes.
PAM modules for the Yubikey make it possible to use it for single- or multi-factor authentication schemes on workstations and servers. Of most interest are libpam-yubikey and libpam-u2f, but libpam-pkcs11, libpam-radius-auth, and several HOTP/TOTP modules are also likely usable with the Yubikey.
== PAM two-factor Yubikey One-Time Password authentication ==
'''Note:''' Make sure you have at least one user that is able to log in without a Yubikey; if you are not able to connect to the Internet, you will not be able to use your Yubikey, as it relies on the [https://developers.yubico.com/Software_Projects/YubiKey_OTP/YubiCloud_Validation_Servers/ Yubicloud] servers run by Yubico, unless you change the key configuration.
* Install [https://github.com/Yubico/yubico-pam pam_yubico] for your desired Linux distribution.
After editing the configuration, restart sshd.
If you would like to use two-factor Yubikey authentication in combination with SSH public key authentication, see [http://undeadly.org/cgi?action=article&sid=20130616112437 this Undeadly article] and the ''AuthenticationMethods'' option for OpenSSH.
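The following script is an added example and is not part of this wiki page or of pam_yubico. It checks the two things the section above depends on: that pam_yubico.so is in the PAM auth stack (and, for <code>/etc/pam.d/su</code>, that it comes after pam_rootok.so), and that sshd is configured to require both a public key and the PAM keyboard-interactive step through ''AuthenticationMethods''. The checks read configuration text from stdin so they can be tried on the constructed samples embedded in the script; the Yubico API client id and the <code>/etc/yubikey_mappings</code> path in the samples are placeholders.

```shell
#!/bin/sh
# Added example (not from the wiki page or from pam_yubico): sanity-check the
# PAM and sshd configuration described above. Each check reads a config file
# from stdin; run it against the constructed samples below, or against the live
# files on a real system (see the last comment).

# 0 if the PAM stack on stdin has an (uncommented) auth line for pam_yubico.so.
pam_has_yubico() {
  grep -Eq '^[[:space:]]*auth[[:space:]]+[^#]*pam_yubico\.so'
}

# 0 if the pam_yubico.so auth line comes AFTER the pam_rootok.so line, which is
# what /etc/pam.d/su needs so that root is not prompted for a Yubikey.
pam_yubico_after_rootok() {
  awk '
    /^[[:space:]]*auth[[:space:]]+[^#]*pam_rootok\.so/ { rootok = NR }
    /^[[:space:]]*auth[[:space:]]+[^#]*pam_yubico\.so/ { yubico = NR }
    END { exit !(rootok && yubico && yubico > rootok) }
  '
}

# 0 if sshd_config on stdin enables PAM, enables keyboard-interactive prompts
# (KbdInteractiveAuthentication, or its older alias
# ChallengeResponseAuthentication), and chains publickey with
# keyboard-interactive in AuthenticationMethods.
sshd_requires_key_and_pam() {
  awk '
    $1 ~ /^#/ { next }
    tolower($1) == "usepam" && tolower($2) == "yes" { pam = 1 }
    tolower($1) == "challengeresponseauthentication" && tolower($2) == "yes" { kbd = 1 }
    tolower($1) == "kbdinteractiveauthentication" && tolower($2) == "yes" { kbd = 1 }
    tolower($1) == "authenticationmethods" && $2 ~ /publickey,keyboard-interactive/ { chain = 1 }
    END { exit !(pam && kbd && chain) }
  '
}

# Constructed samples. CLIENT_ID_PLACEHOLDER stands in for your Yubico API
# client id; /etc/yubikey_mappings is an assumed path for the user->key map.
SAMPLE_PAM_SU='auth       sufficient pam_rootok.so
auth       required   pam_yubico.so id=CLIENT_ID_PLACEHOLDER authfile=/etc/yubikey_mappings
auth       include    system-auth'

SAMPLE_PAM_SU_BAD='auth       required   pam_yubico.so id=CLIENT_ID_PLACEHOLDER authfile=/etc/yubikey_mappings
auth       sufficient pam_rootok.so
auth       include    system-auth'

SAMPLE_SSHD='UsePAM yes
KbdInteractiveAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
AuthenticationMethods publickey,keyboard-interactive:pam'

# $1 = label, $2 = check function, $3 = config text
report() {
  if printf '%s\n' "$3" | "$2"; then echo "ok    $1"; else echo "FAIL  $1"; fi
}

report "pam.d/su: pam_yubico present"          pam_has_yubico            "$SAMPLE_PAM_SU"
report "pam.d/su: pam_yubico after pam_rootok" pam_yubico_after_rootok   "$SAMPLE_PAM_SU"
report "pam.d/su: pam_yubico BEFORE pam_rootok" pam_yubico_after_rootok  "$SAMPLE_PAM_SU_BAD"
report "sshd_config: key + PAM both required"  sshd_requires_key_and_pam "$SAMPLE_SSHD"

# Live system:
#   pam_yubico_after_rootok   < /etc/pam.d/su
#   sshd_requires_key_and_pam < /etc/ssh/sshd_config
```

The second sample deliberately has the two PAM lines swapped so the ordering check is seen to fail; the sshd check accepts either spelling of the keyboard-interactive option because OpenSSH renamed it while keeping the old name as an alias.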
== PAM two-factor HMAC-SHA1 authentication ==
The test is needed because the script is run whenever the yubikey is polled for challenge-response authentication (because this causes it to change modes from USB HID to serial and back again), and we only want to lock the screen when the key is actually removed. Note that if you have yubikey auth enabled in /etc/pam.d/su, it must come after <code>auth sufficient pam_rootok.so</code>.
* Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 to have the screen locker work correctly if you're not using a daemonized locker such as xscreensaver or gnome-screensaver.
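The script below is an added example of the <code>/usr/local/bin/lock</code> handler described above; it is not the wiki's own script. It shows the test the section refers to: a udev rule fires on every USB remove event, including the one a challenge-response poll causes when the key switches from HID to serial and back, so the handler first checks whether any Yubico device (USB vendor ID 1050) is still enumerated and only locks the screen when none is. The udev rule path, the grace period, and the lsusb sample lines are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the wiki's script): screen-lock handler run by a udev
# "remove" rule. Assumed rule, e.g. in /etc/udev/rules.d/85-yubikey-lock.rules:
#   ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/bin/lock"
# udev exports ACTION into the environment of RUN programs, which is how the
# script knows it was called for a remove event and not sourced by hand.

# 0 if lsusb-style output on stdin lists at least one Yubico device (vendor 1050).
yubikey_present() {
  grep -Eiq '^Bus [0-9]+ Device [0-9]+: ID 1050:'
}

lock_screen() {
  # A locker started from udev has no session environment, so set DISPLAY
  # explicitly unless a daemonized locker (xscreensaver, gnome-screensaver)
  # is already running and accepts the lock command.
  export DISPLAY="${DISPLAY:-:0}"
  if command -v xdg-screensaver >/dev/null 2>&1; then
    xdg-screensaver lock
  elif command -v xscreensaver-command >/dev/null 2>&1; then
    xscreensaver-command -lock
  else
    echo "lock: no screen locker found" >&2
    return 1
  fi
}

lock_if_removed() {
  # Give a mode-switching key a moment to re-enumerate before deciding
  # (assumed default of 2 seconds; override with YUBIKEY_GRACE).
  sleep "${YUBIKEY_GRACE:-2}"
  if lsusb | yubikey_present; then
    return 0   # still attached: this was a mode switch, not a removal
  fi
  lock_screen
}

# Constructed lsusb output for exercising the detection without a key attached.
SAMPLE_WITH_KEY='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 005: ID 1050:0407 Yubico.com Yubikey 4 OTP+U2F+CCID'
SAMPLE_WITHOUT_KEY='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub'

# Only act when udev invoked us for a remove event.
case "${ACTION:-}" in
  remove) lock_if_removed ;;
esac
```

Matching on the vendor id rather than a specific product id keeps the rule working when the key re-enumerates with a different interface set; pass <code>YUBIKEY_GRACE=0</code> to run the check immediately.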
 
== PGP Keys ==
 
It is best to see [https://wiki.archlinux.org/index.php/Yubikey#Enabling_OpenPGP_smartcard_mode this section] in the arch wiki for details; with configuration, it is possible to use your PGP keyring as an ssh key, too.
== U2F (Universal Second Factor) with Duo [[gp:2FA|2FA]] (Yubikey NEO and 4 only) ==
[[w:Universal 2nd Factor|U2F]] is a new standard from the FIDO Alliance for use in web browsers; it is based on a challenge-response protocol. The most interesting services currently supporting it are GitHub, Google, and Virginia Tech's Duo two-factor.
===Key Preparation===
To use U2F on the Yubikey, one must first enable U2F mode (only supported on the NEO and 4). The U2F-only Yubikey and the Yubikey Edge already support U2F out of the box, and Yubikeys purchased from the VT Bookstore also have U2F enabled.
From the yubikey [https://www.archlinux.org/packages/community/x86_64/yubikey-personalization/ personalization client] man page:
Program NFC NDEF text
The <code>-m</code> flag applies to the Yubikey 4 as well. Use this to enable U2F. I do not know if U2F is also supported over NFC for the NEO.
===Install Packages===
You will likely need to install the U2F udev rules for it to work. Ubuntu ships with these udev rules.
* For Fedora: <code>dnf install libu2f-host</code>
* For ArchLinux: <code>pacman -S libu2f-host</code>
===Using with Virginia Tech 2-Factor (Duo)===
There are two ways to use two-factor with Shibboleth ''login''. Both will require Chrome or Chromium. Option 2 allows Firefox usage after the initial setup.
# Open Chrome. When logging in using CAS, the Duo popup will open asking what source to use for two-factor. On the sidebar, click "add device". It will want to confirm using an existing method first. Then, select that you want to enroll a U2F token. Follow the instructions onscreen to enroll. Once completed, you can just tap your Yubikey (or other U2F token) to authenticate.
# This is only if you want to use Firefox and still want to use U2F. First, set up U2F using Chrome. Then, download the Firefox U2F extension and UAControl. Set up UAControl to send a Chrome user agent to login.vt.edu instead of the normal Firefox one, and it should then allow you to use 2FA under Firefox.
For Duo, U2F devices can be self-registered; however, they can only be used on Chrome. See the [https://wiki.archlinux.org/index.php/Yubikey#Enabling_U2F_in_the_browser Arch Wiki] for more information.
== External links ==
[[Category:Howtos]]
[[Category:Hardware]]