Yubikey

From the Linux and Unix Users Group at Virginia Tech Wiki
Jump to: navigation, search

The Yubikey is a security token, intended to be used for two-factor authentication, that emulates a keyboard to enter one-time passwords generated using an AES encryption key embedded on the device. There is also support for static passwords and HMAC-SHA1 challenge/response authentication. The newest Yubikey models (4 and Neo) also support U2F, a standard created by the FIDO Alliance for strong 2nd factor authentication. Yubikey supports OAUTH TOTP and HOTP standards for one-time passwords as well, and can be used with open PGP and PIV digital signatures and encryption. Some models also support these features over NFC with Android devices. Yubico, the company which sells the Yubikey, also provides software for many 2FA purposes.

PAM two-factor Yubikey One-Time Password authentication

Note: Make sure you have at least one user that is able to login without a Yubikey; if you are not able to connect to the Internet, you will not be able to use your Yubikey, as it relies on the Yubicloud servers run by Yubico, unless you change the key configuration.

  • Install pam_yubico for your desired Linux distribution.
  • Create a yubikey group if one does not exist already:
sudo groupadd yubikey
  • Add the users that you would like to authenticate to this group like this:
sudo usermod -aG yubikey username
  • Each user must have a ~/.yubico/authorized_yubikeys file for Yubikey authentication to work. You can create one like this:
mkdir .yubico
chmod 0700 .yubico
nano .yubico/authorized_yubikeys

Type your username, followed by a colon, then insert and press your Yubikey. Delete all but the first 12 characters of your one time password generated by your Yubikey. For example, if your one-time password was

ccccaaaabbbbddddeeeeffffgggghhhhbiiiijjjjkkk

Then your file should look like

username:ccccaaaabbbb

Note that you can assign multiple Yubikeys to your account; simply separate the 12-character token IDs with colons, like so:

username:ccccaaaabbbb:ccccfabhhhhh
  • The next step depends on your distribution due to differing PAM configuration formats.
    • If you are on Debian or Ubuntu, add the lines below to the top of /etc/pam.d/common-auth to enable Yubikey authentication for all applications that use PAM system authentication.
    • If you are on Arch Linux, Fedora, CentOS, or Scientific Linux, add the lines below to the top of /etc/pam.d/system-auth to enable Yubikey authentication for all applications that use PAM system authentication.
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth required pam_yubico.so id=YUBI_ID key=YUBI_KEY

Replace YUBI_ID with the ID and YUBI_KEY with the key you received in the previous step.

Using an alternate keymap such as Dvorak

Add this section to your xorg configuration:

Section "InputClass"
 Identifier      "yubikey"
 MatchIsKeyboard "on"
 MatchVendor     "Yubico"
 MatchProduct    "Yubico Yubikey II"
 Driver          "evdev"
 Option          "XkbRules" "evdev"
 Option          "XkbModel" "pc105"
 Option          "XkbLayout" "us"
 Option          "XkbVariant" "basic"
EndSection

SELinux

If you are using SELinux, you may experience problems with logging in from the console because /sbin/login is typically not permitted to make outgoing TCP connections. To fix this, you will need to add a SELinux exception; as root

grep login /var/log/audit/audit.log | audit2allow -M pamyubico
semodule -i pamyubico.pp

i3lock

i3lock does not appear to currently have support for two-factor OTP authentication. You will need to customize /etc/pam.d/i3lock to set yubikey authentication to sufficient or you can remove it entirely. Otherwise, you may not be able to unlock your screen.

sshd

If you would like to enable authentication over SSH using your Yubikey, edit /etc/ssh/sshd_config and make sure the following configuration settings are set:

ChallengeResponseAuthentication yes
PasswordAuthentication no
UsePAM yes

After editing the configuration, restart sshd.

Unfortunately, you cannot use two-factor Yubikey authentication in combination with SSH public key authentication at the current time; you must pick one.

PAM two-factor HMAC-SHA1 authentication

Note: This will make use of slot 2 of your Yubikey. You cannot also use it to store a static password.

HMAC-SHA1 authentication may be a better choice for Dvorak users or laptops that aren't guaranteed to have Internet access as authentication is done without keyboard emulation or Internet access. Most, but not all, programs are compatible with this method. Since this method requires direct hardware access, it will never be possible to use with ssh.

  • Install pam_yubico for your desired distribution.
  • Edit /etc/pam.d/system-auth (or /etc/pam.d/common-auth, depending on your distribution) and place this at the top of the file:
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup yubikey
auth		required	pam_yubico.so mode=challenge-response
  • Insert your Yubikey and run this command to program slot 2:
sudo ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
  • Create a yubikey group and add users you would like to authenticate using a Yubikey to it like this:
sudo groupadd yubikey
sudo usermod -aG yubikey username
  • Run this command to set the current user up for Yubikey login:
ykpamcfg -2 -v

If you get a permissions error, follow the instructions under i3lock below.

  • Finally, log out and attempt to log in. You will notice that you are prompted only for username and password, but Yubikey authentication is still taking place. To confirm, remove your Yubikey and attempt to login.

i3lock

  • Because /etc/pam.d/i3lock includes login, you can simply ensure that the yubikey line is included in this file.
  • Create the file /etc/udev/rules.d/90-yubikey.rules and place this in it:
SUBSYSTEMS=="usb", ATTR{product}=="Yubico Yubikey II", MODE="0660", GROUP="yubikey"
  • Run sudo udevadm control --reload to restart udev and reload your rules.
  • Lock your computer with i3lock as you normally would. Your Yubikey will now be required along with your password to unlock your screen.

Automatic Screen Locking (i3lock, slock, etc.)

This locks the screen when the yubikey is removed.

  • Put this in /etc/udev/rules.d/90-yubikey.rules
ATTR{product}!="Yubico Yubikey II", GOTO="yubikey_end"
ACTION=="remove", RUN+="/usr/local/bin/ykgone"
LABEL="yubikey_end"
  • Put this in /usr/local/bin/ykgone:
#!/bin/bash
if [ -z "$(lsusb | grep Yubikey)" ] ; then
	/bin/su yourusername -c /usr/local/bin/lock
fi

The test is needed because the script is run whenever the yubikey is polled for challenge-response authentication (because this causes it to change modes from USB HID to serial and back again), and we only want to lock the screen when the key is actually removed. Note that if you have yubikey auth enabled in /etc/pam.d/su, it must come after auth sufficient pam_rootok.so.

  • Put your script to lock the screen in /usr/local/bin/lock. You must set DISPLAY=:0 to have the screen locker work correctly if you're not using a daemonized locker such as xscreensaver or gnome-screensaver.

U2F (Universal Second Factor) with Duo 2FA (Yubikey NEO and 4 only)

Key Preparation

To use U2F on the yubikey, one must first enable U2F mode (only supported on NEO and 4). The U2F-only yubikey and the yubikey edge already supports U2F out of the box, and Yubikeys purchased from the VT Bookstore also have U2F enabled.

From the yubikey personalization client man page:

YubiKey Neo only
      -m mode
          set device configuration for the YubiKey. It is parsed in the form mode:cr_timeout:autoeject_timeout where mode is:

          0
              OTP device only.

          1
              CCID device only.

          2
              OTP/CCID composite device.

          3
              U2F device only.

          4
              OTP/U2F composite device.

          5
              U2F/CCID composite device.

          6
              OTP/U2F/CCID composite device. Add 80 to set MODE_FLAG_EJECT, for example: 81

              cr_timeout is the timeout in seconds for the YubiKey to wait on button press for challenge response (default is 15)

              autoeject_timeout is the timeout in seconds before the card is automatically ejected in mode 81

      -n URI
          Program NFC NDEF URI

      -t text
          Program NFC NDEF text

The -m flag applies to the yubikey 4 as well. Use this to enable U2F. U2F is also supported over NFC for the NEO.

Install Packages

You will likely need to install the u2f udev rules for it to work. Ubuntu ships with these udev rules.

  • For Fedora: dnf install libu2f-host
  • For ArchLinux: pacman -S libu2f-host

Using with Virginia Tech 2-Factor (Duo)

There are two ways to use two factor with CAS login. Both will require Chrome (Chromium may work, but is currently untested). Option 2 allows Firefox usage after the initial setup.

1. Open Chrome. When logging in using CAS, the Duo popup will open asking what source to use for two factor. On the sidebar, click add device. It will want to confirm using an existing method first. Then, select that you want to enroll a U2F token. Follow the instructions onscreen to enroll. Once completed, you can just tap your Yubikey (or other U2F token) to authenticate.

2. This is only if you want to use Firefox and still want to use U2F. First, setup U2F using Chrome. Then, download the Firefox U2F extension and UAControl. Setup UAControl to send a Chrome User Agent to login.vt.edu instead of the normal Firefox one, and it should then allow you to use 2FA under Firefox.

See the Arch Wiki for more information.

External links