YubiKey
YubiKey is a line of security keys manufactured by Yubico. They are hardware-based 2FA devices designed to protect access to computers, networks, and online services, and they support one-time passwords (OTP), public-key cryptography and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. They come in a handful of form factors, but the key feature you need is on all of them: someone has to be there - in person - to touch the button and release the key, or you shall not pass.
Installation
There are a lot of things made for these keys, but the two main packages you are looking for are the cross-platform YubiKey Manager and Yubico Authenticator.
- YubiKey Manager is what configures the YubiKey itself.
- Yubico Authenticator is a 2FA authentication app, much like the ones that Google & Microsoft make, except it stores things on the YubiKey itself instead of on your phone.
Advanced Magick
There are all sorts of official tools for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.
Two-Factor Sudo
In Linux, you can use YubiKey passwordless authentication on the sudo and su commands (and others). You can also use it in 2FA mode, where you will be required to enter your password and touch your YubiKey. Instructions for both are outlined below:
Install Dependencies
First, make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros.
$ sudo apt install libpam-u2f libpam-yubico pamu2fcfg
Setup
- Plug in your YubiKey and run:
mkdir ~/.config/Yubico
- Type:
pamu2fcfg > ~/.config/Yubico/u2f_keys
to add your YubiKey to the list of accepted keys.
- (Optional) Register additional keys with:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
- Open the PAM sudo config:
sudo nano /etc/pam.d/sudo
- For passwordless sudo, add:
auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...]
before the @include common-auth line.
- OR, for 2FA sudo, add:
auth required pam_u2f.so cue [cue_prompt=Tap key to continue...]
after the @include common-auth line.
- Save the file, but do not close nano!
- Confirm the changes work by running:
sudo echo SUCCESS
in a second terminal window. If it works, you can close nano. If it doesn't, you did something wrong: revert your changes to /etc/pam.d/sudo and try again.
You can make these same changes to other PAM configuration files while you are at it. Repeat the PAM config step above (open the file and add the pam_u2f line in the same position) on /etc/pam.d/su and /etc/pam.d/sudo-i to enable YubiKey authentication on those commands as well!
Find this page online at: https://bestpoint.institute/gear/yubi