YubiKey

YubiKey is a line of hardware security keys made by Yubico. They are hardware-based second-factor (2FA) devices designed to protect access to computers, networks, and online services, and they support one-time passwords (OTP), public-key cryptography (PIV smart card and OpenPGP on the models that carry those applications), and the Universal 2nd Factor (U2F) and FIDO2 authentication protocols. They come in a handful of form factors, but the key feature you need is on all of them: someone has to be there, in person, to touch the button and approve the operation, or you shall not pass. For U2F/FIDO2 that touch is always required; for the PIV and OpenPGP applications it is a per-key touch policy you configure yourself, so set it deliberately if you rely on it there.

Installation

There are a lot of things made for these keys, but the two main packages you are looking for are the cross-platform YubiKey Manager and Yubico Authenticator.

  • YubiKey Manager (ykman, available as both a GUI and a command-line tool) is what configures the YubiKey itself.
  • Yubico Authenticator is a TOTP/HOTP authenticator app, much like the ones that Google & Microsoft make, except the secrets are stored on the YubiKey itself instead of on your phone, so a lost or infected phone does not leak them.

Advanced Magick

There are all sorts of official tools for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.

Two-Factor Sudo

On Linux, you can use your YubiKey for passwordless authentication on the sudo and su commands (and others). You can also use it in 2FA mode, where you are required to enter your password and then touch your YubiKey. Instructions for both are outlined below:

Install Dependencies

First, make sure the prerequisite PAM module is installed. On Debian/Ubuntu the libpam-u2f package provides both the pam_u2f.so module and the pamu2fcfg registration tool used below. (libpam-yubico is a separate module for Yubico OTP authentication and is not needed for this U2F/FIDO setup.) You may need to hunt the package down yourself on other distros.

$ sudo apt install libpam-u2f

Setup
  1. Plug in your YubiKey and run mkdir -p ~/.config/Yubico
  2. Run pamu2fcfg > ~/.config/Yubico/u2f_keys and touch the key when it blinks to add it to the list of accepted keys for your user
    • (optional) Register additional keys with: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
  3. Open the PAM sudo config: sudo nano /etc/pam.d/sudo
    • For passwordless sudo: add auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...] before @include common-auth (a touched key satisfies sudo on its own; if no key is plugged in, PAM falls through to the normal password prompt)
    • OR for 2FA sudo: add auth required pam_u2f.so cue [cue_prompt=Tap key to continue...] after @include common-auth (password first, then the key; both must succeed). Note that with required, any account without a registered key in its u2f_keys file can no longer sudo at all; append the nouserok option to that line if such accounts should fall back to password-only.
  4. Save the file and do not close nano!
  5. Confirm the change works by running sudo -k && sudo echo SUCCESS in a second terminal window (sudo -k discards any cached credential, so the PAM stack is really exercised rather than skipped). If it works, you can close nano. If it doesn't, you did something wrong: revert your changes to pam.d/sudo from the still-open editor and try again.

You can make the same change to other PAM service files while you are at it: repeat step 3 on /etc/pam.d/su and /etc/pam.d/sudo-i to enable YubiKey authentication on those commands as well, and keep a root shell open while you do, for the same reason as step 4.
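The steps above, as an added example script (not the wiki's own code, and not Yubico's): a small POSIX shell helper that inserts the pam_u2f line into a PAM service file at the correct position relative to @include common-auth, refuses to add it twice or to a file that lacks that anchor, and can report where the line landed so you can verify before closing your editor. It departs from the page's config in one deliberate way: it points pam_u2f at a hypothetical root-owned central file /etc/Yubico/u2f_keys via authfile= rather than the per-user ~/.config/Yubico/u2f_keys, so that a user whose session is compromised cannot enrol an attacker's key for sudo. The AUTHFILE location and the mode names are assumptions of this example.

```shell
#!/bin/sh
# Added example: place a pam_u2f line in a PAM service file, idempotently.
# Assumptions (not from the original page): Debian-style PAM files that use
# "@include common-auth"; the PAM control word decides the placement.
set -eu

# Hypothetical root-owned central authfile. pam_u2f reads
# ~/.config/Yubico/u2f_keys by default; authfile= below overrides that.
AUTHFILE=/etc/Yubico/u2f_keys

# u2f_line MODE: print the PAM line for MODE (passwordless | 2fa).
u2f_line() {
  case "$1" in
    passwordless) printf 'auth sufficient pam_u2f.so authfile=%s cue [cue_prompt=Tap key to continue...]\n' "$AUTHFILE" ;;
    2fa)          printf 'auth required pam_u2f.so authfile=%s cue [cue_prompt=Tap key to continue...]\n' "$AUTHFILE" ;;
    *) echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# add_u2f FILE MODE: edit FILE in place. Passwordless goes BEFORE the
# @include so a touched key short-circuits the password; 2fa goes AFTER so
# the password is checked first and the key is then required as well.
add_u2f() {
  local file mode line tmp
  file=$1; mode=$2
  line=$(u2f_line "$mode") || return 2
  if grep -q 'pam_u2f\.so' "$file"; then
    echo "$file already references pam_u2f.so; not editing" >&2
    return 1
  fi
  if ! grep -q '^@include common-auth' "$file"; then
    echo "$file has no '@include common-auth' line to anchor on" >&2
    return 1
  fi
  tmp=$(mktemp)
  awk -v ins="$line" -v mode="$mode" '
    /^@include common-auth/ && mode == "passwordless" { print ins }
    { print }
    /^@include common-auth/ && mode == "2fa" { print ins }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file"   # write through so the file keeps its owner and mode
  rm -f "$tmp"
}

# position_of FILE: print "before" or "after" depending on where the
# pam_u2f line sits relative to the include; fails if either is missing.
position_of() {
  local f u2f inc
  f=$1
  u2f=$(grep -n 'pam_u2f\.so' "$f" | cut -d: -f1 | head -n1)
  inc=$(grep -n '^@include common-auth' "$f" | cut -d: -f1 | head -n1)
  [ -n "$u2f" ] && [ -n "$inc" ] || return 1
  if [ "$u2f" -lt "$inc" ]; then echo before; else echo after; fi
}

# Direct usage (as root): ./add-u2f.sh /etc/pam.d/sudo 2fa
if [ $# -ge 2 ]; then
  add_u2f "$1" "$2" && echo "pam_u2f placed $(position_of "$1") the include in $1"
fi
```

Run it as root with a second root shell already open, then verify with sudo -k && sudo echo SUCCESS exactly as in step 5. The central file takes one line per user in the same format pamu2fcfg prints (username:keyhandle,pubkey,...), so have each user run pamu2fcfg and copy the output into it as root, with the file writable by root only. Accounts with no line in the file are refused by pam_u2f unless nouserok is added to the module line.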

gear/yubi.txt · Last modified: 2024/09/28 05:54 by Humphrey Boa-Gart

Find this page online at: https://bestpoint.institute/gear/yubi