Differences

This shows you the differences between two versions of the page.

--- gear:yubi [2024/07/05 02:56] – Humphrey Boa-Gart
+++ gear:yubi [2024/09/28 09:54] (current) – [Two-Factor Sudo] Humphrey Boa-Gart
@@ Line 1: / Line 1: @@
 ====== YubiKey ======
-**YubiKey** is a [[gear:security key]] - A hardware-based [[security:2fa|2FA device]] manufactured by **Yubico** to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. They come in a handful of form factors, but the key feature is on all of them: Someone has to be there, in person. to touch the button and release the key, or authentication just doesn't work.
+**YubiKey** is a line of [[gear:security key|security keys]] manufactured by **Yubico**. They are hardware-based [[security:2fa|2FA devices]] designed to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols. They come in a handful of form factors, but the key feature you need is on all of them: Someone has to be there - in person - to touch the button and release the key, or you shall not pass.
+===== Installation =====
+There are a lot of things made for these keys, but the two main packages you are looking for are the cross-platform [[https://www.yubico.com/support/download/yubikey-manager/|YubiKey Manager]] and [[https://www.yubico.com/products/yubico-authenticator/|Yubico Authenticator]].
-{{tag>Gear Security Stubs}}
+  * **YubiKey Manager** is what configures the YubiKey itself.
+  * **Yubico Authenticator** is a [[security:2fa|2FA authentication app]], much like the ones that Google & Microsoft make, except it stores things on the YubiKey itself instead of on your phone.
+===== Advanced Magick =====
+There are all sorts of [[https://www.yubico.com/support/download/|official tools]] for various other things you can bolt your YubiKey into, like your login screen and enterprise networks.
+==== Two-Factor Sudo ====
+In **Linux**, you can use Yubi passwordless authentication on the ''sudo'' and ''su'' commands //(and others)//. You can also use it in 2FA mode, where you will be required to enter your password **and** touch your Yubikey. Instructions for both are outlined below:
+== Install Dependencies ==
+First, make sure the prerequisite PAM packages are installed. On Debian/Ubuntu you can grab them all with apt. You may need to hunt them down yourself on other distros.
+  $ sudo apt install libpam-u2f libpam-yubico pamu2fcfg
+== Setup ==
+  - Plug-in Yubikey and run ''mkdir ~/.config/Yubico''
+  - Type ''pamu2fcfg > ~/.config/Yubico/u2f_keys'' to add your Yubikey to the list of accepted Yubikeys
+    * //(optional)// Register additional keys with: ''pamu2fcfg -n >> ~/.config/Yubico/u2f_keys''
+  - Open the PAM sudo config: ''sudo nano /etc/pam.d/sudo''
+    * **For passwordless sudo:** Add ''auth sufficient pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //before// ''@include common-auth''
+    * **OR for 2FA sudo:** Add ''auth required pam_u2f.so cue [cue_prompt=Tap key to continue...]'' //after// ''@include common-auth''
+  - Save file **//and do not close nano!//**
+  - Confirm the changes work by running ''sudo echo SUCCESS'' in a second terminal window. If it works, you can close nano. If it doesn't work, you did something wrong - Revert your changes to pam.d/sudo and try again.
+You can make these same changes to other PAM configuration files while you are at it. Repeat **Step 3** on ''/etc/pam.d/su'' and ''/etc/pam.d/sudo-i'' to enable Yubikey authentication on those commands as well!
+{{tag>Gear Security}}

User Tools

Site Tools

Differences