Setting up the YubiKey on Ubuntu

I’ve recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I’ll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.

Using the YubiKey to protect local authentication

Make sure the system is up to date

sudo apt update && sudo apt dist-upgrade

Install the required PAM package

sudo apt install libpam-u2f

Create a directory to store the configuration

mkdir -p ~/.config/Yubico

Associate the YubiKey

pamu2fcfg > ~/.config/Yubico/u2f_keys

Enable the YubiKey for sudo

Open the sudo config file for PAM in an editor:

sudo nano /etc/pam.d/sudo

Underneath the line:

@include common-auth

Add:

auth   required    pam_u2f.so

Test sudo

In a new terminal, test any command with sudo (make sure the YubiKey is inserted). Keep the original terminal open so you can undo the change if the test fails. For example:

sudo apt update

Set up the YubiKey for GDM (the desktop login screen)

Open the gdm-password file in an editor:

sudo nano /etc/pam.d/gdm-password

Underneath the line:

@include common-auth

Add:

auth    required    pam_u2f.so

Set up the YubiKey to be required for TTY login

Open the PAM login file in an editor:

sudo nano /etc/pam.d/login

Underneath the line:

@include common-auth

Add:

auth  required    pam_u2f.so

Using the YubiKey to protect remote authentication

Add the required repository

sudo add-apt-repository ppa:yubico/stable

Install the required package

sudo apt install libpam-yubico

Set up the authorized_yubikeys file

sudo nano /etc/ssh/authorized_yubikeys

Add a line for each user, similar to:

jay:<first 12 characters 

Get an API key

An API key is required to continue. Visit the following URL to get yours: https://upgrade.yubico.com/getapikey

Edit the sshd file for PAM

sudo vim /etc/pam.d/sshd

Add a line such as the following (This must be the first line in the file):

auth required pam_yubico.so id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys

Replace the <CLIENT ID> and <SECRET> with the details you receive from the API key URL.

Configure OpenSSH

Open the sshd_config file in an editor:

sudo nano /etc/ssh/sshd_config

Look for the ChallengeResponseAuthentication line, uncomment it if necessary, and set it to yes:

ChallengeResponseAuthentication yes

Make sure the UsePAM option is set to yes:

UsePAM yes

Restart OpenSSH:

sudo systemctl restart ssh
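
To confirm the remote-authentication steps above took effect, here is a read-only audit script. It is an added example, not part of the original article or of Yubico's tooling; the function names are hypothetical, and the default paths are the ones used in this article.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of the SSH + YubiKey settings from this article.
# Function names are hypothetical; default paths are the ones used above.

# The first effective (non-blank, non-comment) rule must be the required
# pam_yubico.so line, with id=, key= and authfile= filled in.
check_pam_sshd() {
    local file="${1:-/etc/pam.d/sshd}" first opt
    first=$(grep -Ev '^[[:space:]]*(#|$)' "$file" | head -n 1)
    if ! printf '%s\n' "$first" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_yubico\.so([[:space:]]|$)'; then
        echo "FAIL: pam_yubico.so is not the first rule in $file"; return 1
    fi
    case $first in
        *'<'*) echo "FAIL: placeholder left in $file"; return 1 ;;
    esac
    for opt in id= key= authfile=; do
        printf '%s\n' "$first" | grep -Eq "(^|[[:space:]])${opt}[^[:space:]]+" ||
            { echo "FAIL: ${opt} missing in $file"; return 1; }
    done
    echo "OK: $file"
}

# sshd uses the first value it reads for a keyword, and keywords are
# case-insensitive. Match blocks and Include files are not followed here.
check_sshd_option() {
    local file="$1" key="$2" want="$3" got
    got=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$file")
    [ "$got" = "$want" ] && return 0
    echo "FAIL: $key is '${got:-unset}' in $file, expected '$want'"
    return 1
}

# Run all three checks; returns non-zero if any of them fails.
audit_ssh_yubikey() {
    local pam="${1:-/etc/pam.d/sshd}" conf="${2:-/etc/ssh/sshd_config}" rc=0
    check_pam_sshd "$pam" || rc=1
    check_sshd_option "$conf" ChallengeResponseAuthentication yes || rc=1
    check_sshd_option "$conf" UsePAM yes || rc=1
    return "$rc"
}
```

Source the file and run audit_ssh_yubikey, keeping an existing SSH session open until a fresh login succeeds. On a live server, sudo sshd -T prints the effective configuration, including settings pulled in through Include files.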
