I’ve recently had a chance to check out some newer YubiKeys, and decided to make a video about them. In this video, I’ll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.
Using the YubiKey to protect local authentication
Make sure the system is up to date
sudo apt update && sudo apt dist-upgrade
Install the required PAM package
sudo apt install libpam-u2f
Create a directory to store the configuration
mkdir -p ~/.config/Yubico
Associate the YubiKey
pamu2fcfg > ~/.config/Yubico/u2f_keys
Enable the YubiKey for sudo
Open the sudo config file for PAM in an editor:
sudo nano /etc/pam.d/sudo
Underneath the line:
@include common-auth
Add:
auth required pam_u2f.so
Test sudo
In a new terminal, test any command with sudo (make sure the YubiKey is inserted). For example:
sudo apt update
Set up the YubiKey for GDM (the desktop login screen)
Open the gdm-password file in an editor:
sudo nano /etc/pam.d/gdm-password
Underneath the line:
@include common-auth
Add:
auth required pam_u2f.so
Set up the YubiKey to be required for TTY login
Open the PAM login file in an editor:
sudo nano /etc/pam.d/login
Underneath the line:
@include common-auth
Add:
auth required pam_u2f.so
Using the YubiKey to protect remote authentication
Add the required repository
sudo add-apt-repository ppa:yubico/stable
Install the required package
sudo apt install libpam-yubico
Set up the authorized_yubikeys file
sudo nano /etc/ssh/authorized_yubikeys
Add a line for each user, similar to:
jay:<first 12 characters
Get an API key
An API key is required to continue. Visit the following URL to get yours: https://upgrade.yubico.com/getapikey
Edit the sshd file for PAM
sudo vim /etc/pam.d/sshd
Add a line such as the following (This must be the first line in the file):
auth required pam_yubico.so id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys
Replace the <CLIENT ID> and <SECRET> with the details you receive from the API key URL.
Configure OpenSSH
Open the sshd_config file in an editor:
sudo nano /etc/ssh/sshd_config
Look for the ChallengeResponseAuthentication line, uncomment it if necessary, and set it to yes:
ChallengeResponseAuthentication yes
Make sure the UsePAM option is set to yes:
UsePAM yes
Restart OpenSSH:
sudo systemctl restart ssh
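To confirm the edits above landed where the steps say they should, here is an added shell example (not from the original post or video) that audits the PAM files and sshd_config. The function names, the sample tree written by make_sample, and the choice to skip comments and blank lines when judging the "first line" are assumptions; Match blocks and Include files in sshd_config are not evaluated.

```shell
# Added example (not from the original page): audit the settings from the steps above.
# Succeeds if "auth required pam_u2f.so" appears below "@include common-auth".
u2f_after_common_auth() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         $1 == "@include" && $2 == "common-auth" { seen = 1; next }
         seen && $1 == "auth" && $2 == "required" && $3 == "pam_u2f.so" { ok = 1 }
         END { exit !ok }' "$1"
}

# Succeeds if the first active line is "auth required pam_yubico.so ...".
# Assumption: comments and blank lines do not count as the "first line".
yubico_first() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { ok = ($1 == "auth" && $2 == "required" && $3 == "pam_yubico.so"); exit }
         END { exit !ok }' "$1"
}

# Prints a keyword's effective value: case-insensitive, first uncommented line wins.
sshd_option() {
    awk -v key="$2" 'NF == 0 || $1 ~ /^#/ { next }
         tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Checks every file under ROOT (use / for the live system); returns the failure count.
audit() {
    root="${1:-}"; fails=0
    for f in sudo gdm-password login; do
        u2f_after_common_auth "$root/etc/pam.d/$f" ||
            { echo "FAIL pam.d/$f: pam_u2f.so not below common-auth"; fails=$((fails + 1)); }
    done
    yubico_first "$root/etc/pam.d/sshd" ||
        { echo "FAIL pam.d/sshd: pam_yubico.so is not first"; fails=$((fails + 1)); }
    for k in ChallengeResponseAuthentication UsePAM; do
        [ "$(sshd_option "$root/etc/ssh/sshd_config" "$k")" = yes ] ||
            { echo "FAIL sshd_config: $k is not yes"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Writes a constructed, correctly configured sample tree into DIR for a dry run.
make_sample() {
    mkdir -p "$1/etc/pam.d" "$1/etc/ssh"
    for f in sudo gdm-password login; do
        printf '@include common-auth\nauth required pam_u2f.so\n' > "$1/etc/pam.d/$f"
    done
    printf '# sshd\nauth required pam_yubico.so id=1 key=x\n' > "$1/etc/pam.d/sshd"
    printf '#UsePAM no\nChallengeResponseAuthentication yes\nUsePam yes\n' > "$1/etc/ssh/sshd_config"
}

[ -z "${1:-}" ] || audit "$1"  # runs only when a ROOT argument is given
```

Run it against a tree built by make_sample first, then against / while a root shell is still open, so a misplaced PAM line can be fixed before you log out.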
Hello, thanks for your videos; they’ve been a great help learning Linux. I was configuring my new Yubikeys. But also, as you’ve suggested, always add backups. I’ve been able to add backups for everything so far except the PAM step:
pamu2fcfg > ~/.config/Yubico/u2f_keys
When performing this command to sync my keys with the system, it only works on the last key I ran the command on. My first key no longer works to authorize access. Was there possibly an alternate command that would add the backup vs overwrite the original key? Thanks again.
System: Pop OS 21.10
If you use >> instead of >, then it will append rather than overwrite your file.
An updated Yubikey video is very close to being done…
The current edit is around 54 minutes!