Setting up the YubiKey on Ubuntu

I’ve recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I’ll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.

YouTube player

Using the YubiKey to protect local authentication

Make sure up to date

 sudo apt update && sudo apt dist-upgrade

Install the required PAM package

sudo apt install libpam-u2f

Create a directory to store the configuration

 mkdir -p ~/.config/Yubico

Associate the yubikey

pamu2fcfg > ~/.config/Yubico/u2f_keys

Enable the YubiKey for sudo

Open the sudo config file for PAM in an editor:

sudo nano /etc/pam.d/sudo

Underneath the line:

@include common-auth


auth   required

Test sudo

In a new terminal, test any command with sudo (make sure the yubikey is inserted). For example:

sudo apt update

Set up the YubiKey for GDM (the desktop login screen)

Open the gdm-password file in an editor:

sudo nano /etc/pam.d/gdm-password

Underneath the line:

 @include common-auth


auth    required

Set up Yubikey to be required for TTY login

Open the PAM login file in an editor:

sudo nano /etc/pam.d/login

Underneath the line:

@include common-auth


auth  required

Using the YubiKey to protect remote authentication

Add the required repository

 sudo add-apt-repository ppa:yubico/stable

Install the required package

sudo apt install libpam-yubico

Set up the authorized_yubikeys file

sudo nano /etc/ssh/authorized_yubikeys

Add a line for each users, similar to:

jay:<first 12 characters 

Get an API key

An API key is required to continue. Visit the following URL to get yours:

Edit the sshd file for PAM

 sudo vim /etc/pam.d/sshd

Add a line such as the following (This must be the first line in the file):

auth required id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys

Replace the <CLIENT ID> and <SECRET> with the details you receive from the API key URL.

Configure OpenSSH

Open the sshd_config file in an editor:

sudo nano /etc/ssh/sshd_config

Look for the ChallengeResponseAuthentication line, uncomment it if necessary, and set it to yes:

ChallengeResponseAuthentication yes

Make sure the UsePAM option is set to yes:

UsePam yes

Restart OpenSSH:

sudo systemctl restart ssh

Notable Replies

  1. Hello, Thanks for your videos they’ve been a great help learning Linux. I was configuring my new Yubikeys. But also as you’ve suggested always add backups. I’ve been able to add backups for everything so far except the PAM step:

    pamu2fcfg > ~/.config/Yubico/u2f_keys

    When performing this command to sink my keys with the system it only works on the last key I ran the command on. My first key no longer works to authorize access. Was there possibly an alternate command that would add the backup vs overwrite the original key? Thanks again.

    System: Pop OS 21.10

  2. If you use >> instead of >, then it will append rather than overwrite your file.

  3. Avatar for jay jay says:

    An updated Yubikey video is very close to being done…

    The current edit is around 54 minutes!

Continue the discussion at

2 more replies


Avatar for Buffy Avatar for configure7918 Avatar for system Avatar for Emmanuel Avatar for jay