Differences between revisions 19 and 22 (spanning 3 versions)
Revision 19 as of 2021-01-25 14:25:01
Size: 4355
Editor: Burathar
Comment:
Revision 22 as of 2021-01-25 14:48:33
Size: 4787
Editor: Burathar
Comment:

Passwords

One time passwords Mobile

  • Download the 'authenticator' app from the App Store or Play Store.
  • Insert your Yubikey into your phone.
  • At the top right, tap the + sign.
  • Add your OTP key.

One time passwords Desktop

  • Download the 'authenticator' app from the website.
  • Insert your Yubikey into your computer.
  • At the top right, tap the + sign.
  • Add your OTP key.

Debian cli

  • Make sure yubikey-manager is installed (apt-get install yubikey-manager).
  • Insert your Yubikey into your computer.
  • In a terminal, run ykman oath list to list all credentials present on the key.
  • To generate a code, run ykman oath code <credentialname> (put the name in quotes if it contains a space) and touch your key.

Use SSH

Change codes

To use this, it's recommended to set a PIN, a PUK and a management key on your Yubikey. To do so, start the GUI or use the following commands:

ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key

The default codes for a new Yubikey are:

  • PIN: 123456
  • PUK: 12345678
  • Management: 010203040506070801020304050607080102030405060708

For more info about PIN, PUK, and Management keys, follow this link

Generate certificates

Now make the Yubikey usable for SSH: generate the private key, the certificate and the public SSH key.

  • Generate a private key (EC will not work at the moment):

ykman piv generate-key -a RSA2048 9a pubkey.pem

  • Generate a certificate:

ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem

  • Convert the public key (pubkey.pem) to an OpenSSH public key:

ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt

Configuration

Debian

Make sure yubikey-manager and opensc-pkcs11 are installed:

sudo apt-get install yubikey-manager opensc-pkcs11

Add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

Archlinux

Add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/opensc-pkcs11.so

Mac OS X

For macOS there is more to do:

  • Make sure Homebrew (brew) is installed.
  • Install opensc:

brew install opensc

  • Link the right library:

sudo ln `brew list opensc | grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so

  • And add at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/local/lib/opensc-pkcs11.so

That is enough to make SSH with the Yubikey work.
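The Debian, Arch Linux and macOS instructions above all come down to one line at the top of ~/.ssh/config, pointing at whichever opensc-pkcs11.so the platform has. As an added example (not from the wiki page or from OpenSC), the POSIX sh script below picks the first of the three library paths listed above that actually exists and prepends the PKCS11Provider line only if no such line is present yet, so running it twice does not leave a duplicate. The function names, the optional root argument (used for the demo) and the throwaway demo directory are assumptions of this example; the library paths are the ones given above.

```shell
#!/bin/sh
# Added example, not from the wiki page or from OpenSC: find the opensc-pkcs11
# library for this platform and put a PKCS11Provider line at the top of an SSH
# config file exactly once. Function names, the optional root argument and the
# demo directory are assumptions of this example.

# The three library locations the page lists (Debian, Arch Linux, macOS/brew).
PKCS11_CANDIDATES="/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
/usr/lib/opensc-pkcs11.so
/usr/local/lib/opensc-pkcs11.so"

# find_pkcs11_lib [root]: print the first candidate that exists as a regular
# file under $root ("" means the real filesystem; a root is handy for tests).
find_pkcs11_lib() {
    root="${1:-}"
    for cand in $PKCS11_CANDIDATES; do
        if [ -f "$root$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# add_pkcs11_provider <config> <library>: prepend "PKCS11Provider <library>"
# unless the config already has a PKCS11Provider line (keywords are
# case-insensitive in ssh_config, hence grep -i). Prepending keeps the line
# outside any "Host" block, so it applies to every host, which is what the
# page means by "add on top". Returns 0 when added, 2 when already present.
add_pkcs11_provider() {
    cfg="$1"
    lib="$2"
    [ -f "$cfg" ] || : > "$cfg"
    if grep -qi '^[[:space:]]*PKCS11Provider[[:space:]]' "$cfg"; then
        return 2
    fi
    tmp="$cfg.tmp.$$"
    { printf 'PKCS11Provider %s\n' "$lib"; cat "$cfg"; } > "$tmp"
    mv "$tmp" "$cfg"
    chmod 600 "$cfg"          # ssh rejects a user config that others can write
    return 0
}

# count_pkcs11_lines <config>: number of PKCS11Provider lines in the file.
count_pkcs11_lines() {
    grep -ci '^[[:space:]]*PKCS11Provider[[:space:]]' "$1" || true
}

# Demo on a throwaway directory so the real ~/.ssh/config is never touched.
# The "Arch box" below is constructed: an empty file stands in for the library.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/lib"
    : > "$d/usr/lib/opensc-pkcs11.so"
    lib=$(find_pkcs11_lib "$d") || { echo "no opensc-pkcs11.so found"; return 1; }
    add_pkcs11_provider "$d/config" "$lib"
    add_pkcs11_provider "$d/config" "$lib" || echo "second run: already present (rc=$?)"
    cat "$d/config"
    rm -rf "$d"
}
demo
```

To use it on a real machine, call find_pkcs11_lib with no argument and pass ~/.ssh/config to add_pkcs11_provider; the grep check is what keeps the config from collecting one PKCS11Provider line per run.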

SSH Agent

Not yet documented.

Passwordless login

Ubuntu

U2F PAM / Sudo

Debian / Ubuntu

Source: High-Availability Obsession (https://www.ha-obsession.net/2017/05/u2f-sudo-fedora-25.html?m=1)

  1. Install the necessary packages:

    sudo apt-get install libpam-u2f pamu2fcfg

  2. Get the config line for the U2F PAM module. Plug in your Yubikey, run this command and then touch your key (the backticks run whoami and hostname, so your user name and host name are filled in):

    pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`

Disk Encryption

LUKS

Source

LUKS is the standard for Linux disk encryption and can easily be set up while installing a system, e.g. with the Debian installer. During LUKS setup, set a 'normal' passphrase; this serves as a backup for when you lose your Yubikey. Furthermore, the following steps have to be executed on the running system, so you need the passphrase to unlock the disk before continuing.

  • The following method has been tested on Debian 4.19 with a Yubikey NEO.
  • Run sudo fdisk -l | grep crypt to see on which partition your LUKS container lives. If it returns something like /dev/mapper/sda5_crypt, the partition is sda5.
  • Run sudo cryptsetup luksDump /dev/[partition] to check which key slots are in use. Usually only slot 0 will be in use.
  • Install yubikey-luks by running sudo apt-get install yubikey-luks.
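The two checks in the list above (which partition holds the container, and which key slots are in use) are easy to get wrong by hand, and putting the Yubikey into slot 0 would replace the backup passphrase the text says to keep. As an added example, not from the wiki page or from the yubikey-luks project, the POSIX sh script below parses constructed fdisk and luksDump output to derive the partition name, the slots in use and the first free slot; it handles both the LUKS1 and the LUKS2 header layout, which goes beyond the single case shown above. The function names and the sample texts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the wiki page or from cryptsetup: helpers for the
# two checks the LUKS section asks for, exercised on constructed sample output
# so the script runs without root or a real LUKS container. Function names and
# the sample texts are assumptions of this example; on a real system you would
# feed the helpers the output of "sudo fdisk -l" and
# "sudo cryptsetup luksDump /dev/<partition>".

# crypt_partition <mapper-device>: "/dev/mapper/sda5_crypt" -> "sda5", i.e. the
# partition name the page says to pass to luksDump.
crypt_partition() {
    name="${1##*/}"              # drop the /dev/mapper/ prefix
    printf '%s\n' "${name%_crypt}"
}

# crypt_partition_from_fdisk <text>: find the first /dev/mapper/*_crypt device
# in "fdisk -l" output and reduce it to the partition name.
crypt_partition_from_fdisk() {
    dev=$(printf '%s\n' "$1" | awk '/\/dev\/mapper\/.*_crypt/ { print $2; exit }' | tr -d ':')
    [ -n "$dev" ] || return 1
    crypt_partition "$dev"
}

# luks_used_slots <luksDump-text>: print the numbers of the key slots in use,
# one per line. Understands both header layouts cryptsetup prints:
# LUKS1 ("Key Slot N: ENABLED") and LUKS2 (a "Keyslots:" block with "  N: luks2").
luks_used_slots() {
    printf '%s\n' "$1" | awk '
        /^Key Slot [0-9]+: ENABLED/ { sub(/:$/, "", $3); print $3 }
        /^Keyslots:/                { in_slots = 1; next }
        /^[A-Za-z]/                 { in_slots = 0 }
        in_slots && /^  [0-9]+: /   { sub(/:$/, "", $1); print $1 }
    '
}

# luks_free_slot <luksDump-text>: first slot among 0..7 that is not in use.
# Slot 0 normally holds the passphrase set during installation, which the page
# says to keep as the backup, so the Yubikey should go into a free slot rather
# than overwrite it. Prints nothing and returns 1 if slots 0..7 are all taken.
luks_free_slot() {
    for n in 0 1 2 3 4 5 6 7; do
        if ! luks_used_slots "$1" | grep -qx "$n"; then
            printf '%s\n' "$n"
            return 0
        fi
    done
    return 1
}

# Constructed sample of "sudo fdisk -l | grep crypt" on a Debian-installer laptop.
SAMPLE_FDISK_CRYPT='Disk /dev/mapper/sda5_crypt: 465.5 GiB, 499848052736 bytes, 976265728 sectors'

# Constructed sample of "sudo cryptsetup luksDump /dev/sda5" (LUKS1 layout),
# with only slot 0, the installer passphrase, in use.
SAMPLE_LUKSDUMP='LUKS header information for /dev/sda5

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
Payload offset: 4096
MK bits:        512
Key Slot 0: ENABLED
        Iterations:             1234567
        Salt:                   00 11 22 33 44 55 66 77
Key Slot 1: DISABLED
Key Slot 2: DISABLED
Key Slot 3: DISABLED
Key Slot 4: DISABLED
Key Slot 5: DISABLED
Key Slot 6: DISABLED
Key Slot 7: DISABLED'

printf 'LUKS partition:  %s\n' "$(crypt_partition_from_fdisk "$SAMPLE_FDISK_CRYPT")"
printf 'slots in use:    %s\n' "$(luks_used_slots "$SAMPLE_LUKSDUMP" | tr '\n' ' ')"
printf 'first free slot: %s\n' "$(luks_free_slot "$SAMPLE_LUKSDUMP")"
```

On the sample this prints sda5, slot 0 in use and slot 1 as the first free one, matching the "usually only slot 0" remark above; on a real system replace the sample variables with the output of the two sudo commands.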

More information


CategoryHardware

Howto/Yubikey (last edited 2022-04-17 20:23:30 by Sciuro)