Revision 24 as of 2021-01-25 15:14:49

Clear message

Passwords

One time passwords Mobile

One time passwords Desktop

Debian cli

Use SSH

Change codes

To use this, it's recommended that you first set your own PIN, PUK and management key on your Yubikey, since the factory defaults are publicly known. To do this, start the GUI, or use the following commands:

ykman piv change-pin
ykman piv change-puk
ykman piv change-management-key

The default codes for a new Yubikey are:

For more info about PIN, PUK, and Management keys, follow this link

Generate certificates

Now make the Yubikey usable for SSH: generate a private key in PIV slot 9a, create a self-signed certificate for it, and export the public key in OpenSSH format.

ykman piv generate-key -a RSA2048 9a pubkey.pem

ykman piv generate-certificate -d 1826 -s "SSH Key" 9a pubkey.pem

ssh-keygen -i -m PKCS8 -f pubkey.pem > pubkey.txt

Configuration

Debian

Make sure yubikey-manager and opensc-pkcs11 are installed:

sudo apt-get install yubikey-manager opensc-pkcs11

Add the following line at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

Archlinux

Add the following line at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/lib/opensc-pkcs11.so

Mac OS X

For macOS there is more to do. Install OpenSC with Homebrew and link the PKCS#11 module to a fixed path:

brew install opensc

sudo ln `brew list opensc |grep lib/opensc-pkcs11.so` /usr/local/lib/opensc-pkcs11.so

Then add the following line at the top of your SSH config file ~/.ssh/config:

PKCS11Provider /usr/local/lib/opensc-pkcs11.so

That is enough to let ssh use the key stored on the Yubikey.
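The three configuration sections above differ only in where opensc-pkcs11.so lives and all want the same PKCS11Provider line at the top of ~/.ssh/config. The script below is an added example, not part of this wiki page or of OpenSC/yubikey-manager: it probes the three module paths given above, writes the provider line idempotently (replacing a stale path instead of adding a second line, and keeping it above any Host block so it applies globally), and sanity-checks a pubkey.txt line from the ssh-keygen step so a PEM file pasted by mistake is caught. The candidate paths are the ones on this page; the function names are this example's own.

```python
import base64
import os
import struct

# Candidate locations of the OpenSC PKCS#11 module, taken from the Debian,
# Arch Linux and macOS sections above.  The first one present on disk wins.
PKCS11_CANDIDATES = [
    "/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so",  # Debian / Ubuntu
    "/usr/lib/opensc-pkcs11.so",                          # Arch Linux
    "/usr/local/lib/opensc-pkcs11.so",                    # macOS (Homebrew link)
]


def choose_provider(candidates=PKCS11_CANDIDATES, exists=os.path.isfile):
    """Return the first candidate module that exists, or None if none does."""
    for path in candidates:
        if exists(path):
            return path
    return None


def _is_provider_line(line):
    # ssh_config keywords are case-insensitive, so match PKCS11Provider loosely.
    words = line.strip().split(None, 1)
    return bool(words) and words[0].lower() == "pkcs11provider"


def ensure_pkcs11_provider(config_text, provider_path):
    """Return config_text with exactly one 'PKCS11Provider <path>' line on top.

    The line has to precede any Host/Match block to apply to every
    connection, which is why the page says "on top".  Existing
    PKCS11Provider lines are dropped first, so a stale path from another
    distro is replaced rather than duplicated and a second run is a no-op.
    """
    kept = [l for l in config_text.splitlines() if not _is_provider_line(l)]
    return "\n".join(["PKCS11Provider " + provider_path] + kept) + "\n"


def write_ssh_config(provider_path, path=None):
    """Rewrite ~/.ssh/config (or `path`) in place with 0700/0600 permissions."""
    path = path or os.path.expanduser("~/.ssh/config")
    existing = ""
    if os.path.exists(path):
        with open(path) as fh:
            existing = fh.read()
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    with open(path, "w") as fh:
        fh.write(ensure_pkcs11_provider(existing, provider_path))
    os.chmod(path, 0o600)


def check_openssh_pubkey(line):
    """Sanity-check one line of pubkey.txt (output of ssh-keygen -i -m PKCS8).

    Returns the key type when the line is '<type> <base64>' and the type
    embedded in the blob matches the prefix; raises ValueError when the line
    is still PEM (the ssh-keygen step was skipped) or the blob is malformed.
    """
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("-----"):
        raise ValueError("not an OpenSSH public key line: %r" % line)
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + length].decode("ascii")
    if embedded != parts[0]:
        raise ValueError("type prefix %r does not match blob type %r" % (parts[0], embedded))
    return embedded


if __name__ == "__main__":
    provider = choose_provider()
    if provider is None:
        raise SystemExit("opensc-pkcs11.so not found; install opensc-pkcs11 (or opensc) first")
    write_ssh_config(provider)
    print("PKCS11Provider", provider)
```

Run it once after installing the packages for your platform; afterwards `ssh-keygen -D <module path> -e` (a standard ssh-keygen option) lists the public keys the token exposes, which should include the one exported to pubkey.txt.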

SSH Agent

To be found out.

Passwordless login

Ubuntu

U2F PAM / Sudo

Debian / Ubuntu

Source: High-Availability Obsession

  1. Install necessary packages
    • sudo apt-get install libpam-u2f pamu2fcfg

  2. Get the config line for the U2F PAM module: plug in your Yubikey, run this command and then touch your key
    • pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`

    • The output should look like username:base64,hex

  3. Install the PAM config
    • In a separate terminal, become root, and keep that shell open until you have verified that sudo still works
    • Put the config line you created in /etc/u2f_mappings
    • If you have multiple keys, repeat step 2, and put the output after the first string, separated by a colon (:)
  4. Setup /etc/sudoers
    • If you want to require the user touching the yubikey for every sudo call (immediate timeout), do the following:
    • As root, run visudo

    • Append ,timestamp_timeout=0 to the Defaults env_reset line

    • Save and exit editor
  5. Setup /etc/pam.d/sudo
    • Edit /etc/pam.d/sudo

    • Put the following line at the top of the file (below the #%PAM-1.0 header line):
    • auth [success=done new_authtok_reqd=done default=die] pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
    • $HOSTNAME is a placeholder: PAM does not expand shell variables, so write the same pam://hostname values that were passed to pamu2fcfg with -o and -i in step 2, otherwise the registered key will not match

    • Save and exit editor.
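Steps 3 and 5 above edit two files by hand, and a malformed /etc/u2f_mappings line or a pam_u2f line placed below the common-auth include silently changes what sudo does. The following script is an added example, not code from this page or from the pam-u2f project: it parses the mappings file in the username:credential[:credential...] shape described in step 3, merges a pamu2fcfg output line into it (appending a second key after a colon, never duplicating one), and checks that pam_u2f.so is the first auth entry in /etc/pam.d/sudo. The file paths are the ones on this page; the assumption that later pamu2fcfg versions append extra comma-separated fields is this example's own, and the sample lines in the usage are constructed.

```python
import os
import re
import sys

# One credential as pamu2fcfg prints it: "<keyhandle base64>,<public key hex>".
# Assumption of this example: newer pamu2fcfg versions append further
# comma-separated fields; they are accepted and kept opaque here.
_CRED = re.compile(r"^([A-Za-z0-9+/=_-]+),([0-9a-fA-F]+)(?:,.*)?$")


def parse_mappings(text):
    """Parse u2f_mappings text into {username: [(keyhandle, pubkey), ...]}.

    Format (step 3 above): one line per user, 'user:cred', with further
    credentials for the same user appended as ':cred'.  A malformed line
    raises ValueError with its line number instead of being skipped, because
    a silently ignored line would lock that user out of sudo.
    """
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        if not user:
            raise ValueError("line %d: missing username" % lineno)
        creds = []
        for cred in rest.split(":"):
            m = _CRED.match(cred)
            if not m:
                raise ValueError("line %d: malformed credential %r" % (lineno, cred))
            creds.append((m.group(1), m.group(2)))
        users[user] = creds
    return users


def add_key(text, pamu2fcfg_line):
    """Merge one pamu2fcfg output line ('user:cred') into the mappings text.

    A new user gets a new line; a known user gets ':cred' appended (the
    multiple-keys case of step 3).  A credential already listed for that
    user is not added a second time.
    """
    user, _, cred = pamu2fcfg_line.strip().partition(":")
    if not user or not _CRED.match(cred):
        raise ValueError("not a pamu2fcfg line: %r" % pamu2fcfg_line)
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        fields = raw.strip().split(":")
        if fields[0] == user:
            if cred in fields[1:]:
                return text
            lines[i] = raw.rstrip() + ":" + cred
            break
    else:
        lines.append(user + ":" + cred)
    return "\n".join(lines) + "\n"


def pam_u2f_line_first(pam_text):
    """True if pam_u2f.so is the first auth entry in /etc/pam.d/sudo text.

    An '@include common-auth' before it would run the password stack first,
    which is not the behaviour step 5 intends.
    """
    for raw in pam_text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0] == "@include":
            return False
        if fields[0] == "auth":
            return "pam_u2f.so" in fields
    return False


if __name__ == "__main__":
    # Usage (as root, with the pamu2fcfg output from step 2 as the argument):
    #   python3 u2f_mappings.py "$(pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`)"
    mappings = "/etc/u2f_mappings"
    current = open(mappings).read() if os.path.exists(mappings) else ""
    updated = add_key(current, sys.argv[1])
    parse_mappings(updated)  # re-validate the whole file before writing it
    with open(mappings, "w") as fh:
        fh.write(updated)
    os.chmod(mappings, 0o644)
    pam_sudo = "/etc/pam.d/sudo"
    if os.path.exists(pam_sudo):
        with open(pam_sudo) as fh:
            print("pam_u2f.so is the first auth entry:", pam_u2f_line_first(fh.read()))
```

Run pamu2fcfg as the user being enrolled (so `whoami` is that user), then run the script as root with its output as the argument; repeat for each additional key and verify sudo from a second terminal before closing the root shell.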

Disk Encryption

LUKS

Source

LUKS is the standard for Linux disk encryption and can easily be set up while installing a system, e.g. with the Debian installer. During LUKS setup, set a 'normal' passphrase; keep it as a backup for when you lose your Yubikey. Furthermore, the following installation has to be executed on the running system, so you'll need the passphrase to unlock the disk before continuing.

More information


CategoryHardware