Using YubiKeys for your linux system
You can use your Yubikey 4 or 5 for the rest of the tutorial.
If you require the Yubikey to be present to unlock your computer, then an attacker needs not only your password but also physical access to your Yubikey.
Install the required packages
$ sudo dnf install ykclient* ykpers* pam_yubico*
Getting the Yubikey(s) ready
Connect the Yubikey to your system and check that it is detected.
$ ykinfo -v
version: 5.2.7
If the system can not find the Yubikey, then it will show the following error.
Yubikey core error: no yubikey present
Then, for each Yubikey, we have to run the following command once:
$ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
Firmware version 4.2.7 Touch level 517 Program sequence 1
Configuration data to be written to key configuration 2:

fixed: m:
uid: n/a
key: h:9d97972ff90267d7cff02b49d41f85a68325805c
acc_code: h:000000000000
OATH IMF: h:0
ticket_flags: CHAL_RESP
config_flags: CHAL_HMAC|HMAC_LT64|CHAL_BTN_TRIG
extended_flags: SERIAL_API_VISIBLE

Commit? (y/n) [n]: y
Here we are configuring slot 2 in challenge-response mode with HMAC-SHA1, allowing challenges shorter than 64 bytes (HMAC_LT64), requiring a human to touch the physical key before it answers (CHAL_BTN_TRIG), and making the serial number visible over the API (pam_yubico uses it to name the per-key challenge file). The key: line is the randomly generated HMAC secret that gets written to the slot; anyone who has it can compute the same responses, so treat it like a password and re-run the command to generate a fresh one if it has been exposed.
$ ykpamcfg -2 -v
debug: util.c:219 (check_firmware_version): YubiKey Firmware version: 5.2.7
Sending 63 bytes HMAC challenge to slot 2
Sending 63 bytes HMAC challenge to slot 2
Stored initial challenge and expected response in '/home/kdas/.yubico/challenge-16038846'.
Remember to touch the key button twice, once for each 63-byte challenge the command sends; the LED on the key blinks while it waits for the touch.
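To make clear what the slot configured above actually does, here is a small simulation of the scheme, written for this page and not part of the original post or of the pam_yubico project: the slot holds a 20-byte secret, a challenge is answered with HMAC-SHA1(secret, challenge), and the PAM side keeps the next challenge plus the response it expects (which is what ykpamcfg stored in the challenge file), verifies it at login and then rotates to a fresh challenge so that a captured response cannot be replayed. The class names, the touch counter and the 63-byte challenge length are assumptions of this example; a real key never reveals its secret.

```python
import hashlib
import hmac
import secrets

SLOT_KEY_LEN = 20      # an HMAC-SHA1 slot holds a 20-byte secret
MAX_CHALLENGE = 63     # ykpamcfg above sent 63-byte challenges (HMAC_LT64 mode)


def hmac_sha1(secret: bytes, challenge: bytes) -> bytes:
    """The response a challenge-response slot computes for a challenge."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


class FakeYubiKeySlot:
    """Stand-in for slot 2 in chal-resp/HMAC-SHA1 mode (simulation only;
    on a real key the secret stays inside the hardware)."""

    def __init__(self, secret: bytes, button_required: bool = True):
        if len(secret) != SLOT_KEY_LEN:
            raise ValueError("slot secret must be 20 bytes")
        self._secret = secret
        self.button_required = button_required   # CHAL_BTN_TRIG flag
        self.touches = 0                         # how often a human had to touch

    def challenge_response(self, challenge: bytes, touched: bool = True) -> bytes:
        if not 1 <= len(challenge) <= MAX_CHALLENGE:
            raise ValueError("challenge must be 1..63 bytes")
        if self.button_required and not touched:
            raise TimeoutError("key was not touched")
        self.touches += 1
        return hmac_sha1(self._secret, challenge)


class ChallengeStore:
    """Mirrors what the PAM side keeps per key: the next challenge to send
    and the response it expects for it."""

    def __init__(self):
        self.challenge = None
        self.expected = None

    def init(self, key: FakeYubiKeySlot, touched: bool = True) -> None:
        """What `ykpamcfg -2` does: pick a random challenge, ask the key for
        the answer, store both."""
        self.challenge = secrets.token_bytes(MAX_CHALLENGE)
        self.expected = key.challenge_response(self.challenge, touched=touched)

    def check_raw(self, response: bytes) -> bool:
        """Compare a response against the stored one without rotating
        (models an attacker submitting a captured response)."""
        return hmac.compare_digest(response, self.expected)

    def authenticate(self, key: FakeYubiKeySlot, touched: bool = True) -> bool:
        """Login-time check: send the stored challenge, compare in constant
        time, then rotate to a fresh challenge (a second touch in this model)."""
        try:
            response = key.challenge_response(self.challenge, touched=touched)
        except TimeoutError:
            return False
        if not self.check_raw(response):
            return False
        self.init(key, touched=touched)
        return True


def demo() -> dict:
    """Walk through enrolment, a good login, a replay and a wrong key."""
    key = FakeYubiKeySlot(secrets.token_bytes(SLOT_KEY_LEN))
    store = ChallengeStore()
    store.init(key)
    captured = key.challenge_response(store.challenge)   # attacker sniffed this
    first_login = store.authenticate(key)
    replay = store.check_raw(captured)                   # stale after rotation
    untouched = store.authenticate(key, touched=False)
    wrong_key = store.authenticate(FakeYubiKeySlot(secrets.token_bytes(SLOT_KEY_LEN)))
    return {"first_login": first_login, "replay": replay,
            "untouched": untouched, "wrong_key": wrong_key,
            "touches": key.touches}
```

The point of the rotation in `authenticate` is visible in `demo`: the response sniffed from the USB bus before the login is worthless afterwards, and neither an untouched key nor a key with a different secret gets through.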
Setting up GDM
Now we can require that the Yubikey be present during login: after touching the key, one still has to type in the password. For a lower-security setting, either the Yubikey or the password alone is enough to log in.
For the first scenario, add the following line to the GDM PAM configuration file, just above the
auth substack password-auth line.
auth required pam_yubico.so mode=challenge-response
If you want either the password or the Yubikey to work on its own, then replace
Verify the setup
You will have to log out of GNOME; when you click your username to log back in, you will notice that the Yubikey is blinking. Touch it, then enter your password to complete the login.
To set up sudo
Similar configuration changes have to be made in the PAM configuration file for sudo. But remember to keep a working sudo session open in one terminal while you test the sudo command in another one, just in case :)
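Editing PAM files by hand is where people lock themselves out, for GDM and sudo alike. The helper below is an added example for this page, not code from the original post or from pam_yubico: it refuses to touch a PAM file unless a ~/.yubico/challenge-* file exists for the user (i.e. ykpamcfg has been run), keeps a backup, inserts the pam_yubico line exactly once above the anchor line, and refuses to guess if the anchor is absent. The default anchor is the auth substack password-auth line from the GDM section above; the sudo file may use a different line, so pass it explicitly. Both control values are supported: required (password and key) and sufficient (in PAM, a successful sufficient module ends the auth stack, so either the key or the password suffices). The sample PAM content, the serial number used for the placeholder challenge file, and all function names are constructed for the example.

```python
import tempfile
from pathlib import Path

YUBICO_LINE = "auth {control} pam_yubico.so mode=challenge-response"
DEFAULT_ANCHOR = "auth substack password-auth"   # anchor named in the GDM section

# Constructed stand-in for a PAM file; not a copy of any distribution's file.
SAMPLE_PAM = (
    "auth     substack      password-auth\n"
    "auth     optional      pam_gnome_keyring.so\n"
)


def challenge_file_present(home: Path) -> bool:
    """True if ykpamcfg has stored a challenge for this user."""
    yubico_dir = home / ".yubico"
    return yubico_dir.is_dir() and any(yubico_dir.glob("challenge-*"))


def render_pam(text: str, control: str = "required",
               anchor: str = DEFAULT_ANCHOR) -> str:
    """Return the PAM file content with the pam_yubico line inserted
    directly above the anchor line (whitespace-insensitive match)."""
    if control not in ("required", "sufficient"):
        raise ValueError("control must be 'required' or 'sufficient'")
    lines = text.splitlines()
    if any("pam_yubico.so" in ln for ln in lines):
        raise ValueError("pam_yubico.so is already configured in this file")
    out, inserted = [], False
    for ln in lines:
        if not inserted and ln.split() == anchor.split():
            out.append(YUBICO_LINE.format(control=control))
            inserted = True
        out.append(ln)
    if not inserted:
        raise ValueError(f"anchor line {anchor!r} not found; refusing to guess")
    return "\n".join(out) + "\n"


def install(pam_file: Path, home: Path, control: str = "required",
            anchor: str = DEFAULT_ANCHOR) -> Path:
    """Preflight, back up, rewrite. Returns the backup path."""
    if not challenge_file_present(home):
        raise RuntimeError("no ~/.yubico/challenge-* file; run `ykpamcfg -2` first")
    original = pam_file.read_text()
    backup = pam_file.with_name(pam_file.name + ".bak")
    backup.write_text(original)
    pam_file.write_text(render_pam(original, control, anchor))
    return backup


def demo(control: str = "required") -> dict:
    """Run the whole flow against a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        home = root / "home"
        (home / ".yubico").mkdir(parents=True)
        pam = root / "gdm-password"
        pam.write_text(SAMPLE_PAM)
        try:                                   # no challenge file yet
            install(pam, home, control)
            refused = False
        except RuntimeError:
            refused = True
        # constructed placeholder for what ykpamcfg would have written
        (home / ".yubico" / "challenge-16038846").write_text("placeholder\n")
        backup = install(pam, home, control)
        return {"refused_without_challenge": refused,
                "backup_intact": backup.read_text() == SAMPLE_PAM,
                "result": pam.read_text()}
```

Run `demo()` before pointing `install` at a real file, and keep the terminal with the open sudo session that the text recommends: if the key does not answer, the .bak file is the way back.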
To learn more about the PAM configuration, read