Yubikey: Difference between revisions

m Improved formatting
Line 20: Line 20:
=== pam_u2f ===
=== pam_u2f ===


The `pam_u2f` module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.  
The <code>pam_u2f</code> module implements the U2F (universal second factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open-standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol making this the preferred way to use Yubikeys for user login.  


Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
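Review bot: the rewritten paragraph keeps two wording slips that this formatting pass could fix in the same edit: "open-standard" should be "open standard" (no hyphen when used as a noun), and "support the U2F protocol making this the preferred way" needs a comma before "making". Suggested: `All current and most legacy Yubikeys support the U2F protocol, making this the preferred way to use Yubikeys for user login.`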
Line 26: Line 26:
1. Connect your Yubikey
1. Connect your Yubikey


2. Create an authorization mapping file for your user. The authorization mapping file is like `~/.ssh/known_hosts` but for Yubikeys.
2. Create an authorization mapping file for your user. The authorization mapping file is like <code>~/.ssh/known_hosts</code> but for Yubikeys.


# <code>nix-shell -p pam_u2f</code>
# <code>nix-shell -p pam_u2f</code>
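Review bot: the analogy in step 2 points at the wrong SSH file. `~/.ssh/known_hosts` records the host keys of servers a client has connected to, whereas a per-user file listing the credentials permitted to log that user in, which is what the U2F mapping file is, corresponds to `~/.ssh/authorized_keys`. Suggested: `The authorization mapping file is like <code>~/.ssh/authorized_keys</code> but for Yubikeys.`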
Line 34: Line 34:




3. Verify that `~/.config/Yubico/u2f_keys` contains one line in the following style:
3. Verify that <code>~/.config/Yubico/u2f_keys</code> contains one line in the following style:


<syntaxHighlight>
<syntaxHighlight>
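Review bot: the `<syntaxHighlight>` opening tag at the end of this hunk carries no `lang=` attribute, while the block at the end of this same diff is written `<syntaxHighlight lang=nix>`; for consistency tag this one as well, e.g. `<syntaxHighlight lang=text>`, since the u2f_keys line is plain text. While here, "contains one line in the following style" would read more naturally as "contains one line of the following form".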
Line 58: Line 58:
=== yubico-pam ===
=== yubico-pam ===


The `yubico-pam` module uses a OTP (one time password) challenge response to authenticate users.
The <code>yubico-pam</code> module uses a OTP (one time password) challenge response to authenticate users.


Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
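Review bot: "a OTP" should be "an OTP" (the abbreviation is read letter by letter), and "one time password" is conventionally hyphenated when it modifies a noun. Suggested: `The <code>yubico-pam</code> module uses an OTP (one-time password) challenge response to authenticate users.`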
Line 68: Line 68:
to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>
to get the serial code and enter it into <code>yubico.id = [ "12345678" ];</code>


'''WARNING, ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!'''
{{warning|1 Ignoring step 1 is considered insecure, any user could just plugin a yubikey and gain root access!}}


'''2.)'''<syntaxHighlight lang=nix>
'''2.)'''<syntaxHighlight lang=nix>
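Review bot: the new `{{warning|...}}` call appears to have a stray `1 ` at the start of its argument: MediaWiki's explicit-parameter syntax is `1=`, so as written the box will render beginning with "1 Ignoring step 1 ...". Either drop the prefix or write `1=`, and fix the verb form and comma splice in the same edit: `{{warning|Ignoring step 1 is considered insecure: any user could just plug in a Yubikey and gain root access!}}` ("plugin" is the noun; the verb is "plug in", and "Yubikey" is capitalised elsewhere on the page). The bold `'''2.)'''` label glued to the `<syntaxHighlight lang=nix>` tag on the last line would also read better on its own line before the block.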