Yubikey: Difference between revisions
Revision by Riotbib (minor edit): Remove irrelevant space characters
Revision by Friedow: No edit summary
== Logging-in ==
To use your Yubikey for user login or for sudo access you'll have to install a PAM (Pluggable Authentication Module) for your Yubikey.
=== pam_u2f ===
The `pam_u2f` module implements the U2F (Universal Second Factor) protocol. The protocol was initially developed by Yubico, Google and NXP and is nowadays hosted as an open standard by the FIDO Alliance. All current and most legacy Yubikeys support the U2F protocol, making this the preferred way to use Yubikeys for user login.
Use this page to check whether your Yubikey supports '''FIDO U2F''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
1. Connect your Yubikey
2. Create an authorization mapping file for your user. The authorization mapping file is like `~/.ssh/known_hosts` but for Yubikeys.
# <code>nix-shell -p pam_u2f</code>
# <code>mkdir -p ~/.config/Yubico</code>
# <code>pamu2fcfg > ~/.config/Yubico/u2f_keys</code>
3. Verify that `~/.config/Yubico/u2f_keys` contains one line in the following style:
# <code><username>:<KeyHandle1>,<UserKey1>,<CoseType1>,<Options1>:<KeyHandle2>,<UserKey2>,<CoseType2>,<Options2>:...</code>
4. Enable the u2f PAM module for login and sudo requests
<syntaxHighlight lang=nix>
security.pam.services = {
  login.u2fAuth = true;
  sudo.u2fAuth = true;
};
</syntaxHighlight>
PAM U2F Docs: https://developers.yubico.com/pam-u2f/
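As an added check for step 3 (example code written for this page, not part of the wiki or of pam_u2f), the following validator parses the body of `u2f_keys` against the `username:KeyHandle,UserKey,CoseType,Options:...` layout and reports what would make PAM reject the file: more than one line, a mapping generated as a different user than the one logging in, or a credential with the wrong field count. The sample line, the accepted CoseType names and the option flag names are assumptions for the example.

```python
import re

# Constructed sample of the single mapping line pamu2fcfg writes; the key
# material is made up and is not a real credential.
SAMPLE_U2F_KEYS = (
    "alice:kh1_AbCd,pk1_EfGh,es256,+presence"
    ":kh2_IjKl,pk2_MnOp,es256,+presence+pin\n"
)

# Assumed accepted values: es256 and +presence are what pamu2fcfg emits by
# default; extend these sets if your pam_u2f version supports more.
KNOWN_COSE_TYPES = {"es256", "eddsa", "rs256"}
KNOWN_FLAGS = {"presence", "pin", "verification"}
B64URL = re.compile(r"^[A-Za-z0-9_=-]+$")
FLAG = re.compile(r"[+-][a-z]+")


def validate_u2f_keys(text, expected_user):
    """Check a u2f_keys file body against the format shown in step 3.

    Returns (credentials, problems): credentials is a list of
    (key_handle, user_key, cose_type, flags) tuples, problems a list of
    findings. An empty problems list means the file is usable for login.
    """
    problems, creds = [], []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:
        return creds, [f"expected exactly one mapping line, found {len(lines)}"]
    user, *entries = lines[0].split(":")
    if user != expected_user:
        problems.append(f"mapping belongs to {user!r}, not login user {expected_user!r}")
    if not entries:
        problems.append("no credentials registered")
    for n, entry in enumerate(entries, 1):
        fields = entry.split(",")
        if len(fields) != 4:
            problems.append(f"credential {n}: expected KeyHandle,UserKey,CoseType,Options")
            continue
        key_handle, user_key, cose_type, options = fields
        if not (B64URL.match(key_handle) and B64URL.match(user_key)):
            problems.append(f"credential {n}: KeyHandle/UserKey are not base64url")
        if cose_type not in KNOWN_COSE_TYPES:
            problems.append(f"credential {n}: unknown CoseType {cose_type!r}")
        # Options is one field of concatenated flags such as "+presence+pin".
        flags = tuple(FLAG.findall(options))
        if "".join(flags) != options or any(f[1:] not in KNOWN_FLAGS for f in flags):
            problems.append(f"credential {n}: malformed Options {options!r}")
        creds.append((key_handle, user_key, cose_type, flags))
    return creds, problems


if __name__ == "__main__":
    creds, problems = validate_u2f_keys(SAMPLE_U2F_KEYS, "alice")
    print(f"{len(creds)} credential(s) registered; problems: {problems or 'none'}")
```

Run it against the real file with the name you log in as (for example `validate_u2f_keys(open(path).read(), os.getlogin())`) before enabling `u2fAuth`, so a mismatch is caught before it locks you out of sudo.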
=== yubico-pam ===
The `yubico-pam` module uses an OTP (one time password) challenge-response to authenticate users.
Use this page to check whether your Yubikey supports '''Yubico OTP''' before starting: https://www.yubico.com/products/identifying-your-yubikey/
You can enable challenge-response logins with: