Setting up the YubiKey on Ubuntu

From LearnLinux.tv Wiki
Revision as of 09:31, 27 October 2020 by Jay

Overview

I've recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I'll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.

Relevant Links
Original Video
Yubico documentation for the YubiKey

Using the YubiKey to protect local authentication

Make sure the system is up to date

 sudo apt update && sudo apt dist-upgrade

Install the required PAM package

 sudo apt install libpam-u2f

Create a directory to store the configuration

 mkdir -p ~/.config/Yubico

Associate the YubiKey

 pamu2fcfg > ~/.config/Yubico/u2f_keys

Enable the YubiKey for sudo

Open the sudo config file for PAM in an editor:

 sudo nano /etc/pam.d/sudo

Underneath the line:

 @include common-auth

Add:

 auth   required    pam_u2f.so

Test sudo

In a new terminal, test any command with sudo (make sure the YubiKey is inserted). For example:

 sudo apt update

Set up the YubiKey for GDM (the desktop login screen)

Open the gdm-password file in an editor:

 sudo nano /etc/pam.d/gdm-password

Underneath the line:

 @include common-auth

Add:

 auth    required    pam_u2f.so

Set up the YubiKey to be required for TTY login

Open the PAM login file in an editor:

 sudo nano /etc/pam.d/login

Underneath the line:

 @include common-auth

Add:

 auth  required    pam_u2f.so


Using the YubiKey to protect remote authentication

Add the required repository

 sudo add-apt-repository ppa:yubico/stable

Install the required package

 sudo apt install libpam-yubico

Set up the authorized_yubikeys file

 sudo nano /etc/ssh/authorized_yubikeys

Add a line for each user, similar to:

 jay:<first 12 characters 

Get an API key

An API key is required to continue. Visit the following URL to get yours: https://upgrade.yubico.com/getapikey

Edit the sshd file for PAM

 sudo vim /etc/pam.d/sshd

Add a line such as the following (this must be the first line in the file):

 auth required pam_yubico.so id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys

Replace <CLIENT ID> and <SECRET> with the details you receive from the API key URL.

Configure OpenSSH

Open the sshd_config file in an editor:

 sudo nano /etc/ssh/sshd_config

Look for the ChallengeResponseAuthentication line, uncomment it if necessary, and set it to yes:

 ChallengeResponseAuthentication yes

Make sure the UsePAM option is set to yes:

 UsePAM yes

Restart OpenSSH:

 sudo systemctl restart ssh
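
The following script is an added example, not part of the original wiki page or of Yubico's tooling. It audits the edits made in both the local and the remote sections above: that pam_u2f.so comes after common-auth, that pam_yubico.so is the first active line in the sshd PAM file, and that the first value sshd reads for each option is yes. The function names and the ROOT argument are hypothetical, and the sshd check assumes whitespace-separated options and does not follow Include directives.

```sh
#!/bin/sh
# Added example: audit the PAM and sshd settings described in this guide.
# Function names and the ROOT argument are hypothetical helpers.

# Succeeds only if an active "auth required pam_u2f.so" line comes after
# "@include common-auth" in PAM file $1.
pam_u2f_after_common_auth() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         $1 == "@include" && $2 == "common-auth" { seen = 1; next }
         seen && $1 == "auth" && $2 == "required" && $3 == "pam_u2f.so" { ok = 1 }
         END { exit !ok }' "$1" 2>/dev/null
}

# Succeeds only if the first active line of PAM file $1 is the pam_yubico
# line and it carries id=, key= and authfile= arguments.
pam_yubico_first() {
    awk '$1 ~ /^#/ || NF == 0 { next }
         { ok = ($1 == "auth" && $2 == "required" && $3 == "pam_yubico.so" &&
                 $0 ~ /[ \t]id=/ && $0 ~ /[ \t]key=/ && $0 ~ /[ \t]authfile=/)
           exit }
         END { exit !ok }' "$1" 2>/dev/null
}

# sshd_option_is FILE KEYWORD VALUE
# sshd keeps the first value it reads for a keyword and keywords are
# case-insensitive, so only the first active global occurrence counts.
sshd_option_is() {
    awk -v key="$2" -v want="$3" '
         $1 ~ /^#/ || NF == 0 { next }
         tolower($1) == "match" { exit }      # conditional blocks are not global
         tolower($1) == tolower(key) { ok = (tolower($2) == tolower(want)); exit }
         END { exit !ok }' "$1" 2>/dev/null
}

# Runs every check against files under ROOT ($1, default /), prints one
# line per check and returns the number of failed checks.
audit_yubikey_config() {
    root="${1:-}"; fails=0
    report() { if "$@"; then echo "ok:   $*"; else echo "FAIL: $*"; fails=$((fails + 1)); fi; }
    for f in sudo gdm-password login; do
        report pam_u2f_after_common_auth "$root/etc/pam.d/$f"
    done
    report pam_yubico_first "$root/etc/pam.d/sshd"
    report sshd_option_is "$root/etc/ssh/sshd_config" ChallengeResponseAuthentication yes
    report sshd_option_is "$root/etc/ssh/sshd_config" UsePAM yes
    return "$fails"
}

# Run the audit only when the script is called as: sh <script> audit [ROOT]
case "${1:-}" in audit) audit_yubikey_config "${2:-}" ;; esac
```

On OpenSSH 8.7 and later the challenge-response option is named KbdInteractiveAuthentication and the old name remains an alias, so on those systems run sshd_option_is for both keywords.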