Introduction

According to Wikipedia [1]:

The YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public key encryption and authentication, and the Universal 2nd Factor (U2F) protocol developed by the FIDO Alliance (FIDO U2F). It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Facebook uses YubiKey for employee credentials, and Google supports it for both employees and users. Some password managers support YubiKey.

PAM capability

For Debian:

apt install -y libpam-u2f
mkdir -p ~/.config/Yubico
pamu2fcfg -u"$(whoami)" > ~/.config/Yubico/u2f_keys   # plug the key in and touch it when it blinks
man pam_u2f

Then edit /etc/pam.d/common-auth:

...
auth    sufficient                      pam_u2f.so cue
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
...

The configuration above lets either the password or the YubiKey satisfy authentication: pam_u2f is `sufficient` and comes first, so a successful touch ends the stack, and if it fails, pam_unix still accepts the password. That makes U2F an alternative factor, not a second one. To require both, use `auth required pam_u2f.so cue` and keep it above the pam_unix line: the `[success=1 default=ignore]` control on pam_unix skips the module right after it on success, so a pam_u2f line placed directly below pam_unix would be jumped over (straight onto pam_deny on Debian). Note also that `~/.config/Yubico/u2f_keys` is writable by the very user it protects; pam_u2f's `authfile=` option can point at a root-owned file instead if users must not be able to enroll keys themselves. The cue option prints a message reminding you to touch the device. However, the prompt is written to stdout instead of stderr.
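As an added example (not part of the original post), here are two offline checks I run before trusting a pam_u2f setup for login or screen unlock. `pam_u2f_mode` reads the `auth` rules of a PAM file and reports whether pam_u2f is an alternative to the password (`either`), a second factor on top of it (`second-factor`), absent (`none`), or placed where a `success=K` jump from an earlier module skips it (`skipped`, the Debian common-auth pitfall). `u2f_keys_check` validates the mapping file pamu2fcfg writes, one line per user in the form `user:keyhandle,pubkey[,cosetype,options][:keyhandle,...]`. Assumptions: the verdicts only look at pam_u2f and pam_unix, and the COSE type names accepted (es256, rs256, eddsa) are the ones I expect pam_u2f to use.

```shell
#!/bin/sh
# Added example, not from the original post: offline sanity checks for pam_u2f.
#   pam_u2f_mode FILE        -> none | either | second-factor | skipped | other
#   u2f_keys_check FILE USER -> 0 if USER's u2f_keys line is well-formed, else 1
set -f   # word-splitting config lines must not glob-expand

pam_u2f_mode() {
    local file=$1 line ctrl module k
    local n=0 u2f_pos=0 u2f_ctrl="" unix_pos=0 jump_end=0
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                      # PAM fields are whitespace separated
        [ $# -ge 3 ] || continue          # blank line, or too short to be a rule
        [ "$1" = auth ] || continue       # comments, @include, other stacks
        shift; ctrl=$1; shift
        # a bracketed control such as "[success=1 default=ignore]" spans words
        while [ $# -gt 0 ]; do
            case "$ctrl" in
                \[*\]) break ;;
                \[*)   ctrl="$ctrl $1"; shift ;;
                *)     break ;;
            esac
        done
        module=${1:-}
        n=$((n + 1))
        case "$module" in
            *pam_u2f.so)  u2f_pos=$n; u2f_ctrl=$ctrl ;;
            *pam_unix.so) unix_pos=$n ;;
        esac
        # "success=K" skips the next K modules on success; remember how far a
        # jump that starts above pam_u2f reaches, to catch a misplaced line
        if [ "$u2f_pos" -eq 0 ]; then
            case "$ctrl" in
                *success=[0-9]*)
                    k=${ctrl#*success=}; k=${k%%[!0-9]*}
                    if [ $((n + k)) -gt "$jump_end" ]; then jump_end=$((n + k)); fi ;;
            esac
        fi
    done < "$file"

    if [ "$u2f_pos" -eq 0 ]; then
        echo none
    elif [ "$jump_end" -ge "$u2f_pos" ]; then
        echo skipped        # a success=K jump bypasses pam_u2f (Debian: lands on pam_deny)
    elif [ "$u2f_ctrl" = sufficient ] && { [ "$unix_pos" -eq 0 ] || [ "$u2f_pos" -lt "$unix_pos" ]; }; then
        echo either         # the key alone, or the password alone, unlocks
    elif [ "$u2f_ctrl" = required ] || [ "$u2f_ctrl" = requisite ]; then
        echo second-factor  # the key must pass in addition to the rest of the stack
    else
        echo other
    fi
}

u2f_keys_check() {
    local file=$1 user=$2 line name creds cred rest kh pk ctype opts found=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        name=${line%%:*}
        [ "$name" = "$user" ] || continue
        found=1
        creds=${line#*:}
        if [ "$creds" = "$line" ] || [ -z "$creds" ]; then
            echo "u2f_keys: no credential after '$name:'" >&2; return 1
        fi
        local IFS=:                       # credentials are ':'-separated
        for cred in $creds; do
            # fields inside one credential are ','-separated
            kh=${cred%%,*};    rest=${cred#"$kh"};    rest=${rest#,}
            pk=${rest%%,*};    rest=${rest#"$pk"};    rest=${rest#,}
            ctype=${rest%%,*}; opts=${rest#"$ctype"}; opts=${opts#,}
            case "$kh" in ''|*[!A-Za-z0-9+/=_-]*)
                echo "u2f_keys: bad key handle in '$cred'" >&2; return 1 ;;
            esac
            case "$pk" in ''|*[!A-Za-z0-9+/=_-]*)
                echo "u2f_keys: bad public key in '$cred'" >&2; return 1 ;;
            esac
            case "$ctype" in ''|es256|rs256|eddsa) ;;   # assumed COSE type names
                *) echo "u2f_keys: unknown COSE type '$ctype' in '$cred'" >&2; return 1 ;;
            esac
            case "$opts" in ''|[+-]*) ;;                # e.g. +presence, -pin
                *) echo "u2f_keys: options must start with + or - in '$cred'" >&2; return 1 ;;
            esac
        done
    done < "$file"
    if [ "$found" -eq 0 ]; then
        echo "u2f_keys: no entry for '$user'" >&2; return 1
    fi
    return 0
}

# Usage: sh pam-u2f-check.sh /etc/pam.d/common-auth ~/.config/Yubico/u2f_keys "$(whoami)"
if [ $# -eq 3 ]; then
    echo "pam_u2f in $1: $(pam_u2f_mode "$1")"
    if u2f_keys_check "$2" "$3"; then echo "u2f_keys entry for $3 is well-formed"; fi
fi
```

Run it against common-auth before you log out: `either` is what the configuration above produces, `second-factor` is what you want if the key must be mandatory, and `skipped` means the pam_u2f line sits below a `success=1` jump and will never be consulted on a correct password.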

PIV capability

I use i3lock as my lock screen program. It uses PAM, so the U2F setup above works with it unchanged. I also wrote a script to lock the screen when the YubiKey is unplugged.

The /etc/udev/rules.d/70-yubikey.rules file:

ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/bin/bash /home/fugoes/.dotfiles/bin/usb-remove.sh"

If the udev rules file is a symlink, you need to trigger a reload manually with `udevadm control --reload`, and the reload is needed again after every reboot.

The /home/fugoes/.dotfiles/bin/usb-remove.sh file (a dirty hack…):

#!/bin/bash
# Run by udev (as root) when the YubiKey is removed: lock the X session
# unless the left Shift key is held down at that moment.
export DISPLAY=:0.0
export XAUTHORITY="/home/fugoes/.Xauthority"

# Return 0 if any keyboard currently reports keycode 50 (left Shift) as down.
is_shift_down() {
    xinput --list |
    grep "slave *keyboard" |
    sed -r 's/.*id=([[:digit:]]+).*/\1/' |
    {
        # this brace group runs in a subshell, so "exit" only sets the pipeline's status
        while read -r num; do
            if xinput --query-state "$num" | grep -q 'key\[50\]=down'; then
                exit 0
            fi
        done
        exit 1
    }
}

# --no-block: hand the long-running locker to systemd rather than starting it
# from the udev RUN script, whose leftover children udev kills.
is_shift_down || systemctl --no-block start i3lock.service

If you unplug the YubiKey with the left Shift key held down, the screen lock is not triggered. Two caveats: DO NOT run a daemon or a long task directly from a udev rule, because udev kills any child processes left over once the RUN script has returned (hence the systemd unit above). And udev runs the RUN script as root, so pointing it at a script under a user's home directory means root executes user-writable code on every unplug; a copy in a root-owned location such as /usr/local/bin avoids that.

GPG smartcard capability

The YubiKey 4 can be used as an OpenPGP smartcard holding RSA private keys of up to 4096 bits. A great guide exists for this (see the references below). Note that keytocard moves the key to the card, and if you `save` after this command, the private keys that were moved are deleted from GNUPGHOME and replaced by stubs pointing at the card. Back up before keytocard!
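As an added example around the keytocard warning (my own helpers, not code from the original post or from the guide it refers to): `gpg_backup` archives the secret material before the move, and `card_subkeys` / `local_subkeys` read `gpg -K --keyid-format 0xlong` output after the `save` to report which subkeys are now stubs on the card (gpg marks them `ssb>`) and which are still held on disk (`ssb`). The sample output in the test is constructed, with made-up key IDs; the `--keyid-format 0xlong` layout is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: backup before keytocard and a
# check afterwards that the subkeys really left GNUPGHOME.
set -f   # "[S]", "[E]" etc. in gpg output must not glob-expand when split

# Run BEFORE keytocard: armored exports plus a tarball of GNUPGHOME (gpg will
# prompt for the passphrase). Everything goes into a mode-700 directory.
gpg_backup() {
    local dest=$1 home=${GNUPGHOME:-$HOME/.gnupg}
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    gpg --armor --export-secret-keys    > "$dest/secret-keys.asc"    || return 1
    gpg --armor --export-secret-subkeys > "$dest/secret-subkeys.asc" || return 1
    tar -C "$(dirname "$home")" -czf "$dest/gnupg-home.tgz" "$(basename "$home")"
}

# Print the long key IDs of subkeys tagged "ssb>" (secret part on the card)
# or, for local_subkeys, "ssb" (secret part still on disk). Input is the
# output of "gpg -K --keyid-format 0xlong", from a file or stdin.
card_subkeys()  { _subkeys 'ssb>' "${1:-/dev/stdin}"; }
local_subkeys() { _subkeys 'ssb'  "${1:-/dev/stdin}"; }
_subkeys() {
    local tag=$1 file=$2 line
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ "${1:-}" = "$tag" ] || continue
        printf '%s\n' "${2#*/}"           # "rsa4096/0x1111..." -> "0x1111..."
    done < "$file"
}

# True only when at least one subkey is on the card and none is left on disk:
# the condition to meet before you consider the backup the only copy.
all_on_card() { [ -z "$(local_subkeys "$1")" ] && [ -n "$(card_subkeys "$1")" ]; }

# Usage: sh keytocard-check.sh backup ~/gpg-backup
#        gpg -K --keyid-format 0xlong | sh keytocard-check.sh check
case "${1:-}" in
    backup) gpg_backup "$2" ;;
    check)  if all_on_card /dev/stdin; then echo "all subkeys are on the card"
            else echo "some subkeys are still in GNUPGHOME"; fi ;;
esac
```

A subkey that still shows as plain `ssb` after `save` was never moved (or you are looking at a restored copy), so keep the backup until `check` is happy; a `sec#` line is the usual offline master key and is not touched by these helpers.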

U2F capability

Firefox now has native U2F support: enable security.webauth.u2f in about:config (this preference controls the legacy U2F JavaScript API; later Firefox releases ship the successor WebAuthn API enabled by default). Google's products now support U2F in Firefox.

OTP capability

TODO

References

  1. https://en.wikipedia.org/wiki/YubiKey
  2. https://bigeagle.me/2016/02/yubikey-4
  3. https://github.com/drduh/YubiKey-Guide