A YubiKey is a hardware authentication device that can be used for various one-time password (OTP) and authentication methods. This article explains some of the ways to use the YubiKey4 with Fedora. Other versions may be incompatible or require additional configuration.
Note: There is a newer version of this article available here: https://fedoramagazine.org/how-to-use-a-yubikey-with-fedora-linux/
What is a YubiKey?
From the Yubico site: “A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password. Phishing, malware, and other attack methods don’t work because they would need both your physical key and your passwords to breach your accounts.”
Two-factor authentication with the Yubico Authenticator tool
The Yubico Authenticator tool lets you generate OATH one-time password codes with your YubiKey. It can store up to 32 OATH event-based HOTP and time-based TOTP credentials on the device itself, which makes it easy to use across multiple computers. The software is freely available in Fedora in the `
GPG smartcard for SSH authentication
The YubiKey4 contains an OpenPGP smartcard applet, which lets you import or generate GPG keys on the hardware. You can also use these keys for SSH authentication to remote machines with the `
You’ll first want to go through the “Importing Keys” instructions for setting up your GPG keys. Then there is a great guide created by a number of Fedora contributors for configuring GPG and GNOME to use your YubiKey as a GPG smartcard for SSH authentication.
FIDO Universal 2nd Factor
U2F is an open authentication standard that lets a single device authenticate you to any number of online services, with no drivers or client software needed.
Fedora ships the `
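The "no client software" property of U2F comes from how little the browser and site have to do: the token returns a user-presence byte, a 32-bit signature counter and an ECDSA signature over data the relying party can reconstruct. The example below is added here and is not code from the article, Fedora or Yubico; it shows the relying-party side of an authentication response in plain Python: parsing the raw response, rebuilding the exact bytes the token signed, and enforcing the two checks that need no cryptography at all, user presence and a strictly increasing counter. Verifying the ECDSA P-256 signature over the returned message with the public key stored at registration is assumed to be done by the caller with a crypto library and is not shown. The app ID, client data and response bytes are constructed sample input, and `check_authentication`, `make_response` and `is_accepted` are this example's own names.

```python
import hashlib
import struct


class U2FError(Exception):
    """Raised when an authentication response must be rejected."""


def parse_authenticate_response(resp: bytes):
    """Split a raw U2F authentication response:
    byte 0 = user-presence flags, bytes 1..4 = big-endian signature counter,
    remainder = DER-encoded ECDSA P-256 signature."""
    if len(resp) < 5:
        raise U2FError("response shorter than 5 bytes")
    user_presence = resp[0]
    (counter,) = struct.unpack(">I", resp[1:5])
    return user_presence, counter, resp[5:]


def signed_data(app_id: str, user_presence: int, counter: int, client_data: bytes) -> bytes:
    """The bytes the token actually signed:
    SHA-256(appId) || user_presence || counter || SHA-256(clientData)."""
    return (hashlib.sha256(app_id.encode()).digest()
            + bytes([user_presence])
            + struct.pack(">I", counter)
            + hashlib.sha256(client_data).digest())


def check_authentication(app_id: str, client_data: bytes, resp: bytes, stored_counter: int):
    """Relying-party checks that need no key material: user presence must be asserted and
    the counter must be strictly higher than the last one seen for this key handle.
    Returns (message to verify, signature, new counter); the caller verifies the ECDSA
    signature over `message` with the registered public key, then persists the counter."""
    up, counter, signature = parse_authenticate_response(resp)
    if not up & 0x01:
        raise U2FError("user presence bit not set")
    if counter <= stored_counter:
        raise U2FError(f"counter {counter} not above stored {stored_counter}: replay or cloned token")
    return signed_data(app_id, up, counter, client_data), signature, counter


def make_response(user_presence: int, counter: int, signature: bytes) -> bytes:
    """Build a raw response in the same layout (used here only to construct sample input)."""
    return bytes([user_presence]) + struct.pack(">I", counter) + signature


def is_accepted(app_id: str, client_data: bytes, resp: bytes, stored_counter: int) -> bool:
    """True if the non-cryptographic checks pass, False if the response would be rejected."""
    try:
        check_authentication(app_id, client_data, resp, stored_counter)
        return True
    except U2FError:
        return False


# Constructed sample input (not a real token response): UP set, counter 42, placeholder DER bytes.
SAMPLE_APP_ID = "https://example.org"
SAMPLE_CLIENT_DATA = b'{"typ":"navigator.id.getAssertion","challenge":"abc","origin":"https://example.org"}'
SAMPLE_RESPONSE = make_response(0x01, 42, b"\x30\x06\x02\x01\x01\x02\x01\x01")

if __name__ == "__main__":
    msg, sig, ctr = check_authentication(SAMPLE_APP_ID, SAMPLE_CLIENT_DATA, SAMPLE_RESPONSE, stored_counter=41)
    print("counter advanced to", ctr, "; now verify the", len(sig), "byte signature over", len(msg), "bytes")
    print("replaying the same response accepted?", is_accepted(SAMPLE_APP_ID, SAMPLE_CLIENT_DATA, SAMPLE_RESPONSE, ctr))
```

The counter check is what lets a site notice a cloned token: a copy that signs with a lower counter than the one already recorded is rejected. The check must be "strictly greater", not "greater by one": a YubiKey keeps one counter shared across all the sites it is registered with, so legitimate jumps of more than one are normal.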
Authentication with PAM
You can use your YubiKey to log in to your Fedora machines by configuring PAM with the pam_yubico module. There are detailed instructions for how to do this on the Fedora Wiki.
Other resources
- Git GPG signing
- How to use your YubiKey with GitHub
- YubiKey Personalization Tool
- Using the YubiKey within Fedora Infrastructure (Soon to be obsoleted by python-yubico and FreeIPA/Krb5 implementation)
Casey Keller
I have the Yubikey 4 and love it for my GPG and GPG/SSH uses. I use it with Lastpass for time based authentication as well. As far as I know you can use the Fido U2F if you have the key setup for smartcard/pgp since they occupy the same slot on the Yubi. I am not sure about the OATH.
I would love to know your experiences with it. Can the same time based slot 1 that I use for Lastpass be used for OATH since my GPG is setup on slot 2 or does something have to go?
Smirnovd
There are several slots, 2 for OTPs (HOTP/TOTP) or HMAC challenge-response, one non-removable, non-resetable FIDO U2F slot, one for GPG (OpenPGP 2.0 card spec compliant, three keys, up to 4096RSA or 384ECC), one PIV compliant slot (several slots for certificates, each having different policy like pin, presence verification) and all of them can be stored simultaneously.
Please note that while PIV supports parallel access, GPG agent will demand exclusive access to the reader and will prevent PIV mode from working while GPG is active and vice versa.
Casey Keller
Any suggestions on some guides for using all the slots?
Jaša Bartelj
Is there any software support to store filesystem encryption keys on such a device? I imagine there would need to be
bootloader Yubico support for /boot decryption,
kernel Yubico support for / decryption,
userspace driver to provide the LUKS key for mountpoints not containing the driver
Andrew
Anyone considering buying a Yubikey should be aware that the budget model (about $20US) only supports U2F and not the other features described here. Same with the cheaper Hypersecu key.
Brandon
It’s not called a “FIDO U2F Security Key” for nothing.
It doesn’t have “Yubikey” in its name for a reason. It’s a Yubico product, but not a Yubikey.
Sami
I think you should note that installing pam_yubico according to the default instructions makes your 2-factor authentication dependent on being connected to the internet and Yubico’s auth servers being up.