Using the YubiKey4 with Fedora

A YubiKey is a hardware authentication device that can be used for various one-time password (OTP) and authentication methods. This article explains some of the ways to use the YubiKey4 with Fedora. Other versions may be incompatible or require additional configuration.

What is a YubiKey?

From the Yubico site: “A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password. Phishing, malware, and other attack methods don’t work because they would need both your physical key and your passwords to breach your accounts.”

Two-factor authentication with the Yubico Authenticator tool

The Yubico Authenticator tool lets you generate OATH one-time password codes with your YubiKey. It can store up to 32 OATH event-based HOTP and time-based TOTP credentials on the device itself, which makes it easy to use across multiple computers. The software is freely available in Fedora in the `yubioath-desktop` package, which also provides a `yubioath-cli` command-line tool. If you want the GUI version, invoke `yubioath-gui` after installing the package.
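The two credential types named above are defined by open standards, HOTP (RFC 4226, event-based) and TOTP (RFC 6238, time-based), so the code a YubiKey displays can be reproduced and checked from the seed alone. The following is an added example, not code from the article or from Yubico's yubioath tools: it implements both algorithms, the base32 seed decoding that authenticator apps use, and the verification rules a relying service applies (a look-ahead window for HOTP counters that have drifted, a small clock-skew window for TOTP, and constant-time comparison). The seed and time values used in the checks are the published RFC test vectors; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def seed_from_base32(text):
    """Decode a base32 seed as shown in authenticator apps (spaces allowed,
    case-insensitive, padding optional)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm=hashlib.sha1):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits, algorithm)


def verify_hotp(secret, code, last_counter, look_ahead=10, digits=6):
    """Event-based check with resynchronisation. The token's counter may be
    ahead of the server's (button pressed without completing a login), so
    try the next `look_ahead` values. Returns the matched counter, which the
    caller must store as the new high-water mark, or None. Counters at or
    below last_counter are never accepted, which blocks replay of a code."""
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Time-based check tolerating `window` steps of clock skew either side.
    A real service should also refuse to accept the same code twice within
    the accepted window; that bookkeeping is omitted here."""
    if for_time is None:
        for_time = time.time()
    current = int(for_time) // step
    for candidate in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 shared test seed, as it would appear in base32.
    seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("HOTP counter 0:", hotp(seed, 0))            # RFC 4226 vector: 755224
    print("TOTP at t=59 :", totp(seed, 59, digits=8))  # RFC 6238 vector: 94287082
    print("TOTP now     :", totp(seed))
```

The look-ahead in `verify_hotp` is what makes event-based credentials usable in practice: every button press advances the device counter whether or not the code is consumed, so a server that demands an exact counter match locks the user out after a few stray presses, while an unbounded window would let an attacker brute-force codes. TOTP avoids the counter problem but instead depends on both sides keeping reasonably accurate time.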

[Image: Using the Yubico Authenticator for two-factor authentication with the YubiKey]

GPG smartcard for SSH authentication

The YubiKey4 contains an OpenPGP smartcard applet, which lets you import and store GPG keys on the hardware. You can also use these keys for SSH authentication to remote machines with `gpg-agent`. This allows you to use GPG and SSH without storing any private keys on your computer at all.

You’ll first want to go through the “Importing Keys” instructions for setting up your GPG keys. Then there is a great guide created by a number of Fedora contributors for configuring GPG and GNOME to use your YubiKey as a GPG smartcard for SSH authentication.

FIDO Universal 2nd Factor

U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.

Fedora ships the `pam-u2f` package (https://apps.fedoraproject.org/packages/pam-u2f), which provides an easy way to integrate the YubiKey (or other U2F-compliant authenticators) into your existing user authentication infrastructure.

Authentication with PAM

You can use your YubiKey to log in to your Fedora machines by configuring PAM with the pam_yubico module. There are detailed instructions for how to do this on the Fedora Wiki.

7 Comments

  1. Casey Keller

    I have the Yubikey 4 and love it for my GPG and GPG/SSH uses. I use it with Lastpass for time based authentication as well. As far as I know you can use the Fido U2F if you have the key set up for smartcard/pgp since they occupy the same slot on the Yubi. I am not sure about the OATH.

    I would love to know your experiences with it. Can the same time based slot 1 that I use for Lastpass be used for OATH since my GPG is set up on slot 2 or does something have to go?

    • Smirnovd

      There are several slots, 2 for OTPs (HOTP/TOTP) or HMAC challenge-response, one non-removable, non-resettable FIDO U2F slot, one for GPG (OpenPGP 2.0 card spec compliant, three keys, up to 4096RSA or 384ECC), one PIV compliant slot (several slots for certificates, each having different policy like pin, presence verification) and all of them can be stored simultaneously.

      Please note that while PIV supports parallel access, GPG agent will demand exclusive access to the reader and will prevent PIV mode from working while GPG is active and vice versa.

      • Casey Keller

        Any suggestions on some guides for using all the slots?

  2. Jaša Bartelj

    Is there any software support to store filesystem encryption keys on such a device? I imagine there would need to be

    bootloader Yubico support for /boot decryption,
    kernel Yubico support for / decryption,
    userspace driver to provide the LUKS key for mountpoints not containing the driver

  3. Andrew

    Anyone considering buying a Yubikey should be aware that the budget model (about $20US) only supports U2F and not the other features described here. Same with the cheaper Hypersecu key.

    • Brandon

      It’s not called a “FIDO U2F Security Key” for nothing.

      It doesn’t have “Yubikey” in its name for a reason. It’s a Yubico product, but not a Yubikey.

  4. Sami

    I think you should note that installing pam_yubico according to the default instructions makes your 2-factor authentication dependent on being connected to the internet and Yubico’s auth servers being up.

Comments are Closed