A YubiKey is a hardware authentication device that can be used for various one-time password (OTP) and authentication methods. This article explains some of the ways to use the the YubiKey4 with Fedora. Other versions may be incompatible or require additional configuration.

What is a YubiKey?

From the Yubico site: “A YubiKey is a small device that you register with a service or site that supports two-factor authentication. Two-factor authentication means that each time you log in, the service will request proof that you have your YubiKey in addition to your regular username and password. Phishing, malware, and other attack methods don’t work because they would need both your physical key and your passwords to breach your accounts.”

Two-factor authentication with the Yubico Authenticator tool

The Yubico Authenticator tool lets you generate OATH one-time password codes with your YubiKey. It can store up to 32 OATH event-based HOTP and time-based TOTP credentials on the device itself, which makes it easy to use across multiple computers. The software is freely available in Fedora in the `yubioath-desktop` package, and also provides a yubioath-cli command-line tool. If you desire the gui version after install invoke yubioath-gui.

Using the Yubico Authenticator for two-factor authentication

Using the Yubico Authenticator for two-factor authentication with the YubiKey

GPG smartcard for SSH authentication

The YubiKey4 contains an OpenPGP smartcard applet, which lets you import and GPG keys on the hardware. You can also use these keys for SSH authentication to remote machines with the `gpg-agent`. This allows you to use GPG and SSH without storing any private keys on your computer at all.

You’ll first want to go through the “Importing Keys” instructions for setting up your GPG keys. Then there is a great guide created by a number of Fedora contributors for configuring GPG and GNOME to use your YubiKey as a GPG smartcard for SSH authentication.

FIDO Universal 2nd Factor

U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.

Fedora ships the `pam-u2f` package which provides an easy way to integrate the Yubikey (or other U2F-compliant authenticators) into your existing user authentication infrastructure.

Authentication with PAM

You can use your YubiKey to log in to your Fedora machines by configuring PAM with the pam_yubico module. There are detailed instructions for how to do this on the Fedora Wiki.

Other resources