[et_pb_section fb_built=”1″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_row _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.21.0″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” text_font=”Roboto||||||||” text_font_size=”20px” text_line_height=”1.8em” background_color=”#efefef” module_alignment=”center” custom_padding=”2%|4%|2%|4%|true|true” global_colors_info=”{}”]<\/p>\n
YubiKey hardware security keys make your system more secure. And the procedure of logging into accounts is faster and more convenient. Follow the instructions below to easily add the required settings on your Linux system.<\/span><\/p>\n [\/et_pb_text][et_pb_text _builder_version=”4.21.0″ _module_preset=”default” text_font_size=”16px” global_colors_info=”{}”]<\/p>\n Setting up the YubiKey in Linux is quite different from setting up in other OSes, for example in <\/span>Windows<\/span><\/a>. First, you will need to perform operations through the terminal, not through the user interface. Secondly, you will need to make not one, but a number of settings so that hackers cannot bypass certain restrictions, while you do not block access to the system yourself. The following actions are meant:<\/span><\/p>\n If you know English well, you can watch<\/span> this video<\/span><\/a>, it is about setting up using HMAC-SHA1 protocol. If you’re more comfortable with a text format, check out the text version of the instructions below. <\/span><\/p>\n If you plan to use Security Key or YubiKey Bio series keys, please refer to the instructions for configuring keys<\/span><\/i> using the U2F function<\/span><\/i><\/a>.<\/span><\/i><\/p>\n Depending on how you want to configure your system (via HMAC-SHA1 or U2F) you will need to select compatible keys. Series 5 or FIPS keys are suitable for login without a password or two-factor authentication. But the Bio or Security Key series can only be used for U2F. <\/span><\/p>\n There are several ways to install Yubico software on Linux:<\/span><\/p>\n More information in the article: \u201c<\/span>How to install Yubico software on Linux<\/span><\/a>\u201d.<\/span><\/p>\n Consider setting up a YubiKey on an Ubuntu system using the HMAC-SHA1 challenge-response function. Based on this example, you will be able to make similar settings in systems similar to Ubuntu.<\/span><\/p>\n In order not to lose access to your personal device in case you lose the key, we recommend adding a spare hardware device. To do this, you will need to repeat the same operations as when adding the first key. If you don’t have a spare key yet, you can come back to this step later.<\/span><\/p>\n To set up an additional level of security, <\/b>you<\/span> need to move the file <\/span>challenge-<SERIAL><\/b> to an OS directory where you will need to get sudo permission to edit the file (eg <\/span>\/etc<\/span>). To do this, follow these steps:<\/span><\/p>\n After the file <\/span>challenge-<SERIAL><\/b> will be moved to a safe location, the PAM file will also need to be modified for it to work correctly. To do this, you will need to add to the configuration of the PAM file “<\/span> Note that<\/b>after performing these steps, you will not be able to modify the file if you lose the key. This can lead to blocking of access. So we don’t recommend doing this step without adding a backup security key.<\/span><\/p>\n In this section, we’ll look at how to configure keys using sudo commands without locking yourself out. We will also consider how to fix the system in case of errors. <\/span><\/p>\n If you’re having trouble logging in, you can turn on the debugging system to find the cause. To do this, launch Terminal and specify: <\/span> After that, all the events will be saved in the debug log, and you can find the error and fix it. If you don’t need the debug log, you can disable it by removing the line \u201c<\/span>debug debug_file=\/var\/log\/pam_yubico.log\u201d<\/span> from the files pam. <\/span> <\/p>\n Let’s wonder how to set up the system to vimagati the key when using the sudo command (this command helps to take away the privileges of the super-coordinator) and not to block yourself.<\/span><\/p>\n <\/p>\n\n
Compatible keys<\/b><\/h2>\n
\nWays to install Yubico software<\/b><\/h2>\n
\n\n
Configuring the YubiKey security key<\/b><\/h2>\n
\n\n
sudo apt install libpam-yubico yubikey-manager<\/code><\/span>. <\/span> <\/li>\nykman otp chalresp -g 2<\/code><\/span>.<\/span><\/li>\nykpamcfg -2<\/code><\/span>. After that, you should receive confirmation from the system in the format: <\/span>\u00ab\u0417\u0431\u0435\u0440\u0435\u0436\u0435\u043d\u0438\u0439 \u043f\u043e\u0447\u0430\u0442\u043a\u043e\u0432\u0438\u0439 \u0432\u0438\u043a\u043b\u0438\u043a\u00bb, \u00ab\/home\/<USER>\/.yubico\/challenge-<SERIAL>\u00bb<\/code><\/span>. where in place <\/span><USER> <\/code><\/span>will be your username, and instead <\/span><SERIAL><\/code> <\/span>\u2014 the serial number of the YubiKey. If the file does not run, go to \u201c<\/span>Troubleshoot<\/span><\/a>\u201d.<\/span><\/li>\n<\/ol>\n\n
sudo mv ~\/.yubico\/challenge-<SERIAL> \/etc\/yubico\/`whoami`-<SERIAL><\/code><\/span>.<\/span><\/li>\n<\/ul>\nchalresp_path=\/etc\/yubico<\/code><\/span>” at the end.<\/span><\/p>\nConfiguring the system to use security keys<\/b><\/h2>\n
\nThe debug log<\/b><\/h3>\n
sudo touch \/var\/log\/pam_yubico.log<\/code><\/span>. Next, find the line <\/span>pam_yubico.so<\/strong> and add at the end: \u201c<\/span>debug debug_file=\/var\/log\/pam_yubico.log\u201d<\/code><\/span>. <\/span><\/p>\nThe sudo Command<\/b><\/h3>\n
\n
#this will require password + YubiKey for Login<\/span><\/code><\/p>\nsudo nano \/etc\/pam.d\/yubico-required<\/span><\/code><\/p>\nauth required pam_yubico.so mode=challenge-response debug debug_file=\/var\/log\/pam_yubico.log<\/span><\/code><\/p>\n#This will only require YubiKey for Login<\/span><\/code><\/p>\nsudo nano \/etc\/pam.d\/yubico-sufficient<\/span><\/code><\/p>\nauth sufficient pam_yubico.so mode=challenge-response debug debug_file=\/var\/log\/pam_yubico.log<\/span><\/code><\/p>\n\n
sudo nano \/etc\/pam.d\/sudo <\/span><\/code><\/p>\n#for password + YubiKey<\/span><\/code><\/p>\nAdd the line below the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-required<\/span><\/code><\/p>\n#for YubiKey only <\/span><\/code><\/p>\nAdd the line above the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-sufficient<\/span><\/code><\/p>\n\n
sudo echo test<\/code><\/span>. <\/span> <\/li>\n\n
\n
Configuring the system for a remote key when entering the system<\/b><\/h3>\n
\n
sudo nano \/etc\/pam.d\/gdm-password<\/code><\/span>. You should receive an answer:<\/span><\/li>\n<\/ol>\n#for Password + YubiKey<\/span><\/code><\/p>\nAdd the line below the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-required<\/span><\/code><\/p>\n#for YubiKey only <\/span><\/code><\/p>\nAdd the line above the \u201c@include common-auth\u201d line. <\/span><\/code><\/p>\n@include yubico-sufficient<\/span><\/code><\/p>\n\n