{"id":132191,"date":"2023-03-03T08:00:00","date_gmt":"2023-03-03T08:00:00","guid":{"rendered":"https:\/\/fedoramagazine.org\/?p=33856"},"modified":"2023-03-03T08:00:00","modified_gmt":"2023-03-03T08:00:00","slug":"how-to-use-a-yubikey-with-fedora-linux","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/03\/03\/how-to-use-a-yubikey-with-fedora-linux\/","title":{"rendered":"How to use a YubiKey with Fedora Linux"},"content":{"rendered":"<p>This article explains how to configure Yubico&#8217;s <a href=\"https:\/\/www.yubico.com\/products\/yubikey-5-overview\/\" target=\"_blank\" rel=\"noreferrer noopener\">YubiKey<\/a>, a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Security_token\" target=\"_blank\" rel=\"noreferrer noopener\">hardware security token<\/a>, and Fedora Linux Workstation for typical use-cases such as logging into GDM, authentication for the <em>sudo<\/em> command, OpenSSH authentication and key management, or as a second factor on the web.<\/p>\n<p> <span id=\"more-33856\"><\/span> <\/p>\n<h2>Motivation<\/h2>\n<p>In times of sophisticated malware and always-and-everything-on(line), software-based storage of credentials becomes at least unsettling. Hardware security tokens are a physical, cryptographically secured storage for secrets. Such a token and its secrets cannot be copied by large-scale malware attacks.<\/p>\n<p>Applications and services that have to authenticate your access can use a physical token as a factor of ownership and identification. These tokens require extreme dedication, time and money to forge or maliciously acquire.<\/p>\n<p>Nowadays hardware security tokens are quite versatile and can be used for a variety of interesting things. Use-cases are roughly divided into two categories: convenience and added security. Convenience covers anything from using the hardware token to unlock your LUKS encrypted disk to logging in to your Fedora Workstation with the press of a button. 
Added security on the other hand covers multi-factor authentication (MFA) scenarios as well as storing private credentials.<\/p>\n<h2>Always set up a backup key<\/h2>\n<p>As soon as you start working with security tokens you have to account for the potential to lock yourself out of accounts tied to these tokens. As hardware security tokens are unique and designed to be extremely hard to copy, you can&#8217;t just back one up as you would a software vault like KeePass or andOTP. Every registration you do with a primary key, also do with a second backup key, which you store in a secure location like a safe or at least leave at home.<\/p>\n<p>In practice you register both hardware tokens with your Linux and web accounts, generate private keys on both keys, and configure their public keys at remote services.<\/p>\n<h2>Security considerations<\/h2>\n<p>Most features of the key either work with a <em>button press only<\/em> or require <em>entering an additional PIN<\/em>. Keep in mind that <strong>without a PIN<\/strong> YubiKey authentication is only a button press away. This means that presence is required but is also enough. For example, if the key is configured to work as an alternative login factor, being in front of the machine with the key slotted is enough to log in.<\/p>\n<h2>YubiKey models and features<\/h2>\n<p>Yubico offers multiple models of the YubiKey with different connectors (USB A\/C, NFC) and supported features. Depending on the model, the device can be used for a variety of things.<\/p>\n<p>With <strong>OTP<\/strong> (One Time Password) you can:<\/p>\n<ul>\n<li>Log into the system via terminal<\/li>\n<li>Log into GDM<\/li>\n<li>Use <em>sudo<\/em><\/li>\n<\/ul>\n<p>The <strong>OATH TOTP<\/strong> (Time-based One-Time Passwords) feature is an alternative to Google Authenticator (or andOTP). 
<a href=\"https:\/\/developers.yubico.com\/OATH\/\" target=\"_blank\" rel=\"noreferrer noopener\">OATH<\/a> (Open Authorization) is an organization that specifies two open authentication standards: TOTP and HOTP (HMAC- or Hash-based Message Authentication Code One-Time Password).<\/p>\n<p>The <strong>PIV<\/strong> (Personal Identity Verification) module lets you:<\/p>\n<ul>\n<li>Store OpenSSL certificates and private keys<\/li>\n<li>Store OpenSSH private keys<\/li>\n<\/ul>\n<p>With <strong>FIDO U2F<\/strong> (Fast IDentity Alliance Universal 2nd Factor) you can use the key as a second factor in web browser authentication flows. The web page, or more specifically the browser, will ask you to insert the key and press the button on login if you configured the key as a second factor. This is an alternative to OTP that does not require you to look up a 6-digit code in an authenticator app.<\/p>\n<p>In the<strong> FIDO2 \/ WebAuthn<\/strong> module you can store ssh public keys or register your smart card as a password-less authentication method at supporting services, as opposed to it being &#8220;just&#8221; a second factor alongside a password. <a href=\"https:\/\/en.wikipedia.org\/wiki\/FIDO2_Project\" target=\"_blank\" rel=\"noreferrer noopener\">FIDO2<\/a> is a combined standard consisting of <a href=\"https:\/\/en.wikipedia.org\/wiki\/WebAuthn\" target=\"_blank\" rel=\"noreferrer noopener\">WebAuthn<\/a> and <a href=\"https:\/\/en.wikipedia.org\/wiki\/Client_to_Authenticator_Protocol\" target=\"_blank\" rel=\"noreferrer noopener\">CTAP2<\/a> (Client to Authenticator Protocol 2).<\/p>\n<p>In general the YubiKey can act as either an alternative or a second factor. 
The difference is that an alternative factor may make the input of another factor like a passphrase obsolete while a second factor is required in addition to, for example, a passphrase or a fingerprint.<\/p>\n<h3>Storage limitations<\/h3>\n<p>For some features, private keys and other secrets are stored on the YubiKey. Each feature has its own storage space and hence maximum number of credential slots:<\/p>\n<ul>\n<li>OTP &#8211; <strong>Unlimited<\/strong>, as only one secret per key is required<\/li>\n<li>FIDO U2F &#8211; <strong>Unlimited<\/strong>, as only one secret per key is required<\/li>\n<li>FIDO2 &#8211; <strong>25<\/strong> credentials \/ identities<\/li>\n<li>OATH &#8211; <strong>32<\/strong> credentials<\/li>\n<li>PIV &#8211; <strong>24<\/strong> X.509 certificates and their respective private keys<\/li>\n<li>OpenPGP &#8211; <strong>3<\/strong> keys; one for encryption, signing and authentication each<\/li>\n<\/ul>\n<h2>Prerequisites<\/h2>\n<p>First, install the management applications to configure the YubiKey. With these you can disable or reconfigure features, set PINs, PUKs, and other management passphrases.<\/p>\n<pre class=\"wp-block-preformatted\">sudo dnf install -y yubikey-manager yubikey-manager-qt<\/pre>\n<p>For <strong>System Authentication<\/strong> install the <em>yubico<\/em> PAM module:<\/p>\n<pre class=\"wp-block-preformatted\">sudo dnf install -y pam_yubico<\/pre>\n<p>The <strong>OpenSSH<\/strong> agent and client support YubiKey without further changes.<\/p>\n<p>For <strong>OATH<\/strong> you need the yubioath-desktop application and\/or a mobile client:<\/p>\n<pre class=\"wp-block-preformatted\">sudo dnf install -y yubioath-desktop<\/pre>\n<h2>Configuration of the YubiKey<\/h2>\n<p>A YubiKey comes pre-configured for Yubico OTP and uses public default PINs for all other modules which you are strongly advised to change. 
Use either the yubikey-manager CLI or yubikey-manager GUI application to configure the YubiKey.<\/p>\n<p>Select the <strong>Applications<\/strong> button in the YubiKey Manager and a drop-down will appear to navigate to the single module configuration pages. Via the <strong>Interfaces<\/strong> button you open a page full of check-boxes where you can activate\/deactivate single features on a per physical connector basis (e.g., USB C or NFC).<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-8.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"741\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux.png\" alt=\"\" class=\"wp-image-37796\" \/><\/a><figcaption>YubiKey Manager desktop application from the <em>yubikey-manager-qt<\/em> package.<\/figcaption><\/figure>\n<\/div>\n<h3>PIV<\/h3>\n<p>Go to the PIV configuration page and configure PIN and PUK. Their default values are <strong>123456<\/strong> and <strong>12345678<\/strong> respectively. 
Then set a new management key protected by your previously set pin.<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-13.png\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"741\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-1.png\" alt=\"\" class=\"wp-image-37795\" \/><\/a><figcaption>The PIV configuration page from the YubiKey Manager GUI<\/figcaption><\/figure>\n<p>Using the CLI tool change the default PIN like so:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman piv access change-pin<\/strong>\nEnter the current PIN: <strong>123456<\/strong>\nEnter the new PIN: <strong>********<\/strong>\nRepeat for confirmation: <strong>********<\/strong>\nNew PIN set.<\/pre>\n<p>Change the default PUK:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman piv access change-puk<\/strong>\nEnter the current PUK: <strong>12345678<\/strong>\nEnter the new PUK: <strong>********<\/strong>\nRepeat for confirmation: <strong>********<\/strong>\nNew PUK set.<\/pre>\n<p>Generate a new random management key, protect it with our previously set PIN, and replace the default key:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman piv access change-management-key --generate --protect<\/strong>\nEnter the current management key [blank to use default key]:\nEnter PIN: <strong>********<\/strong><\/pre>\n<h3>FIDO2<\/h3>\n<p>Go to the FIDO2 page and set a pin.<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-18.png\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"741\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-2.png\" alt=\"\" class=\"wp-image-37794\" \/><\/a><figcaption>The 
FIDO2 configuration page from the Yubikey Manager GUI<\/figcaption><\/figure>\n<p>Set the FIDO2 pin on a terminal like this:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman fido access change-pin<\/strong>\nEnter the current PIN: <strong>123456<\/strong>\nEnter the new PIN: <strong>********<\/strong>\nRepeat for confirmation: <strong>********<\/strong>\nNew PIN set.<\/pre>\n<h3>OTP<\/h3>\n<p>The OTP feature is configured out-of-the-box. There is nothing to do here except to configure Slot 2 if you like. Slot 1 is used for challenge-response by default. Slot 2, however, is empty at first. You can configure it to output a static key of your liking on a long touch of the YubiKey&#8217;s button (approximately 2.5 seconds).<\/p>\n<figure class=\"wp-block-image size-large\"><a href=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-23.png\"><img decoding=\"async\" loading=\"lazy\" width=\"1024\" height=\"741\" src=\"https:\/\/www.sickgaming.net\/blog\/wp-content\/uploads\/2023\/03\/how-to-use-a-yubikey-with-fedora-linux-3.png\" alt=\"\" class=\"wp-image-37793\" \/><\/a><figcaption>The OTP configuration page from the Yubikey Manager GUI<\/figcaption><\/figure>\n<p>If you like, set the second slot from a terminal via <strong>ykman otp static<\/strong> like this:<\/p>\n<pre class=\"wp-block-preformatted\">ykman otp static --keyboard-layout US 2 u25bohg87bmtj247ts725v5f<\/pre>\n<h3>OATH<\/h3>\n<p>Use the OATH module to store TOTP codes. By default, this module does not have a passphrase. But you can assign one. 
Without a passphrase you can query all stored credentials and get TOTP codes without additional authentication.<\/p>\n<p>The GUI does not have the means to change the passphrase, so the CLI is required.<\/p>\n<pre class=\"wp-block-preformatted\">ykman oath access change<\/pre>\n<p>You can configure your device to remember the YubiKey so you only have to enter the passphrase once.<\/p>\n<pre class=\"wp-block-preformatted\">ykman oath access remember<\/pre>\n<p>In the same way, let your device forget the remembered YubiKey OATH passphrase.<\/p>\n<pre class=\"wp-block-preformatted\">ykman oath access forget<\/pre>\n<h2>Local (PAM) authentication via OTP<\/h2>\n<p>Add the YubiKey to local system authentication through <a href=\"https:\/\/www.redhat.com\/sysadmin\/pluggable-authentication-modules-pam\" target=\"_blank\" rel=\"noreferrer noopener\">PAM<\/a> (Pluggable Authentication Modules). You can do this either using the default online method or using an alternative offline method. The online method uses the Yubico servers to validate the OTP tokens and thus requires an online connection, while the offline method uses challenge-response.<\/p>\n<h3>Create base configuration files<\/h3>\n<p>Create two base configuration files using the <em>pam_yubico<\/em> module: one that instructs PAM to consider the YubiKey an <strong>alternative<\/strong> factor and one that makes PAM require the key as an <strong>additional<\/strong> factor.<\/p>\n<p>For the <strong>online<\/strong> YubiCloud method use the following two files:<\/p>\n<pre class=\"wp-block-preformatted\">\/etc\/pam.d\/yubikey-required\n#%PAM-1.0\nauth required pam_yubico.so id=[Your API Client ID] key=[Your API Client Key]\n\n\/etc\/pam.d\/yubikey-sufficient\n#%PAM-1.0\nauth sufficient pam_yubico.so id=[Your API Client ID] key=[Your API Client Key]<\/pre>\n<p>You need to register your YubiKey at YubiCloud and <a href=\"https:\/\/upgrade.yubico.com\/getapikey\" target=\"_blank\" rel=\"noreferrer noopener\">obtain an API key<\/a>. 
The module will work without an API key, but then the client will not verify the server&#8217;s TLS certificate and will be susceptible to MitM (Man in the Middle) attacks.<\/p>\n<p class=\"has-pale-pink-background-color has-background\"><strong>Note<\/strong>: This authentication method will not work if your device is offline or it cannot connect to the YubiCloud.<\/p>\n<p>For <strong>offline<\/strong> challenge-response use the following two files:<\/p>\n<pre class=\"wp-block-preformatted\">\/etc\/pam.d\/yubikey-required\n#%PAM-1.0\nauth required pam_yubico.so mode=challenge-response\n\n\/etc\/pam.d\/yubikey-sufficient\n#%PAM-1.0\nauth sufficient pam_yubico.so mode=challenge-response<\/pre>\n<h3>Register your YubiKey with your local account<\/h3>\n<p>After the base configuration files are set up nothing has really changed &#8212; yet. It is advised that you now register your YubiKey(s) with the respective user accounts on your machines before changing the active PAM configuration of your systems.<\/p>\n<p><strong>If you use the online YubiCloud method<\/strong> you need the ID of your YubiKey. To find this, insert the key, retrieve an OTP code with a short press on the button, and extract the first 12 characters &#8211; this is your key ID:<\/p>\n<pre class=\"wp-block-preformatted\">cccccbcgebif | bclbtjihhbfbduejkuhgvhkehnicrfdj<\/pre>\n<p>Next create a configuration file in <em>~\/.yubico\/authorized_yubikeys<\/em> and add all authorized key IDs after your username, separated by colons:<\/p>\n<pre class=\"wp-block-preformatted\">fedora-user:cccccbcgebif[:&lt;another-key-id&gt;]<\/pre>\n<p><strong>If you go for the offline challenge-response method<\/strong>, you need at least one slot configured for challenge-response. Let&#8217;s assume Slot 1 is used in its default configuration with YubiCloud OTP for other things. 
So configure the 2nd slot for challenge-response:<\/p>\n<pre class=\"wp-block-preformatted\">ykman otp chalresp --generate --touch 2<\/pre>\n<p>Now register a connected YubiKey with your user account via challenge-response:<\/p>\n<pre class=\"wp-block-preformatted\">ykpamcfg -2<\/pre>\n<p>This creates a file in <em>~\/.yubico\/challenge-&lt;key-serial&gt;<\/em> that contains a challenge-response configuration for the key.<\/p>\n<h3>Choose PAM configuration<\/h3>\n<p>Now choose which PAM service files should consider the YubiKey and <em>include<\/em> the respective base configuration file in each of them, either <strong>before<\/strong> or <strong>after<\/strong> the <em>system-auth<\/em> include depending on whether <strong>sufficient<\/strong> or <strong>required<\/strong> is what you want:<\/p>\n<ul>\n<li><em>\/etc\/pam.d\/login<\/em> &#8211; For console logins<\/li>\n<li><em>\/etc\/pam.d\/sudo<\/em> &#8211; For sudo authentication<\/li>\n<li><em>\/etc\/pam.d\/gdm-password<\/em> &#8211; For GNOME authentication<\/li>\n<li><em>\/etc\/pam.d\/ssh<\/em> &#8211; SSH authentication against a local OpenSSH <em>Server<\/em><\/li>\n<\/ul>\n<p>For YubiKey as <strong>additional \/ required<\/strong> factor:<\/p>\n<pre class=\"wp-block-preformatted\">auth include system-auth\n...\nauth include yubikey-required<\/pre>\n<p>For YubiKey as <strong>alternative \/ sufficient<\/strong> factor:<\/p>\n<pre class=\"wp-block-preformatted\">auth include yubikey-sufficient\n...\nauth include system-auth<\/pre>\n<p class=\"has-pale-pink-background-color has-background\"><strong>Note<\/strong>: If you add the YubiKey as a factor in sudo authentication, make certain to have a root shell open and test it thoroughly in another shell. Otherwise you could lose the ability to use sudo.<\/p>\n<h3>Lock the system on YubiKey removal<\/h3>\n<p>Wouldn&#8217;t it be cool to lock your Gnome session when removing the YubiKey? 
If that behavior fits your style, just add a script which does just that and let <em>udev<\/em> trigger it.<\/p>\n<p>Create a <em>udev<\/em> rule to catch the device detach event with a shell script. The model ID in this example might differ, so please check your <em>lsusb<\/em> output to confirm it. Save the following <em>udev<\/em> rule into <em>\/etc\/udev\/rules.d\/20-yubikey.rules<\/em>:<\/p>\n<pre class=\"wp-block-preformatted\">ACTION==\"remove\", ENV{ID_BUS}==\"usb\", ENV{ID_MODEL_ID}==\"<strong><span class=\"has-inline-color has-vivid-red-color\">0407<\/span><\/strong>\", ENV{ID_VENDOR_ID}==\"<strong><span class=\"has-inline-color has-vivid-red-color\">1050<\/span><\/strong>\", RUN+=\"\/usr\/local\/bin\/lockscreen.sh\"<\/pre>\n<p>Add the following script to the <em>\/usr\/local\/bin\/lockscreen.sh<\/em> file:<\/p>\n<pre class=\"wp-block-preformatted\">#!\/bin\/sh\n# Author: https:\/\/gist.github.com\/jhass\/070207e9d22b314d9992\n# Runs as root from udev: walk every logged-in user's session bus and,\n# if a GNOME screensaver is listening on it, ask it to lock the session.\nfor bus in \/run\/user\/*\/bus; do\n    uid=$(basename $(dirname $bus))\n    # Only regular users (uid >= 1000), not system accounts\n    if [ $uid -ge 1000 ]; then\n        user=$(id -un $uid)\n        export DBUS_SESSION_BUS_ADDRESS=unix:path=$bus\n        if su -c 'dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply \/org\/freedesktop\/DBus org.freedesktop.DBus.ListNames' $user | grep org.gnome.ScreenSaver; then\n            su -c 'dbus-send --session --type=method_call --dest=org.gnome.ScreenSaver \/org\/gnome\/ScreenSaver org.gnome.ScreenSaver.Lock' $user\n        fi\n    fi\ndone<\/pre>\n<p>Add execution permission to this script and reload <em>udev<\/em>:<\/p>\n<pre class=\"wp-block-preformatted\">$ sudo chmod +x \/usr\/local\/bin\/lockscreen.sh\n$ sudo udevadm control -R<\/pre>\n<h2>OpenSSH with PIV and FIDO2<\/h2>\n<p>Your YubiKey can store OpenSSH private keys in the PIV module, generate public keys from them, and require PIN and touch of the YubiKey button upon use.<\/p>\n<p>Generate a private key (e.g. 
ED25519) with touch and PIN requirement in the <strong>9a<\/strong> <a href=\"https:\/\/docs.yubico.com\/yesdk\/users-manual\/application-piv\/slots.html\" target=\"_blank\" rel=\"noreferrer noopener\">slot<\/a>:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman piv keys generate --algorithm ED25519 --pin-policy ONCE --touch-policy ALWAYS 9a public.pem<\/strong>\nEnter PIN: <strong>********<\/strong><\/pre>\n<p>Slot 9a is for &#8220;PIV Authentication&#8221;.<\/p>\n<p>Create a self-signed certificate for that key. The only use for the X.509 certificate is to satisfy the PIV\/PKCS #11 library, which needs it to extract the public key from the smart card. The public key file is the one written by the previous command:<\/p>\n<pre class=\"wp-block-preformatted\">$ <strong>ykman piv certificates generate --subject \"CN=OpenSSH\" --hash-algorithm SHA384 9a public.pem<\/strong>\nEnter PIN: <strong>********<\/strong>\nTouch your YubiKey\u2026<\/pre>\n<p>Use OpenSSH <strong>ssh-keygen<\/strong> to generate a public key you can later use in <strong>authorized_keys<\/strong> files on remote systems. The following generates such a key directly on the YubiKey in a FIDO2 slot, making it portable.<\/p>\n<pre class=\"wp-block-preformatted\">ssh-keygen -t ed25519-sk -O resident -O application=ssh:fedora -O verify-required<\/pre>\n<p>The <strong>resident<\/strong> option instructs ssh-keygen to store the key handle on the YubiKey, making it easier to use the key across multiple systems as <strong>ssh-add<\/strong> can load and use the ssh keys from the YubiKey directly. The <strong>application<\/strong> option assigns a designated name to this specific key pair and is useful if working with different ssh identities. The <strong>verify-required<\/strong> option is mandatory for <strong>resident<\/strong> keys and adds a requirement to enter a PIN on key usage.<\/p>\n<p>If you only want a touch requirement on the key, omit the <strong>verify-required<\/strong> option. 
If you don&#8217;t want to use <strong>FIDO2<\/strong> slots, omit the <strong>resident<\/strong> and <strong>application<\/strong> options and make sure to back up the generated public keys.<\/p>\n<h3>Caching OpenSSH connections<\/h3>\n<p>In the OpenSSH default configuration, every time you connect to a machine via <em>ssh<\/em> you&#8217;ll be prompted to touch your key. To let your OpenSSH client cache connections even after you close the session, so that you no longer need to touch the key again, add the following options to your <em>~\/.ssh\/config<\/em>:<\/p>\n<pre class=\"wp-block-preformatted\">Host *\n    ControlMaster auto\n    ControlPath ~\/.ssh\/S.%r@%h:%p\n    ControlPersist 5m<\/pre>\n<h3>Introspection<\/h3>\n<p>Get information on the <strong>PIV<\/strong> module, including slot <strong>9a<\/strong>:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman piv info<\/strong>\nPIV version: 5.4.3\nPIN tries remaining: 3\/3\nManagement key algorithm: TDES\nCHUID:\tREDACTED\nCCC: No data available.\nSlot 9a:\n\tAlgorithm:\tRSA2048\n\tSubject DN:\tCN=SSH key\n\tIssuer DN:\tCN=SSH key\n\tSerial:\tREDACTED\n\tFingerprint:\tREDACTED\n\tNot before:\t2022-01-01 20:00:00\n\tNot after:\t2023-01-01 20:00:00<\/pre>\n<p>List stored <strong>FIDO2<\/strong> credentials with:<\/p>\n<pre class=\"wp-block-preformatted\"><strong>$ ykman fido credentials list<\/strong>\nssh:fedora 0000000000000000000000000000000000000000000000000000000000000000 openssh<\/pre>\n<h2>Authenticating on the web<\/h2>\n<p><strong>YubiKey Authenticator<\/strong> is a TOTP application for Desktop and Android and is similar to <strong>Google Authenticator<\/strong> and <strong>AndOTP<\/strong>. However, it uses the YubiKey as the storage device. Either scan a QR code or enter the secret directly, choose a name and that&#8217;s it. Just keep in mind that the storage on a YubiKey is limited to 32 TOTP credentials.<\/p>\n<p>Since the TOTP credentials are stored on the YubiKey they are portable and you may access them e.g. 
via USB C on desktop or via NFC on the Android application.<\/p>\n<p>Use the <em>yubikey-manager<\/em> to add a TOTP credential:<\/p>\n<pre class=\"wp-block-preformatted\">ykman oath accounts add fedora &lt;TOTP secret&gt;<\/pre>\n<p>Then retrieve a TOTP code with:<\/p>\n<pre class=\"wp-block-preformatted\">ykman oath accounts code fedora<\/pre>\n<h3>WebAuthn and U2F as alternative<\/h3>\n<p>WebAuthn and U2F are modern alternatives to TOTP that only require the presence of your key and a button press, requested through your browser of choice. If the key was previously registered at the web service in question, you can use it as a far more convenient factor than TOTP codes.<\/p>\n<p>This feature is supported at least in <strong>Firefox<\/strong> but not in <strong>Gnome Web<\/strong>.<\/p>\n<p>The difference between FIDO U2F and FIDO2 WebAuthn is that the latter stores an identity in the key&#8217;s storage, and thus the application or service can obtain the user identity and authentication from the key without the need for an identity server.<\/p>\n<h2>Other use cases<\/h2>\n<p>There are more use cases not covered in this article which might be worth revisiting at some point. These include but are not limited to:<\/p>\n<ul>\n<li>OpenPGP to encrypt, sign or authenticate<\/li>\n<li>X.509 certificate management for <strong>P<\/strong>ublic <strong>K<\/strong>ey <strong>I<\/strong>nfrastructure<\/li>\n<li>LUKS disk decryption<\/li>\n<\/ul>\n<p>What other use-cases do you have in mind? Let us know in the comments.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article explains how to configure Yubico&#8217;s YubiKey, a hardware security token, and Fedora Linux Workstation for typical use-cases such as logging into GDM, authentication for the sudo command, OpenSSH authentication and key management, or as a second-factor on the web. 
Motivation In times of sophisticated malware and always-and-everything-on(line), software based storage of credentials becomes [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":132192,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48],"tags":[606,45,46,47,372],"class_list":["post-132191","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-fedora-os","tag-faqs-and-guides","tag-fedora","tag-magazine","tag-news","tag-yubikey"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=132191"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132191\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media\/132192"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=132191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=132191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=132191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}