a configuration cheatsheet · Hello, I am kmille

2023-03-10 02:04:36

This post shows different use cases for a Yubikey. There are also command line examples in a cheatsheet-like way. I’m using a Yubikey 5C on Arch Linux. If you run into issues, try to use a newer version of ykman (part of the yubikey-manager package on Arch).

kmille@linbox:~ ykman --version
YubiKey Manager (ykman) version: 4.0.9

Some features depend on the firmware version of the Yubikey. The tooling (like the wording) around the Yubikey can be a bit confusing. I use this guide as a reference if I have to reconfigure something after a long time. It helped me in the past, so I made a clean rewrite. I hope it helps you too. Please get in touch with me if something is wrong/missing (Hacker News discussion).

To check if your Yubikey was detected successfully and find out which modes are enabled, use:

kmille@linbox:~ ykman list
YubiKey 5 NFC (5.1.2) [OTP+FIDO+CCID] Serial: 1312

kmille@linbox:yubikey ykman info
Device type: YubiKey 5 NFC
Serial number: 1312
Firmware version: 5.1.2
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled.

Applications    USB             NFC
FIDO2           Enabled         Enabled
OTP             Enabled         Enabled
FIDO U2F        Enabled         Enabled
OATH            Enabled         Enabled
YubiHSM Auth    Not available   Not available
OpenPGP         Enabled         Enabled
PIV             Enabled         Enabled

ykman config nfc --disable PIV
ykman config usb --enable-all

Commonly, TOTP (time based one time password) is used for 2FA (two-factor authentication). It gives you a 6 (sometimes 8) digit token you have to enter during login. The secret key is formatted in base32 (e. g. H7TTOPOIDLOXGT4E). You can add 32 of these secrets to a Yubikey device. If you prefer a GUI tool, you can use Yubico Authenticator (part of the yubioath-desktop package). Yubico Authenticator doesn’t store the secret, it asks the Yubikey device for the token. There’s also the Yubico Authenticator with NFC support for Android.

Command line tooling with ykman:

kmille@linbox:~ ykman oath accounts add test --touch
Enter a secret key (base32): H7TTOPOIDLOXGT4E
kmille@linbox:~ ykman oath accounts list

kmille@linbox:~ ykman oath accounts code
Touch your YubiKey...
test  629211

kmille@linbox:~ ykman oath accounts code -s Hetzner
Touch your YubiKey...

kmille@linbox:~ ykman oath accounts delete test
Delete account: test ? [y/N]: y
Deleted test.

kmille@linbox:~ ykman oath accounts list

It’s important to back up the secret. If your Yubikey is lost, you can still log in by adding the secret to other tools like the Google Authenticator or by using a few lines of Python code. KeepassXC also has a neat feature for TOTP. But please don’t save it in the same Keepass database you use daily.

import time
import pyotp

# same base32 secret as in the ykman example above
otp = pyotp.totp.TOTP("H7TTOPOIDLOXGT4E")
while 1:
    print(otp.now())
    time.sleep(2)

This prints the 6-digit token every two seconds (needs pip install --user pyotp).

Sometimes U2F is also called FIDO2 or WebAuthn. Like TOTP tokens, U2F can be used during web logins for two-factor authentication. The TOTP variant is prone to phishing attacks, as users enter their tokens on phishing sites as well. U2F solves this problem by using a challenge-response mechanism that includes the SSL Channel ID and the browser URL of the login page (docs). If you use U2F, the browser speaks directly to the Yubikey device, no special drivers or tools are needed. All major browsers support U2F. On Arch Linux, you have to install the libfido2 package. If you use the Firejail sandbox, you may need to set browser-disable-u2f no in /etc/firejail/firejail.config.

U2F is very easy to use. During setup, you pair an online account with a Yubikey device. During login, you only have to touch the Yubikey. Watch this demo on Youtube to get a feeling for it. You can test U2F on the Yubico demo website. It’s also very nice to use it on Android with NFC.

Backup strategy: You can’t make a backup, as you don’t have a secret you could back up. So you have to add multiple U2F devices to your account or add TOTP as an additional 2FA method. A backup can also be your IT department, if they can give you access again. Google deployed U2F to their 50,000 employees.
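The origin binding that makes the challenge-response phishing resistant, as an added example that is not part of the original post: a simulated token, browser and relying party go through one WebAuthn-style assertion. RP_ID, the origins and the look-alike domain are constructed for the example; the token’s ECDSA signature is replaced by an HMAC with a per-credential key so the block runs with the standard library, which also means the relying party here holds that key instead of the public key it would have stored at registration. The structure of what gets signed and checked is the real one.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying party for the example (not a real deployment).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


class SimulatedAuthenticator:
    """Stand-in for the YubiKey. A real token signs with a per-credential
    P-256 private key; HMAC with a per-credential secret is used here only so
    the example runs offline with the standard library."""

    def __init__(self) -> None:
        self.credential_key = secrets.token_bytes(32)

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        # authenticatorData = sha256(rpId) || flags (0x01 = user present, i.e. the touch)
        authenticator_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        # The signature covers authenticatorData || sha256(clientDataJSON), so the
        # origin the browser wrote into clientDataJSON is bound into the signature.
        to_sign = authenticator_data + hashlib.sha256(client_data_json).digest()
        return {
            "authenticatorData": authenticator_data,
            "clientDataJSON": client_data_json,
            "signature": hmac.new(self.credential_key, to_sign, hashlib.sha256).digest(),
        }


def browser_get(authenticator, page_origin: str, rp_id: str, challenge: str) -> dict:
    """Model of navigator.credentials.get(): the browser, not the page script,
    records the origin it is actually on, and only accepts an rpId that is the
    page's own host or a parent domain of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return authenticator.get_assertion(rp_id, json.dumps(client_data).encode())


def rp_verify(credential_key: bytes, expected_challenge: str, assertion: dict) -> tuple:
    """Relying-party checks in the order WebAuthn prescribes; returns (ok, reason)."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay or stale)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(credential_key, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login() -> tuple:
    token = SimulatedAuthenticator()
    challenge = secrets.token_urlsafe(32)  # issued by the RP for this login only
    assertion = browser_get(token, RP_ORIGIN, RP_ID, challenge)
    return rp_verify(token.credential_key, challenge, assertion)


def phished_login() -> tuple:
    """The victim is on a look-alike origin that relays the real RP's challenge.
    The browser refuses rpId 'example.com' there, so the page can only use its
    own host, and the origin it records is not the RP's; the RP rejects it."""
    token = SimulatedAuthenticator()
    challenge = secrets.token_urlsafe(32)
    phishing_origin = "https://examp1e.com"  # constructed look-alike domain
    assertion = browser_get(token, phishing_origin, "examp1e.com", challenge)
    return rp_verify(token.credential_key, challenge, assertion)
```

Contrast this with TOTP, where the server receives only six digits and has no way to tell on which page the user typed them. Here the relying party sees the origin, the rpIdHash and the challenge inside signed data, so a token touched on the wrong site produces an assertion that simply does not verify.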

SSH with FIDO2 (U2F)