Setting up the YubiKey on Ubuntu

I’ve recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I’ll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.


Using the YubiKey to protect local authentication

Make sure the system is up to date

sudo apt update && sudo apt dist-upgrade

Install the required PAM package

sudo apt install libpam-u2f

Create a directory to store the configuration

mkdir -p ~/.config/Yubico

Associate the YubiKey

pamu2fcfg > ~/.config/Yubico/u2f_keys

Enable the YubiKey for sudo

Open the sudo config file for PAM in an editor:

sudo nano /etc/pam.d/sudo

Underneath the line:

@include common-auth

Add:

auth   required    pam_u2f.so

Test sudo

In a new terminal, test any command with sudo (make sure the YubiKey is inserted). For example:

sudo apt update

Set up the YubiKey for GDM (the desktop login screen)

Open the gdm-password file in an editor:

sudo nano /etc/pam.d/gdm-password

Underneath the line:

@include common-auth

Add:

auth    required    pam_u2f.so

Set up the YubiKey to be required for TTY login

Open the PAM login file in an editor:

sudo nano /etc/pam.d/login

Underneath the line:

@include common-auth

Add:

auth  required    pam_u2f.so

Using the YubiKey to protect remote authentication

Add the required repository

sudo add-apt-repository ppa:yubico/stable

Install the required package

sudo apt install libpam-yubico

Set up the authorized_yubikeys file

sudo nano /etc/ssh/authorized_yubikeys

Add a line for each user, similar to:

jay:<first 12 characters 

Get an API key

An API key is required to continue. Visit the following URL to get yours: https://upgrade.yubico.com/getapikey

Edit the sshd file for PAM

sudo vim /etc/pam.d/sshd

Add a line such as the following (This must be the first line in the file):

auth required pam_yubico.so id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys

Replace the <CLIENT ID> and <SECRET> with the details you receive from the API key URL.

Configure OpenSSH

Open the sshd_config file in an editor:

sudo nano /etc/ssh/sshd_config

Look for the ChallengeResponseAuthentication line, uncomment it if necessary, and set it to yes:

ChallengeResponseAuthentication yes

Make sure the UsePAM option is set to yes:

UsePAM yes

Restart OpenSSH:

sudo systemctl restart ssh
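
Checking that the edits landed where the steps above put them

The following script is an added example, not part of the original post: it checks the placement of the pam_u2f.so and pam_yubico.so lines and the two sshd_config options described above. The function names are hypothetical, and the demo runs on constructed files rather than real system configuration.

```shell
#!/bin/sh
# Added example: read-only checks for the PAM and sshd edits on this page.
# Function names are hypothetical, not part of any Yubico or OpenSSH tool.

# True if an active "auth required pam_u2f.so" line follows
# "@include common-auth" in PAM file $1 (e.g. /etc/pam.d/sudo).
check_pam_u2f() {
    awk '/^[ \t]*#/ { next }
         $1 == "@include" && $2 == "common-auth" { seen = 1; next }
         seen && $1 == "auth" && $2 == "required" && $3 == "pam_u2f.so" { ok = 1 }
         END { exit !ok }' "$1"
}

# True if the first active line of PAM file $1 is the pam_yubico line with
# id=, key= and authfile= filled in (no leftover <PLACEHOLDER> text).
check_pam_yubico_first() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         { for (i = 4; i <= NF; i++) {
               if ($i ~ /^id=./) id = 1
               if ($i ~ /^key=./) key = 1
               if ($i ~ /^authfile=./) af = 1
           }
           ok = ($1 == "auth" && $2 == "required" && $3 == "pam_yubico.so" &&
                 id && key && af && $0 !~ /[<>]/)
           exit }
         END { exit !ok }' "$1"
}

# True if the first active occurrence of keyword $2 (case-insensitive) in
# sshd_config-style file $1 is "yes". Assumption: Match blocks and Include
# files are not followed; sshd keeps the first value it reads for a keyword.
sshd_option_is_yes() {
    awk -v want="$2" '/^[ \t]*#/ { next }
         tolower($1) == tolower(want) { ok = (tolower($2) == "yes"); exit }
         END { exit !ok }' "$1"
}

# Demo on constructed files (not real system configuration).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '@include common-auth' 'auth   required    pam_u2f.so' > "$d/sudo"
    printf '%s\n' '# PAM for sshd' 'auth required pam_yubico.so id=<CLIENT ID> key=<SECRET> authfile=/etc/ssh/authorized_yubikeys' > "$d/sshd"
    printf '%s\n' '#ChallengeResponseAuthentication no' 'ChallengeResponseAuthentication yes' 'UsePam yes' > "$d/sshd_config"
    check_pam_u2f "$d/sudo" && echo "sudo: pam_u2f.so follows common-auth"
    check_pam_yubico_first "$d/sshd" || echo "sshd: pam_yubico line missing, not first, or placeholders left"
    sshd_option_is_yes "$d/sshd_config" ChallengeResponseAuthentication && sshd_option_is_yes "$d/sshd_config" UsePAM && echo "sshd_config: both options are yes"
    rm -rf "$d"
}
demo
```

To check a real system, pass the files edited above (/etc/pam.d/sudo, /etc/pam.d/gdm-password, /etc/pam.d/login, /etc/pam.d/sshd and /etc/ssh/sshd_config) to the matching function; the functions only read them.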