From 6619d128b8197314fdface438cb449913789f7a8 Mon Sep 17 00:00:00 2001 From: w4tsn Date: Mon, 20 Feb 2023 20:31:33 +0100 Subject: [PATCH] pages/yubikey: fix key registration instructions The instructions to register a key with the local account were implicitly requiring challenge-response. Add the YubiCloud method based instructions and also add an explicit command to configure challenge-response in slot 2 of a key. --- modules/ROOT/pages/using-yubikeys.adoc | 35 +++++++++++++++++++------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/modules/ROOT/pages/using-yubikeys.adoc b/modules/ROOT/pages/using-yubikeys.adoc index 15ecc23..c4298da 100644 --- a/modules/ROOT/pages/using-yubikeys.adoc +++ b/modules/ROOT/pages/using-yubikeys.adoc @@ -49,15 +49,7 @@ Install the PAM yubico module from the official repositories: [source, bash] […]$ sudo dnf install pam_yubico -Register a currently connected YubiKey with your user account with - -[source, bash] -[…]$ ykpamcfg -2 -v - -Or for any other system user using sudo with - -[source, bash] -[…]$ sudo -u someuser ykpamcfg -2 -v +=== Base configuration files Create two base configuration files in /etc/pam.d. yubikey-required and yubikey-sufficient. 
@@ -99,6 +91,31 @@ auth sufficient pam_yubico.so mode=challenge-response You may add the debug option at the end of these lines right after the mode option to get troubleshooting information in journald. ==== +=== Register YubiKey(s) with your local account(s) + +If you use the online YubiCloud method you need the ID of your YubiKey. For this just enter the key and retrieve an OTP code with a short press on the button and extract the first 12 characters - this is your key ID. + +[source] +cccccbcgebif | bclbtjihhbfbduejkuhgvhkehnicrfdj + +Create a configuration file ~/.yubico/authorized_keys with your user account followed by key IDs separated by semicolons. + +[source] +fedora-user:cccccbcgebif[:] + +Alternatively, activate challenge-response in slot 2 and register with your user account. + +[source, bash] +[…]$ ykman otp chalresp --generate --touch 2 +[…]$ ykpamcfg -2 + +Or for any other system user using sudo. + +[source, bash] +[…]$ sudo -u someuser ykpamcfg -2 + +=== Configure desired PAM modules + Next configure PAM to accept a YubiKey as a means of authentication. There are many options in /etc/pam.d to modify and add a YubiKey, but the most common use-cases are: - /etc/pam.d/login
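Review bot: the second hunk's mapping-file instructions contradict both their own example and the surrounding configuration, so a reader following them as written will not get a working YubiCloud login. The prose says key IDs are "separated by semicolons", but the example `fedora-user:cccccbcgebif[:]` uses colons, and the trailing `[:]` reads as literal syntax rather than as "repeat for further keys"; spell out the separator as a colon and show the multi-key form with an obvious placeholder, e.g. `fedora-user:cccccbcgebif:<second-key-id>`. The file name `~/.yubico/authorized_keys` also looks like a mix-up with OpenSSH's file: pam_yubico's default per-user mapping file is `~/.yubico/authorized_yubikeys`, so please verify against the pam_yubico documentation and correct the path. Finally, the hunk's own context line shows the base configuration using `auth sufficient pam_yubico.so mode=challenge-response`, which never consults the mapping file; the YubiCloud path needs pam_yubico in client mode with API credentials, so either state that the mode (and the `id=`/`key=` options) must change for the YubiCloud variant, or make clear that the mapping file only applies to that variant and the challenge-response commands (`ykman otp chalresp --generate --touch 2` followed by `ykpamcfg -2`) are what matches the configuration files added earlier on the page.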