mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-28 14:56:35 +00:00
pages/yubikey: fix key registration instructions
The instructions to register a key with the local account were implicitly requiring challenge-response. Add the YubiCloud method based instructions and also add an explicit command to configure challenge-response in slot 2 of a key.
This commit is contained in:
parent
eae11f0488
commit
6619d128b8
1 changed files with 26 additions and 9 deletions
|
@ -49,15 +49,7 @@ Install the PAM yubico module from the official repositories:
|
|||
[source, bash]
|
||||
[…]$ sudo dnf install pam_yubico
|
||||
|
||||
Register a currently connected YubiKey with your user account with
|
||||
|
||||
[source, bash]
|
||||
[…]$ ykpamcfg -2 -v
|
||||
|
||||
Or for any other system user using sudo with
|
||||
|
||||
[source, bash]
|
||||
[…]$ sudo -u someuser ykpamcfg -2 -v
|
||||
=== Base configuration files
|
||||
|
||||
Create two base configuration files in /etc/pam.d. yubikey-required and yubikey-sufficient.
|
||||
|
||||
|
@ -99,6 +91,31 @@ auth sufficient pam_yubico.so mode=challenge-response
|
|||
You may add the debug option at the end of these lines right after the mode option to get troubleshooting information in journald.
|
||||
====
|
||||
|
||||
=== Register YubiKey(s) with your local account(s)
|
||||
|
||||
If you use the online YubiCloud method you need the ID of your YubiKey. For this just enter the key and retrieve an OTP code with a short press on the button and extract the first 12 characters - this is your key ID.
|
||||
|
||||
[source]
|
||||
cccccbcgebif | bclbtjihhbfbduejkuhgvhkehnicrfdj
|
||||
|
||||
Create a configuration file ~/.yubico/authorized_keys with your user account followed by key IDs separated by semicolons.
|
||||
|
||||
[source]
|
||||
fedora-user:cccccbcgebif[:<another-key-id>]
|
||||
|
||||
Alternatively, activate challenge-response in slot 2 and register with your user account.
|
||||
|
||||
[source, bash]
|
||||
[…]$ ykman otp chalresp --generate --touch 2
|
||||
[…]$ ykpamcfg -2
|
||||
|
||||
Or for any other system user using sudo.
|
||||
|
||||
[source, bash]
|
||||
[…]$ sudo -u someuser ykpamcfg -2
|
||||
|
||||
=== Configure desired PAM modules
|
||||
|
||||
Next configure PAM to accept a YubiKey as a means of authentication. There are many options in /etc/pam.d to modify and add a YubiKey, but the most common use-cases are:
|
||||
|
||||
- /etc/pam.d/login
|
||||
|
|
Loading…
Reference in a new issue