Using your YubiKey
Notes on installing and setting up your YubiKey for various platforms and applications.
Introduction
The YubiKey is a hardware device manufactured by Yubico that provides a hardware "second factor", enabling true multi-factor authentication: something you know (your password) and something you have (your YubiKey). It lets you log in to accounts either by emitting one-time passwords (Yubico OTP, or TOTP codes stored on the key) or, as a FIDO U2F/FIDO2 security key, by signing a challenge with a public/private key pair generated on the device. Only the FIDO modes are phishing resistant: the signature is bound to the site's origin, so a look-alike site gets nothing it can reuse, whereas a one-time password typed into a phishing page can be relayed to the real site before you use it.
Operation
- Simply plug it into an unused USB port.
- During certain types of authentication you will be prompted on screen to press the inset copper button marked with an (often lit) "Y".
Security Hints
- If you trust your environment (like at home) you can keep the YubiKey near or even plugged into your computer.
- In low trust environments (coffee shops, hotel rooms, etc.) keep your YubiKey with you at all times (in a pocket or purse), especially if you step away from your computer, even briefly. If your computer is stolen or someone sits down at it while you are away, your accounts cannot be unlocked without the YubiKey that you have on you. (It does not protect a session you left unlocked, or an account that malware already running on the machine has hijacked, so lock the screen as well.)
- Do not use SMS text messages for multi-factor authentication; SMS codes can be intercepted or redirected to an attacker's phone with a SIM swap. Your MFA is only as strong as the weakest method you have configured, so remove SMS as a fallback rather than leaving it configured beside the YubiKey.
Enable YubiKey MFA for applications
See "Let's get your YubiKey to work" (from Yubico) on how to use MFA with: Gmail, LastPass, GitHub and many other services.
See also: How to Secure Your Google, Dropbox, and GitHub Accounts With a Yubikey
LastPass
This requires a Yubico OTP from the YubiKey (touch the button for about one second) on a laptop/desktop to unlock LastPass.
- My Vault -> Account Settings -> Multifactor Options
- Set up one free option (e.g., Google Authenticator or LastPass Authenticator) - this is a useful backup
- YubiKey (an easier option) is available when using LastPass Premium ($12/year)
- Select the YubiKey option.
- Insert the YubiKey device into a USB port on your computer.
- Focus your cursor on the "YubiKey #1" field.
- Press the button on the YubiKey device.
- A long string of dots should appear in the YubiKey #1 field.
- Change the "YubiKey Authentication" status to "Enabled"
- Set "Enabled" ==> "Yes"
- Set "Permit Offline Access" ==> "Disallow"
- Press the Update button
- Enter your LastPass master password and press Confirm.
- YubiKey is now enabled for your LastPass account.
- If your phone supports NFC, you can tap an NFC-capable YubiKey against your phone to unlock LastPass on mobile.
Google
For each Google account you have:
- Visit https://accounts.google.com/b/0/SmsAuthSettings#devices
- Enable TFA, and complete the phone verification process (phone will act as backup TFA).
- Click on "Security Keys" and follow instructions to add YubiKey.
- Return to the main page and add a second phone and/or print backup codes.
- As long as you have a backup, you can also install the Yubico Authenticator app, and configure your account to use that for the backup TFA instead of SMS/phone. It works like the Google Authenticator app, except that the TOTP credentials are stored on your YubiKey instead of on the phone, so the phone alone cannot generate codes.
- If you have devices/apps that don't support TFA, you can set an application specific password using that tab. This includes sending E-mail from your personal Gmail account using your civicactions.com IMAP, for instance. An app password bypasses MFA entirely, so create one per app and revoke it as soon as the app no longer needs it.
GitHub
- Visit https://github.com/settings/two_factor_authentication/configure
- Enable TFA, and complete the phone verification process (phone will act as backup TFA).
- Then you can "Register new device" in the "Security keys" section
AWS Root Account
For each AWS account you have:
- Visit https://console.aws.amazon.com/iam/home?region=us-east-1#security_credential
- Under MFA, add a Virtual MFA device.
- Use the Yubico Authenticator app to scan the QR code (the TOTP secret is then stored on the YubiKey). AWS asks for two consecutive codes to confirm the device is in sync: enter the code shown, wait for it to change (about 30 seconds), then enter the next one.
AWS IAM Account
Up to 8 MFA devices can be assigned to one IAM user, mixing YubiKeys (registered as FIDO security keys), hardware TOTP tokens and authenticator apps.
- Visit https://console.aws.amazon.com/iam/home?region=us-east-1#users
- Choose your user name
- Select the "Security Credentials" tab
- Under Multi-factor Authentication(MFA), select "Assign MFA device"
- Enter a Device Name and select "Security Key"
- Allow your browser access to your YubiKey, if prompted
- Enter your YubiKey's PIN, if prompted
- Touch your YubiKey when instructed
Linux
Locking your Machine with YubiKey
This makes PAM require the YubiKey to be plugged in, in addition to your password, wherever PAM authenticates you (login, sudo or screen unlock). Test this carefully in an alternate console session, keeping a root shell open until a fresh login and sudo both work, to ensure you don't lock yourself out! (If you do get locked out, you'll have to boot with a live CD and undo the changes in /etc/pam.d/. As this requires a reboot, your encrypted disk will require its passphrase again, which is the key to security here.)
This is required of CivicActions "privileged users" such as System Administrators, and it is our intention that it be standard practice for all CivicActions employees and contractors.
Installing the Yubico libpam module
In order to connect your YubiKey to the screen locking software on your computer, you need to install the Yubico PAM module for your distribution:
Arch yubico-pam setup
pacaur -S yubico-pam
Fedora Yubico libpam module
The Fedora package is named pam_yubico; install it with dnf.
Ubuntu/Xubuntu Yubico libpam module
sudo apt-get install libpam-yubico
Set up PAM MFA on Linux
PAM is the Pluggable Authentication Module used by GNU/Linux and Mac OS X to manage login authentication.
See Yubico GitHub page for complete documentation.
First, as your login user (not root), store the state that PAM will check. Slot 2 of the key must already be programmed for HMAC-SHA1 challenge-response (see "Personalize your YubiKey on Linux" below). This writes a challenge and its expected response to ~/.yubico/challenge-<serial>, which pam_yubico verifies against the key at each authentication:
ykpamcfg -2 -v
Ubuntu autoconfiguration during installation of libpam-yubico may already have placed a line like the following in either /etc/pam.d/common-auth or /etc/pam.d/system-auth. If not using Ubuntu (or the line is not there), edit /etc/pam.d/system-auth (will need to sudo) and add the following line at the top of the file, above the pam_unix line. Ubuntu's pam_unix line uses the control "[success=1 default=ignore]", which skips the module that follows it once the password is correct, so a pam_yubico line placed below it would never be consulted:
auth required pam_yubico.so mode=challenge-response
Use "required" (or "requisite"), not "sufficient": "sufficient" would let the YubiKey alone unlock the account, turning two factors back into one.
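Before logging out to test the stack, it is worth checking the file for the mistakes that actually cause lockouts or silently weaken it. The script below is an added example (not from the original page or from Yubico) that inspects a PAM auth file and a ~/.yubico directory for four conditions: no active challenge-response pam_yubico line, a "sufficient" control, pam_yubico placed after pam_unix (where Ubuntu's success=1 jump skips it), and a missing challenge-* state file. The check_pam_yubico function, its return codes, and the sample configs in the demo are all constructed for this example; point it at /etc/pam.d/common-auth (Ubuntu) or /etc/pam.d/system-auth (Arch/Fedora) and your own ~/.yubico for a real check.

```shell
#!/bin/sh
# Added example: lint a PAM auth stack for pam_yubico mistakes. Read-only.

# check_pam_yubico FILE STATEDIR
# Returns 0 when the YubiKey is a mandatory second factor, otherwise:
#   1  no active (uncommented) pam_yubico line, or not mode=challenge-response
#   2  control is not "required"/"requisite" (e.g. "sufficient": the key
#      alone would log you in, so two factors silently become one)
#   3  pam_yubico is listed after pam_unix; Ubuntu's pam_unix line is
#      "[success=1 default=ignore]", which jumps over the next module once
#      the password is right, so the key would never be asked for
#   4  no challenge-* state file in STATEDIR: ykpamcfg has not been run for
#      this user, and pam_yubico would reject every login
check_pam_yubico() {
    file="$1"
    statedir="$2"
    yk=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_yubico\.so' "$file" | head -n 1)
    [ -n "$yk" ] || return 1
    case "$yk" in
        *mode=challenge-response*) ;;
        *) return 1 ;;
    esac
    yk_no=${yk%%:*}
    control=$(printf '%s\n' "$yk" | sed 's/^[0-9]*://' | awk '{ print $2 }')
    case "$control" in
        required|requisite) ;;
        *) return 2 ;;
    esac
    unix_no=$(grep -nE '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$file" | head -n 1 | cut -d: -f1)
    if [ -n "$unix_no" ] && [ "$unix_no" -lt "$yk_no" ]; then
        return 3
    fi
    ls "$statedir"/challenge-* >/dev/null 2>&1 || return 4
    return 0
}

# Demo on constructed files: the Ubuntu stack with pam_yubico added at the
# top (correct) versus added below pam_unix (skipped after a good password).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/yubico"
    : > "$tmp/yubico/challenge-1234567"      # stands in for ykpamcfg output
    cat > "$tmp/common-auth.good" <<'EOF'
auth required pam_yubico.so mode=challenge-response
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF
    cat > "$tmp/common-auth.skipped" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required pam_yubico.so mode=challenge-response
auth requisite pam_deny.so
EOF
    for f in common-auth.good common-auth.skipped; do
        if check_pam_yubico "$tmp/$f" "$tmp/yubico"; then rc=0; else rc=$?; fi
        echo "$f: rc=$rc"
    done
    rm -rf "$tmp"
}
demo
```

A return code of 0 only means the file is shaped correctly; it does not prove the key in the port matches the stored challenge file, so still do the live test from a second console with a root shell held open.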
Linux YubiKey removal lock
For additional security, you may want to immediately lock the screen when the YubiKey is removed.
This locks the session immediately when the last YubiKey is unplugged (the script checks whether any Yubico device, USB vendor ID 1050, is still present before locking). If you are not using xautolock as your "away detector", replace xautolock -locknow with the command that triggers your screen lock. This is inspired by https://vtluug.org/wiki/Yubikey#Automatic_Screen_Locking_.28i3lock.2C_slock.2C_etc..29
As your login user, create executable file ~/bin/ykgone:
#!/bin/bash
# udev runs this as root; the owner of the script is the login user whose
# X session we need to lock.
USER=$(stat -c "%U" "$0")
# Vendor 1050 is Yubico. Lock only when no YubiKey at all is still plugged in.
if usb-devices | grep -qF "Vendor=1050"; then
    echo "YubiKey present"
else
    echo "YubiKey not present, locking"
    export DISPLAY=":0"
    export XAUTHORITY="/home/$USER/.Xauthority"
    su "$USER" -c "xautolock -locknow" &
fi
Next, create (with sudo) a udev rule file /etc/udev/rules.d/90-yubikey.rules. Write your login name in place of $USER (udev does not expand shell variables), and match on the vendor ID udev recorded for the device rather than on a sysfs attribute, because the device's sysfs entries are already gone when the remove event fires:
ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", RUN+="/home/$USER/bin/ykgone"
Reload the rules (udevadm control --reload) or reboot, then pull the key and confirm the screen locks. This closes the "walked away with the session open" window; it does nothing against malware already running as you.
Personalize your YubiKey on Linux
This allows you to use your YubiKey with Google MFA (U2F/FIDO), as well as LastPass (which uses the Yubico OTP application, the factory credential in slot 1), and programs slot 2 for the HMAC-SHA1 challenge-response mode that pam_yubico uses. neoman is the YubiKey NEO Manager; on current keys the same OTP/U2F/CCID checkboxes live in YubiKey Manager (ykman).
neoman
# Enable OTP, U2F, CCID checkboxes if needed, follow instructions to add and remove key
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
The ykpersonalize line overwrites slot 2 with a freshly generated random secret (slot 1 and its OTP credential are untouched); serial-api-visible is needed because pam_yubico looks up the state file by the key's serial number. If you reprogram slot 2 later, run ykpamcfg -2 -v again, since the challenge/response pair stored in ~/.yubico/ will no longer match.
Mac OS X
This is the Mac OS X specific documentation for YubiKey.
Please help make this page more useful by adding links you found useful (describe exactly how they are useful) and specific steps you used to install, configure, and test your YubiKey.
Mac OSX YubiKey tool
This should be straightforward, but waiting for a pull request that clearly explains how to:
- Enable OTP, U2F & CCID
- Personalize Configuration Slot 2 with options: chal-resp (Set challenge-response mode), chal-hmac (Generate HMAC-SHA1 challenge responses), hmac-lt64 (Calculate HMAC on less than 64 bytes input), serial-api-visible (Allow serial number to be read using an API call)
Install apps
See:
- https://support.yubico.com/hc/en-us/articles/360013790219-Getting-Started-with-the-YubiKey-on-macOS
- https://www.yubico.com/why-yubico/for-businesses/computer-login/mac-os-login/
- https://www.yubico.com/2016/09/yubikey-smart-card-support-for-macos-sierra-2/
tbd...
Set up PAM MFA on MacOS
tbd...
Screen lock on lid close or idle
tbd...
Away detection ideas
Exceptions to the "idle timeout lock" can be made if you are on your home network and feel that it is secure. Adapt the below script if you only want to lock your screen when you are away from home. Treat it as a convenience, not a security control: it decides "home" by reading a marker file from a file server, and anyone who can put a host with the same address, share and file contents on the network passes the check.
Assuming ~/bin/ is in your $PATH, and you want to see if a file is on a Windows (SMB) server, create executable file ~/bin/out-lock:
#!/bin/sh
# Lock the screen unless a marker file on the home server is reachable and
# has the expected contents. Anything missing (no mount, no file) yields an
# empty string and therefore a wrong hash, so the script fails closed.
MOUNT="$HOME/mountain"
SERVER_IP="192.168.1.1"
SHARE_NAME="share"
USERNAME="admin"
FILE="home.txt"
# Regenerate for your own marker file with:
#   printf '%s' "$(cat home.txt)" | shasum -a 256
EXPECTED="7147a8f255f49cb7693dcd19b6b46e139680d48a03e0a075ea237deb7e6bacc9"

# Mount the share if it is not already mounted. The password is deliberately
# not on the command line (it would sit in this file and show up in ps):
# with -N, mount_smbfs does not prompt and reads it from ~/.nsmbrc (chmod 600).
mkdir -p "$MOUNT"
if ! mount | grep -q " on $MOUNT "; then
    mount_smbfs -N "//$USERNAME@$SERVER_IP/$SHARE_NAME" "$MOUNT" 2>/dev/null
fi

contents=$(cat "$MOUNT/$FILE" 2>/dev/null)
hash=$(printf '%s' "$contents" | shasum -a 256)
cuthash=${hash%% *}   # first field: the 64 hex digits
if [ "$cuthash" != "$EXPECTED" ]; then
    # Lock Screen
    /System/Library/CoreServices/Menu\ Extras/User.menu/Contents/Resources/CGSession -suspend
fi
The launchd agent file at $HOME/Library/LaunchAgents/com.dan.outlock.plist might look like this to run every 15 minutes (StartInterval is in seconds); load it with launchctl load and that path. ProgramArguments must carry the absolute path to the script, because launchd does not expand ~ or $HOME:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.dan.outlock</string>
<key>ProgramArguments</key>
<array>
<!-- absolute path to ~/bin/out-lock; replace dan with your own account name -->
<string>/Users/dan/bin/out-lock</string>
</array>
<key>Nice</key>
<integer>1</integer>
<key>StartInterval</key>
<integer>900</integer>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
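A detector that needs no share, no stored password and no marker file is to ask which router you are behind: read the default gateway from the routing table and compare its MAC address to the one you recorded at home. The script below is an added example (not from the original page) of that approach. It assumes the output shapes of macOS `route -n get default` and `arp -n <ip>`; HOME_GW_MAC is a hypothetical value to replace with your own router's address, and the ROUTE_*/ARP_* strings at the bottom are constructed samples so the decision logic runs without a network. A MAC can be spoofed, so like the marker-file version this only decides whether to skip the idle lock; the YubiKey removal lock remains the actual control.

```shell
#!/bin/sh
# Added example: "am I at home?" from the default gateway's MAC address.
HOME_GW_MAC="0a:bb:cc:dd:ee:ff"   # hypothetical value, replace with yours

# norm_mac MAC: lowercase and zero-pad each octet, e.g. "a:BB:c:1:2:3" ->
# "0a:bb:0c:01:02:03". macOS arp prints octets without leading zeros.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | awk -F: '{
        for (i = 1; i <= NF; i++)
            printf "%s%s", (i > 1 ? ":" : ""), (length($i) == 1 ? "0" $i : $i)
        print ""
    }'
}

# gateway_mac ROUTE_OUTPUT ARP_OUTPUT: print the default gateway's MAC, or
# return non-zero when there is no gateway (off-line) or no ARP entry for it.
gateway_mac() {
    gw=$(printf '%s\n' "$1" | awk '$1 == "gateway:" { print $2 }')
    [ -n "$gw" ] || return 1
    mac=$(printf '%s\n' "$2" | awk -v ip="($gw)" '$2 == ip { print $4 }')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# should_lock ROUTE_OUTPUT ARP_OUTPUT: 0 = lock, 1 = home network, leave it.
# Unknown or missing gateway counts as away, so the default is to lock.
should_lock() {
    mac=$(gateway_mac "$1" "$2") || return 0
    [ "$(norm_mac "$mac")" = "$(norm_mac "$HOME_GW_MAC")" ] && return 1
    return 0
}

# Live use from the launchd job (macOS only; not called by the demo below).
lock_if_away() {
    route_out=$(route -n get default 2>/dev/null)
    gw=$(printf '%s\n' "$route_out" | awk '$1 == "gateway:" { print $2 }')
    arp_out=$(arp -n "$gw" 2>/dev/null)
    if should_lock "$route_out" "$arp_out"; then
        "/System/Library/CoreServices/Menu Extras/User.menu/Contents/Resources/CGSession" -suspend
    fi
}

# Constructed sample output in the shape macOS prints it.
ROUTE_HOME='   route to: default
destination: default
    gateway: 192.168.1.1
  interface: en0'
ARP_HOME='? (192.168.1.1) at a:bb:cc:dd:ee:ff on en0 ifscope [ethernet]'
ARP_CAFE='? (192.168.1.1) at 12:34:56:78:9a:bc on en0 ifscope [ethernet]'
ROUTE_OFFLINE='route: writing to routing socket: not in table'

if should_lock "$ROUTE_HOME" "$ARP_HOME"; then echo "home: lock"; else echo "home: stay unlocked"; fi
if should_lock "$ROUTE_HOME" "$ARP_CAFE"; then echo "cafe: lock"; else echo "cafe: stay unlocked"; fi
if should_lock "$ROUTE_OFFLINE" ""; then echo "offline: lock"; else echo "offline: stay unlocked"; fi
```

To use it, replace the demo calls at the bottom with a single call to lock_if_away and point the launchd agent's ProgramArguments at this file instead of out-lock. The padding step in norm_mac matters: a MAC copied from your router's admin page ("0a:…") will never equal what arp prints ("a:…") unless both are normalised first.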
MacOS YubiKey removal lock
tbd...