Yubikey

The #1 security key, offering strong two factor authentication from industry leader Yubico.

Ubuntu 2FA

Install requirements

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install libu2f-udev libpam-u2f

Initial configuration

mkdir ~/.config/Yubico
pamu2fcfg > ~/.config/yubico/u2f_keys

Adding extra key

pamu2fcfg -n >> ~/.config/yubico/u2f_keys

Testing configuration

To prompt the user to touch the key, set ‘cue’ at the end of the ‘auth required’ line

sudo nano /etc/pam.d/sudo
auth required pam_u2f.so authfile=/home/<user>/.config/yubico/u2f_keys

FIDO U2F (2FA for SSH)

Developers.yubico.com - SSH

$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/johndo/.ssh/id_ecdsa_sk
Your public key has been saved in /home/johndo/.ssh/id_ecdsa_sk.pub
The key fingerprint is:
SHA256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2 [email protected]
The key's randomart image is:
+-[ECDSA-SK 256]--+
|                 |
| o     . .       |
|oA.     + o      |
|.. .   x O +     |
|a   .   R * .    |
|-  . . . P o     |
|..  o . % + .    |
|   .  .!!! o .   |
|      .---X#o    |
+----[SHA256]-----+

Upload new key to SSH-target server.

ssh-copy-id -f -i <filename>.pub <user>@<target>

Test logging in with key.

$ ssh [email protected] -i id_ecdsa_sk
Enter passphrase for key '/home/johndo/id_ecdsa_sk': 
Confirm user presence for key ECDSA-SK SHA256:f2ca1bb6c7e907d06dafe4687e579fce76b37e4e93b7605022da52e6ccc26fd2
Last login: Wed May 12 08:29:50 2021 from 10.10.20.107
[email protected]:~$

URL list