Hi everyone. It’s been a few months since I last posted and I wanted to let everyone (who probably already knows about this wonderful tool) know about something I’ve just started using full-time. If you aren’t familiar with it, there is a great “physical token” device out there called a “Yubikey.” The purpose of this device is to use as a second factor (among other purposes) so that even if a bad actor manages to get their hands on your userid and password, they still can’t log into a device / site without also physically possessing the token.
There is similar technology where a text message with a one-time use code is sent to your mobile phone, but I’m not a fan of that given that someone could clone your SIM and have that text message directed at them instead of you. This famously happened with Krebs on Security a few yearsa ago with his PayPal account.
The Yubikey is basically a USB device that you carry with you and you plug into your laptop’s USB type-A port when you want to log in. There is a USB type C version (and apparently a two-headed beast that is USB-C and Lightning for iPhone users) but this one works best for me. There is a little contact circle on it that lights up when the key is active and for some use cases, you touch that lighted circle for it to spit out the secret key associated with the device as if it were a USB keyboard attached to your laptop. For multi-factor login, you don’t have to do this, you simply have to have a secret installed to the second “slot” on the key using the HMAC-SHA1 algorithm, not FIDO (which requires online access to a centralized server – not the use case I’m looking for).
The Yubikey I purchased is the Yubikey 5 NFC which also includes the ability to do NFC communication with cell phones. I haven’t found a good use for that capability yet in my workflow, but I figured it was worth the extra few dollars to know that, if I do, I have the technology.
Setting up a Yubikey for multi-factor auth on Windows or Linux login isn’t exactly rocket science, but it is slightly challenging so I thought I’d document the process here. There are other places you can use your Yubikey such as SSH logins, validating your GitHub connectivity, accessing your password vault in a variety of tools (Lastpass and Keepass), getting into your Facebook account and others.
For Windows 10 on my laptop, I run the “Pro” version. There is software you can download from the Microsoft Store for Windows 10 Home / Windows Hello (if you have the IR camera capability on your laptop which I do not). Unfortunately it seems to be not a multi-factor solution but a “skip the login screen if you have your key inserted” which I’m not a fan of. I want true multi-factor auth in case someone steals my laptop and my Yubikey – I want them to have to know my password too.
To get the multi-factor auth software from Yubico that works in an offline mode with the HMAC-SHA1 secret on Windows 10 Pro, you do have to sign up for access to the early release code. At the time I wrote this, it was not generally available yet. However, before you install this software, you do need to configure the “slot 2” secret on your Yubikey. To do this, install the Yubikey Personalization Tool from their website. Run it with your Yubikey inserted into your laptop’s USB port.
Click on the “Challenge-Response” tab at the top and select the “HMAC-SHA1” button from the resulting screen. Select the “Configuration Slot 2” radio button, click the “Generate” button and then press “Write Configuration” to save it. You have the opportunity to save your key in a text file (which you can then print out if you wish to do so), but regardless, it will write the updated value to your device. Once you have done this one time, there is no need to repeat the process so please don’t make the mistake of setting up Windows with the key and then replacing the secret in your device when you do Linux. If you do so, you won’t be able to log into Windows again because you have wiped out the key’s secret when you reprogrammed it a second time.
OK. Down to setting this up in Windows. Before you do this, I strongly recommend that you create a local admin account so that if you mess things up, you can use it to log into your machine. After you have done this (and just for the sake of sanity, reboot and verify that the account works and that you didn’t fat finger something – better safe than sorry), install the software that Yubico sent you a link to when you signed up for the beta.
You will be asked to reboot. When you do so, your normal user account won’t work any more so you’ll have to log in as your local admin account you created above. If you aren’t super familiar with Windows, you can use the .\username approach to log in as a different local user. After logging in, you’ll need to run the Yubico Login Configurator application that you installed. You will want to indicate slot 2 as your source for your HMAC and to use the existing secret you already programmed into the key. Once you have selected this and moved to the next screen, you will be presented with a list of users to enable. Choose your regular user, insert your Yubikey and press “Next” to complete the process. At this point you should be able to reboot and log in as your regular user using your password and your Yubikey. If you’d like, delete the admin account so that the only way you can log into your laptop is with your password and your Yubikey (if you are feeling bold / paranoid like me).
To do this on Linux (in my case, Ubuntu 19.04), you’ll first want to install the libpam-yubico and yubikey-manager packages. On my particular version of Ubuntu, there was no need to add a third-party PPA as these packages were available in the default repositories. Next, run the command “ykpamcfg -2” from your user account that you want to enable for two factor authentication. Don’t use sudo for this, you’ll want it done as your regular user. You should see that it created an initial challenge and expected response file in ~/.yubico/challenge-####### where ####### is the serial number that is unique to your key.
Now, to configure your system to require the Yubikey for login, you’ll want to add the following line to your /etc/pam.d/gdm-password file (your location might be different if you aren’t using GDM as your login manager like I am) right above the @include common-auth line:
auth required pam-yubico.so mode=challenge-response
If you make a mistake with this and manage to lock yourself out of your system, you can boot from a rescue CD, mount your filesystem, remove that line (or fix the typo in it like I had to) and then reboot (or you can create another user, add them to the “sudo” group and then delete the additional account when you are sure everything is working). I run an encrypted filesystem so this ability to boot from a rescue CD doesn’t worry me as a back door, because an attacker would need to know the very complex password I have on my LUKS encryption. Also, you can secure LUKS with the Yubikey as well (more on that later). You should be able to reboot now and not log in unless you supply the correct password for your account along with having your Yubikey physically plugged into your machine.
If you’d like to require your Yubikey to use sudo on your account, then you can add that same line in /etc/pam.d/sudo in the same place. It works great but I personally found it to be a bit much to have to use the Yubikey every time I run a sudo command versus just when I log in or unlock my screen when the screen saver kicks in. It’s obviously up to you if you find the additional security to be worth the hassle.
If you’d really like to take things to the next level (and you run an LUKS encrypted filesystem like I do), then you can require your Yubikey to unlock your encrypted filesystem. First, install the package yubikey-luks. Then, edit the file at /usr/bin/yubikey-luks-enroll and modify the DISK variable to point to your encrypted volume. After doing that, run the script as root. You’ll be prompted for a new LUKS passphrase that will require your Yubikey (and you’ll have to provide your existing LUKS passphrase so that the change can be saved). Once you’ve done that, you should be able to reboot and the LUKS volume will only unlock with that new passphrase if the Yubikey is installed.