Tip: Make sure pcscd.service (PC/SC Smart Card Daemon) is enabled on Arch Linux.
YubiKey
Dec 12, 2020
Notes about setting up a YubiKey on Linux (Arch Linux / Fedora).
Install the following packages:
$ sudo pacman -S pam-u2f yubikey-manager libfido2
$ sudo dnf install pam-u2f yubikey-manager libfido2 pamu2fcfg
Create /etc/u2f_keys and append the output of pamu2fcfg to it.
pamu2fcfg -n will create the same output without a username. This is useful for appending additional keys.
Add the following line to the top of any PAM config file in /etc/pam.d, such as sudo, gdm-password or polkit-1:
auth sufficient pam_u2f.so authfile=/etc/u2f_keys cue
This adds the YubiKey as an auth method. Sufficient means that only the key is needed. If the key is removed, password auth will be used as normal.
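A sanity check for the PAM setup above, added here as an example (it is not part of the original notes or of pam-u2f). The function names are hypothetical, and it assumes GNU stat and that /etc/u2f_keys should be owned by root.

```bash
#!/usr/bin/env bash
# Added example: sanity checks for the pam_u2f setup above (Linux, GNU stat).
# Function names are hypothetical; they are not part of pam-u2f.

# check_authfile FILE [UID]
# With "sufficient", whoever can write FILE can enrol their own key and skip
# the password, so require owner UID (default 0) and no group/other write bit.
# Each line must be user:keyhandle,pubkey[,type,options][:keyhandle,...].
check_authfile() {
    local file="$1" uid="${2:-0}" mode bad
    local re='^[^:[:space:]]+(:[^:,[:space:]]+,[^:[:space:]]+)+$'
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    [ "$(stat -c %u "$file")" = "$uid" ] ||
        { echo "$file: not owned by uid $uid"; return 1; }
    mode=$(stat -c %a "$file")
    case $mode in
        *[2367]?|*[2367]) echo "$file: mode $mode is group/other writable"; return 1 ;;
    esac
    # Lines that are neither empty nor well formed, e.g. `pamu2fcfg -n` output
    # (no username) that landed on a line of its own instead of the user's line.
    bad=$(grep -Evn -e '^$' -e "$re" "$file" | cut -d: -f1 | tr '\n' ' ')
    [ -z "$bad" ] || { echo "$file: malformed entry on line(s) $bad"; return 1; }
}

# check_pam_first FILE
# The first auth line must be the pam_u2f one, so the key is tried before the
# password modules.
check_pam_first() {
    local first
    first=$(grep -E '^[[:space:]]*-?auth[[:space:]]' "$1" | head -n 1)
    printf '%s\n' "$first" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_u2f\.so([[:space:]]|$)' ||
        { echo "$1: first auth line is not pam_u2f: ${first:-<none>}"; return 1; }
}

# Check the real files only when called with "audit" (needs read access).
if [ "${1:-}" = "audit" ]; then
    check_authfile /etc/u2f_keys && check_pam_first /etc/pam.d/sudo && echo OK
fi
```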
Create an SSH key like normal, but specify the ecdsa-sk key type (sk stands for security key).
$ ssh-keygen -t ecdsa-sk
Then add the key to the remote machine as usual.
When the YubiKey is touched, it acts as a keyboard, outputting an OTP and sending [ENTER].
To disable it:
$ ykman config usb --disable otp