Setting up the YubiKey on Ubuntu

Originally published at: Setting up the YubiKey on Ubuntu – LearnLinuxTV

I’ve recently had a chance to check out some newer YubiKeys, and decided to make a video on it. In this video, I’ll show you how to set up the YubiKey on Linux, with examples that include setting it up on your local laptop/desktop as well as using it to secure OpenSSH to a remote server.

2 Likes

Hello, Thanks for your videos they’ve been a great help learning Linux. I was configuring my new Yubikeys. But also as you’ve suggested always add backups. I’ve been able to add backups for everything so far except the PAM step:

pamu2fcfg > ~/.config/Yubico/u2f_keys

When performing this command to sink my keys with the system it only works on the last key I ran the command on. My first key no longer works to authorize access. Was there possibly an alternate command that would add the backup vs overwrite the original key? Thanks again.

System: Pop OS 21.10

If you use >> instead of >, then it will append rather than overwrite your file.

1 Like

An updated Yubikey video is very close to being done…

The current edit is around 54 minutes!

2 Likes

from the Yubico site, to append more keys:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

it uses -n from the pamu2fcfg help:

-n, —nouser Print only registration information (keyHandle and public key). Useful for appending

Jay, first of all, thanks for this tutorial.

I successfully configured a Yubico Security Key for login, sudo, and TTY, tested and working good, I also added a second key for backup.

Today I was configuring a raspberrypi using the imager, when it comes to write the image to the card, the system prompts for the password, I guess this operation is privileged, but for this the yubikey was not required.

If the application is invoked from the terminal using sudo, the yubikey is required, but if an application is open from the GUI and it requires permission to do something the yubikey is bypassed.

I’m using Pop!_OS 22.04.

I’m wondering if auth required pam_u2f.so has to be put somewhere else to protect this.

Gabriel