In a PAM configuration file, if using yubikey,u2f-sufficient add an include line before, or if using yubikey,u2f-required add it after, a line that reads "auth substack system-auth" or "auth include system-auth". The placement matters: a sufficient include that precedes system-auth lets a successful key check satisfy the stack on its own, while a required include that follows it adds the key as a second factor on top of the password. An include of yubikey-sufficient looks like this:
There are essentially two tools, each with its own GUI variant, that are used together: 'yubikey-manager' and 'ykpersonalize'. The former is newer but supports fewer options than the latter. To have all available options, install both.
Out of my own interest I was trying to get yubikey-manager, a CLI interface to the YubiKey, running on Sailfish to e.g. create OATH passwords.
It is working after installing some packages and then pip-installing it. I made a lot of progress with the help of @rinigus. But now I have no clue how to package the Python stuff as well, so that I can finally make it available in sailfishos:chum and most likely try to write a GUI around it.
Let's start with reading in the attestation certificate and the intermediate certificate. The PEM header and footer lines are stripped and the remaining lines are joined into a single Base64 string:

```powershell
$attcertbin = (GC "$($env:TEMP)\yubico_attestation.cer") -replace '^-.*-$' -join '' -replace '[^A-Za-z0-9+/=]'
$intcertbin = (GC "$($env:TEMP)\yubico_intermediate.cer") -replace '^-.*-$' -join '' -replace '[^A-Za-z0-9+/=]'
```

Then we create the CSR extensions that we will use to store the certificates in the CSR:

```powershell
$CertExtAttestation = New-Object -ComObject X509Enrollment.CX509Extension
$oidExtAtt = New-Object -ComObject X509Enrollment.CObjectId
$oidExtAtt.InitializeFromValue('1.3.6.1.4.1.41482.3.11')

$CertExtInt = New-Object -ComObject X509Enrollment.CX509Extension
$oidExtInt = New-Object -ComObject X509Enrollment.CObjectId
$oidExtInt.InitializeFromValue('1.3.6.1.4.1.41482.3.2')

# Second parameter is Encoding, and 1 = XCN_CRYPT_STRING_BASE64
$CertExtAttestation.Initialize($oidExtAtt, 1, $attcertbin)
$CertExtInt.Initialize($oidExtInt, 1, $intcertbin)
```

Next, let's open the private key so we can create a new CSR:

```powershell
# We create a private key object and supply the length and PIN.
$privkey = New-Object -ComObject X509Enrollment.CX509PrivateKey
$privkey.Length = 2048
$privkey.Pin = '123456'
# Here we specify that Windows should look for this one as a Smart Card, and send in all cryptographic providers we find
$privkey.ProviderName = "Microsoft Base Smart Card Crypto Provider"
$CCspInformations = New-Object -ComObject X509Enrollment.CCspInformations
$CCspInformations.AddAvailableCsps()
$privkey.CspInformations = $CCspInformations
$privkey.ContainerName = $Null
$privkey.Open()
```

Now we should have found the private key and can continue with the CSR. This will require a press on the YubiKey if you have set that requirement:

```powershell
$CertificateSigningRequest = New-Object -ComObject X509Enrollment.CX509CertificateRequestPkcs10
# The first parameter is Context, and 1 = ContextUser
$CertificateSigningRequest.InitializeFromPrivateKey(1, $privkey, '')
$SubjectDN = New-Object -ComObject X509Enrollment.CX500DistinguishedName
# The second parameter is X500NameFlags, and 0x0 = XCN_CERT_NAME_STR_NONE
$SubjectDN.Encode('CN=There must be a DN in a CSR', 0x0)
$CertificateSigningRequest.Subject = $SubjectDN
$CertificateSigningRequest.X509Extensions.Add($CertExtAttestation)
$CertificateSigningRequest.X509Extensions.Add($CertExtInt)
# Requires interaction with the private key and therefore a press on the YubiKey, depending on policy.
$CertificateSigningRequest.Encode()
```

Now we can take this and create the CSR file using the X509Enrollment object:

```powershell
$en = New-Object -ComObject X509Enrollment.CX509Enrollment
$en.InitializeFromRequest($CertificateSigningRequest)
# The only parameter is Encoding, and 1 = XCN_CRYPT_STRING_BASE64
$en.CreateRequest(1)
```
Users of the sd-encrypt hook may install mkinitcpio-ykfde (AUR) or mkinitcpio-ykfde-git (AUR) and follow the instructions in the project documentation. The procedure is broadly similar to yubikey-full-disk-encryption.
PAM, and therefore anything which uses PAM for user authentication, can be configured to use a YubiKey as a factor in its user authentication process. This includes sudo, su, ssh, screen lockers, display managers, and nearly every other instance where a Linux system needs to authenticate a user. Its flexible configuration allows you to set whichever authentication requirements fit your needs, for the entire system, a specific application, or a group of applications. For example, you could accept the YubiKey as an alternative to a password for local sessions, while requiring both for remote sessions. In addition to the Arch Wiki, you are encouraged to read pam(8) and pam.conf(5) to understand how it works and how to configure it.
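The placement rule described at the top of the page (a sufficient YubiKey/U2F include before the system-auth line, a required include after it) and the per-application flexibility described in the paragraph above come down to editing the right stack in the right place. The following POSIX shell function is an added example, not from the Arch Wiki or any of the quoted sources: it takes a PAM stack on stdin and emits it with the include inserted in the correct position, refuses to insert a duplicate, and reports when no system-auth line exists. The include names yubikey-sufficient and yubikey-required are the ones the page mentions; the sample stack is constructed for illustration and is not a real /etc/pam.d file.

```shell
#!/bin/sh
# Added example (not from the original page): apply the ordering rule for a
# YubiKey/U2F PAM include. A "sufficient" include goes BEFORE the system-auth
# line, so a successful key check satisfies the auth stack without a password;
# a "required" include goes AFTER it, so the key is a second factor on top of
# the password. The include file names yubikey-sufficient / yubikey-required
# are those the page names; the sample stack below is constructed.

# Usage: pam_add_yubikey sufficient|required  < /path/to/pam/file
# Prints the modified stack on stdout. Exit 2 = bad mode, 3 = no
# "auth substack|include system-auth" line found (nothing was inserted).
pam_add_yubikey() {
    mode="$1"
    case "$mode" in
        sufficient) inc="auth        include      yubikey-sufficient" ;;
        required)   inc="auth        include      yubikey-required" ;;
        *) echo "pam_add_yubikey: mode must be sufficient or required" >&2; return 2 ;;
    esac
    input=$(cat)
    # Idempotent: an include that is already present is left alone. Inserting a
    # second copy would silently change the stack's semantics.
    if printf '%s\n' "$input" | grep -qxF -- "$inc"; then
        printf '%s\n' "$input"
        return 0
    fi
    printf '%s\n' "$input" | awk -v inc="$inc" -v mode="$mode" '
        # Only the auth section counts; "account include system-auth" must not match.
        /^auth[ \t]+(substack|include)[ \t]+system-auth([ \t]|$)/ && !done {
            if (mode == "sufficient") { print inc; print } else { print; print inc }
            done = 1; next
        }
        { print }
        END { if (!done) exit 3 }
    '
}

# Constructed sample: a trimmed sudo-style stack (not a real /etc/pam.d file).
SAMPLE_PAM='auth        required     pam_env.so
auth        substack     system-auth
auth        include      postlogin
account     include      system-auth
session     include      system-auth'

# Stand-alone demo: show both placements side by side.
echo "--- sufficient (key alone satisfies auth) ---"
printf '%s\n' "$SAMPLE_PAM" | pam_add_yubikey sufficient
echo "--- required (key in addition to the password) ---"
printf '%s\n' "$SAMPLE_PAM" | pam_add_yubikey required
```

To apply it to a real service, feed it the service's file and review the result before writing it back (for example `pam_add_yubikey required < /etc/pam.d/sudo`); keep a root shell open while testing, since a mistake in an auth stack can lock you out. The function deliberately only touches the `auth` section: an `account` or `session` line that also references system-auth is not where a second factor belongs.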