OS: Elementary OS 0.4.1 Loki | Should work on other Debian-based distros as well; remember to change the screensaver command, which may differ per distro. Yubikey: Yubikey II
This is a short guide on how to get your Yubikey to work on Linux (Debian based), with the option to lock/unlock your screen using your Yubikey.
- Login with Yubikey + password required
- Screen unlocking by just inserting your Yubikey (only works after already being logged into the system)
- Single udev rule to fire up a single script
- No screen flickering when using sudo commands: the script checks whether the key is physically removed rather than reacting to a challenge-response trigger.
- Using your Yubikey serial, which prevents other users from unlocking the system with their own Yubikey.
First we have to configure the token for challenge-response. For this purpose install the package:
sudo apt-get install yubikey-personalization-gui
Then follow these steps from the Yubico forum.
Install the following packages:
sudo apt-get install libpam-yubico
sudo apt-get install yubikey-personalization
Execute the following command for the users you want to be able to login (Using the Yubikey + password combination):
mkdir ~/.yubico
ykpamcfg -2 -v
This should create a file in ~/.yubico/challenge-XXXXXX
Make sure you also do this for your root user!
sudo ykpamcfg -2 -v
DOUBLE CHECK THIS!
Edit your pam.d auth file. First back up your current common-auth file:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BAK
sudo vi /etc/pam.d/common-auth (Note: the path might differ on another distro!)
My common-auth file:
# Use this to use both your password + Yubikey. You can comment this line if you want to JUST use your Yubikey (NOT RECOMMENDED)
auth required pam_unix.so nullok_secure try_first_pass
# The line below is required to be able to use your Yubikey
auth [success=1 new_authtok_reqd=ok default=die ignore=ignore] pam_yubico.so mode=challenge-response
# Default rules
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
Check that your Yubikey is working: open a new terminal shell and run
sudo su -
Try executing this with and without the Yubikey. When the Yubikey is removed you should NOT be able to log in! Only continue if this works; if it doesn't, double-check your common-auth file before continuing.
Create a udev rule to run a script whenever the Yubikey is inserted, changed or removed:
Get your Yubikey serial (to prevent other users from unlocking your screen):
udevadm monitor --environment --udev
now insert or remove your Yubikey!
look for a line like this:
ID_SERIAL_SHORT=0001711399
Copy or write your serial down! (Double-check your ID_MODEL_ID in the same output; this should be 0010 if you're using the same model as me)
sudo vi /etc/udev/rules.d/85-yubikey.rules (Double check 85 is the correct rule number for your distro)
insert the following:
# Yubikey Udev Rule: running a bash script in case your Yubikey is inserted, removed or triggered by challenge-response
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"
Change the following: ENV{ID_SERIAL_SHORT}=="0001711399" to your own serial number found in the step above, and ENV{ID_MODEL_ID}=="0010" to your model id.
Now create the actual bash script:
sudo vi /usr/local/bin/yubikey
Insert the following code:
#!/bin/bash
# Double-check that the Yubikey is physically gone before locking: a challenge-response
# "change" event alone must not trigger the screensaver, so we look at lsusb instead.
touch /tmp/test   # leftover marker from debugging; harmless
USERNAME="wyhasany"
# Graphical session ID of USERNAME; on Elementary/Debian this ID starts with "c",
# so match the user name exactly (column 3) and take the first such session.
SESSION="$(loginctl list-sessions --no-legend | awk -v u="${USERNAME}" '$3 == u && $1 ~ /^c/ { print $1; exit }')"
if ! lsusb | grep -q "Yubikey"; then
    logger "YubiKey Removed or Changed"
    # Running the Pantheon screensaver lock command
    loginctl lock-session "${SESSION}"
else
    # Running the Pantheon screensaver unlock command
    logger "YubiKey Found, Unlocking screensaver"
    loginctl activate "${SESSION}"
    loginctl unlock-session "${SESSION}"
fi
Make sure you change the user name to your own (mine is joost): USERNAME="YOURUSERNAME"
IMPORTANT: If you're using another distro or graphical Linux shell, change the screensaver commands (the "loginctl ..." lines) accordingly.
Reload your Udev rules:
sudo udevadm control --reload-rules
sudo service udev reload
Now check that it works (it should, if you followed the steps correctly!)
Based on the Yubico forum
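To make that final check less of a guess, here is an added verification script (example code, not part of the original guide). It checks the three things that most often go wrong: that the pam_yubico line with success=1 is followed directly by pam_deny.so (success=1 skips exactly one module, so any line inserted in between leaves pam_deny active and locks every login out), that the challenge-* file exists for the user and for root, and that the serial in 85-yubikey.rules matches the key that is actually plugged in. The file paths in the final block are the ones used above; the checks themselves run on any file you pass them.

```shell
#!/bin/bash
# Added sanity checks for the setup above (example code, not part of the original guide).
# Each check is a function returning 0 when the setup looks right, so it can run on any file.

# pam_yubico is configured with success=1, which skips exactly ONE module: the next
# active (non-comment) line after it must be pam_deny.so, or a key that passes still
# falls through to pam_deny and every login fails.
pam_order_ok() {   # $1 = common-auth file
    awk '
        /^[ \t]*(#|$)/ { next }                                 # skip comments/blank lines
        { n++ }
        $1 == "auth" && $2 == "required" && /pam_unix\.so/  { unix = 1 }
        $1 == "auth" && /success=1/ && /pam_yubico\.so/     { yk = n }
        $1 == "auth" && /pam_deny\.so/ && yk && n == yk + 1 { deny = 1 }
        END { exit !(unix && yk && deny) }
    ' "$1"
}

# ykpamcfg -2 must have left a challenge-* file in <home>/.yubico (root included).
challenge_file_ok() {   # $1 = home directory
    local f
    for f in "$1"/.yubico/challenge-*; do [ -e "$f" ] && return 0; done
    return 1
}

# Pull ID_SERIAL_SHORT out of `udevadm info --export-db` text (on stdin) for the first
# device record with Yubico's vendor id 1050; records are separated by blank lines.
serial_from_udev_db() {
    awk -F= 'function flush() { if (v && s && !found) { print s; found = 1 } v = 0; s = "" }
             /^E: ID_VENDOR_ID=1050$/ { v = 1 }
             /^E: ID_SERIAL_SHORT=/   { s = $2 }
             /^$/ { flush() }
             END  { flush() }'
}

# The rule only fires for the serial it names, so it must match the attached key.
rule_serial_ok() {   # $1 = rules file, $2 = serial
    grep -Fq "ENV{ID_SERIAL_SHORT}==\"$2\"" "$1"
}

# Run everything against the live system: ./check_yubikey.sh /home/YOURUSERNAME
if [ "$#" -eq 1 ]; then
    pam_order_ok /etc/pam.d/common-auth && echo "ok: PAM order" || echo "FAIL: pam_yubico success=1 must be followed directly by pam_deny.so"
    challenge_file_ok "$1" && echo "ok: challenge file in $1" || echo "FAIL: no $1/.yubico/challenge-* (run ykpamcfg -2 -v as that user)"
    challenge_file_ok /root && echo "ok: challenge file for root" || echo "FAIL: run 'sudo ykpamcfg -2 -v'"
    serial="$(udevadm info --export-db | serial_from_udev_db)"
    rule_serial_ok /etc/udev/rules.d/85-yubikey.rules "$serial" && echo "ok: rule names serial $serial" || echo "FAIL: 85-yubikey.rules does not name attached serial '$serial'"
fi
```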