I recently got a YubiKey FIDO U2F as part of Yubico and Github’s bromance sale at a fairly heavy discount of $13 off! Mine, including shipping, cost $11. They had issues with the initial keys they sent out being partially configured – if you tried to force setup the FIDO U2F it would brick the key. So now I have two – one that will do HMAC and static passwords (didn’t test anything else, for fear of bricking the key) and another that is a fully working FIDO U2F!
I use the Google Authenticator PAM module to force the use of two-factor authentication (2FA) on all my servers. I have a secret pre-made, and it’s already in the Google Authenticator app on my Note 2. I’ll save setting up and configuring the PAM module for another post; this post is just for getting your YubiKey to work with the Google PAM module.
First, you need to download the YubiKey personalisation application. It is available here. The GUI tool will also install the command line tools, which we’ll need later. After you’ve installed the personalisation tools and restarted your machine, open them up and insert your YubiKey.
YubiKey Personalisation Tools without the key inserted
YubiKey Personalisation Tools with the key inserted
We’ll remove the configuration for Slot 2. This is under Tools.
After you select the relevant slot (in my case, Slot 2), click Delete. You will then see the notice on the right-hand side saying that only Slot 1 is configured.
Next we will download and run the yubi_goog Python script. This will convert the SSH user’s secret key (generated by Google or something else) into a usable format. For this example, my secret key is JBSWY3DPEHPK3PXP.
wget https://raw.githubusercontent.com/Ramblurr/yubi-goog/master/yubi_goog.py
chmod +x yubi_goog.py
Now we’ll convert the secret key into a YubiKey friendly format.
./yubi_goog.py --convert-secret
Google key: JBSWY3DPEHPK3PXP
48656c6c6f21deadbeef
So the script has converted JBSWY3DPEHPK3PXP to 48656c6c6f21deadbeef. We’ll put this into the YubiKey’s configuration for Slot 2.
Click Write Configuration.
Now we’ll jump back to the command line, and see if our seed works. I have the seed on my phone already using a QR code and the Google Authenticator app. The QR code is below so you can verify.
Since the YubiKey doesn’t have a battery, it has no clock and doesn’t know what time it is. That makes time-based OTP a pain in the ass. To get the OTP from the YubiKey, we need to send it a challenge on the correct slot and read back the response.
ykchalresp -t -6 -2 710876
ykchalresp is included with the personalisation tools and does the actual challenge-response with the YubiKey, passing in the time (-t flag), the number of digits we want back (-6 flag, for 6 digits), and the slot (-2 for slot 2; the default is -1, slot 1). If we run this and hit the button, we’ll get the OTP back, which is 710876. You can confirm this by checking against the output of the Google Authenticator app on your phone – keep in mind that there might be a small bit of clock skew just before or just after the 30-second time window changes.
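What ykchalresp -t does is plain TOTP (RFC 6238): the host turns the current time into a 30-second step counter, the YubiKey computes HMAC-SHA1 over that counter with the secret in Slot 2, and the host truncates the result to 6 digits. The Python below is an added example, not code from the original post or from yubi_goog; it does the same base32-to-hex conversion and OTP calculation on the host (function names are my own), plus a verifier that allows one step of skew on either side, which is how the PAM module side of this can tolerate the clock drift mentioned above.

```python
import base64
import hashlib
import hmac
import struct
import time


def secret_to_hex(b32_secret):
    """Decode a Google Authenticator base32 secret into the hex string
    that gets written into the YubiKey's HMAC-SHA1 slot."""
    cleaned = b32_secret.strip().upper().replace(" ", "")
    cleaned += "=" * (-len(cleaned) % 8)   # base32 wants 8-char groups
    return base64.b32decode(cleaned).hex()


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation. The YubiKey does the HMAC; ykchalresp does the rest."""
    challenge = struct.pack(">Q", counter)   # the challenge sent to the key
    digest = hmac.new(key, challenge, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time=None, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second periods since the epoch."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(key, unix_time // step, digits)


def verify(code, key, unix_time=None, window=1, step=30):
    """Accept the code for the current step and `window` steps either side,
    absorbing small clock skew between key/phone and server. Constant-time compare."""
    if unix_time is None:
        unix_time = int(time.time())
    counter = unix_time // step
    return any(hmac.compare_digest(code, hotp(key, counter + d))
               for d in range(-window, window + 1))


if __name__ == "__main__":
    hex_secret = secret_to_hex("JBSWY3DPEHPK3PXP")   # secret from the post
    print(hex_secret)                                # 48656c6c6f21deadbeef
    print(totp(bytes.fromhex(hex_secret)))           # compare with the app
```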