The YubiKey 4 is a multi-purpose USB key produced by Yubico.

It can be used for 2-factor authentication (OTP, U2F, OATH and static password) and as a CCID smartcard (both PIV and OpenPGP), visit the Yubico product page for a full list of features and a comparison with previous versions.

udev

If you have libu2f-host0 installed, you do not need the modification below, see 846359.

Up to jessie, to use the card as a non-root users, you need to add a line to /etc/udev/rules.d/99-yubikeys.rules to the tell udev either

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"

By default, an even better configuration would be to merge the two lines:

# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"

Configuration

Yubico develops various software to access the key, among them:

OTP

The key does not have a battery, so for TOTP you need an external tools:

Reset

If the Admin PIN counter reaches 0, the card is not bricked, but it can be reset to factory defaults. ATTENTION, this clear everything on the card!

See https://lists.gnupg.org/pipermail/gnupg-users/2013-March/046261.html (via https://lists.gnupg.org/pipermail/gnupg-users/2015-February/052378.html).

PIV

Check also Debian SSO (Single Sign-On) with a YubiKey.

OpenPGP

Various interesting HowTo, especially useful if you are new to OpenPGP subkeys:

Needed packages

To access the card you need GnuPG, the version in wheezy is fine for signing/encrypting.

However, if you want to use 4096-bits RSA keys, you need GnuPG 2.x, with the corresponding gpg-agent and scdaemon, at least the version in wheezy-backports, i.e. 2.0.25-1~bpo70+1.

GNOME Keyring

Please note that you need at least gnome-keyring 3.16.0-3 which disables the internal gpg-agent and relies on pinentry-gnome/gnupg-agent instead, see 773304.

For previous gnome-keyring versions, you should manually disables the internal gpg-agent and ssh-agent (if needed), see 623539:

$ mkdir -p ~/.config/autostart
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-gpg.desktop - \
  >>~/.config/autostart/gnome-keyring-gpg.desktop
$ echo 'X-GNOME-Autostart-enabled=false' \
  | cat /etc/xdg/autostart/gnome-keyring-ssh.desktop - \
  >>~/.config/autostart/gnome-keyring-ssh.desktop

OpenSSH authentication

This works out-of-the box on wheezy with GnuPG Agent and the corresponding scdaemon. You need to configure:

use-agent

enable-ssh-support

Once the agent started and the key plugged in, you can check if its authentication key has been added to the agent via the ssh-add -l command and then export the public key via the ssh-add -L command.

However, if you use GNOME Keyring, read this note.

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.