The YubiKey 4 is a multi-purpose USB key produced by Yubico.
It can be used for 2-factor authentication (OTP, U2F, OATH and static password) and as a CCID smartcard (both PIV and OpenPGP). Visit the Yubico product page for a full list of features and a comparison with previous versions.
udev
If you have libu2f-host0 installed, you do not need the modification below, see 846359.
Up to jessie, to use the card as a non-root user, you need to add a line to /etc/udev/rules.d/99-yubikeys.rules to tell udev either
- to give permissions to the plugdev group:
# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"
- or to let systemd-logind add the ACLs for the console user (thanks to Sam Morris via Iain Learmonth):
# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"
An even better configuration would be to merge the two lines:
# YubiKey 4 OTP+U2F+CCID
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev", TAG+="uaccess"
Configuration
Yubico develops various software to access the key, among them:
- YubiKey Personalization to configure all the 2-factor authentication protocols
  - you need at least the jessie-backports version, i.e. >= 1.17.2-1, see 793101
- Yubico PIV (Privilege and Identification Verification) for PKCS #11
OTP
The key does not have a battery, so for TOTP you need an external tool:
- yubikey-totp to generate a TOTP code from a secret stored on the key
  - you need at least the version in stretch, i.e. 1.3.1-1
- Yubico Authenticator to generate OATH-HOTP and OATH-TOTP one-time password codes from secrets protected by the key
Reset
If the Admin PIN counter reaches 0, the card is not bricked, but it can be reset to factory defaults. ATTENTION, this clears everything on the card!
See https://lists.gnupg.org/pipermail/gnupg-users/2013-March/046261.html (via https://lists.gnupg.org/pipermail/gnupg-users/2015-February/052378.html).
PIV
Check also Debian SSO (Single Sign-On) with a YubiKey.
OpenPGP
Links
Various interesting HowTo, especially useful if you are new to OpenPGP subkeys:
https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/
https://www.sidorenko.io/blog/2014/11/04/yubikey-slash-openpgp-smartcards-for-newbies/
Needed packages
To access the card you need GnuPG, the version in wheezy is fine for signing/encrypting.
However, if you want to use 4096-bit RSA keys, you need GnuPG 2.x, with the corresponding gpg-agent and scdaemon, at least the version in wheezy-backports, i.e. 2.0.25-1~bpo70+1.
GNOME Keyring
Please note that you need at least gnome-keyring 3.16.0-3 which disables the internal gpg-agent and relies on pinentry-gnome/gnupg-agent instead, see 773304.
For previous gnome-keyring versions, you should manually disable the internal gpg-agent and ssh-agent (if needed), see 623539:
$ mkdir -p ~/.config/autostart
$ echo 'X-GNOME-Autostart-enabled=false' \
    | cat /etc/xdg/autostart/gnome-keyring-gpg.desktop - \
    >>~/.config/autostart/gnome-keyring-gpg.desktop
$ echo 'X-GNOME-Autostart-enabled=false' \
    | cat /etc/xdg/autostart/gnome-keyring-ssh.desktop - \
    >>~/.config/autostart/gnome-keyring-ssh.desktop
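The same per-user override, wrapped in a reusable shell function (an added example, not from this wiki page): it copies the system .desktop entry into the user's autostart directory, appends X-GNOME-Autostart-enabled=false, refuses to act on an entry that does not exist, and is safe to run twice. The function names and the optional directory arguments are this example's own; the defaults are the paths used above.

```shell
#!/bin/sh
# Added example (not part of the Debian wiki page): disable a GNOME
# autostart entry for the current user. The system copy under
# /etc/xdg/autostart is left untouched; the override lives only in
# ~/.config/autostart, which GNOME reads first.

# disable_gnome_autostart NAME [SYSTEM_DIR] [USER_DIR]
#   NAME        desktop file name without .desktop, e.g. gnome-keyring-gpg
#   SYSTEM_DIR  system-wide autostart directory (default /etc/xdg/autostart)
#   USER_DIR    per-user autostart directory (default ~/.config/autostart)
# Returns 0 on success, 1 if the system entry does not exist.
disable_gnome_autostart() {
    name="$1"
    sysdir="${2:-/etc/xdg/autostart}"
    userdir="${3:-${XDG_CONFIG_HOME:-$HOME/.config}/autostart}"
    src="$sysdir/$name.desktop"
    dst="$userdir/$name.desktop"

    if [ ! -f "$src" ]; then
        echo "no such autostart entry: $src" >&2
        return 1
    fi
    mkdir -p "$userdir"
    # Idempotent: a user copy that already carries the flag is left alone,
    # so repeated runs do not pile up duplicate keys.
    if [ -f "$dst" ] && grep -q '^X-GNOME-Autostart-enabled=false' "$dst"; then
        return 0
    fi
    # Start from the system file so every other key (Exec, OnlyShowIn, ...)
    # is preserved, make sure it ends with a newline, then append the flag
    # inside the [Desktop Entry] group (the only group these files have).
    {
        cat "$src"
        [ -n "$(tail -c1 "$src")" ] && echo
        printf '%s\n' 'X-GNOME-Autostart-enabled=false'
    } > "$dst"
}

# is_gnome_autostart_disabled NAME [USER_DIR]
# Returns 0 if the user override disables the entry, 1 otherwise.
is_gnome_autostart_disabled() {
    name="$1"
    userdir="${2:-${XDG_CONFIG_HOME:-$HOME/.config}/autostart}"
    grep -qs '^X-GNOME-Autostart-enabled=false' "$userdir/$name.desktop"
}
```

Call it once per component, e.g. `disable_gnome_autostart gnome-keyring-gpg` and `disable_gnome_autostart gnome-keyring-ssh`, then log out and back in for GNOME to pick up the override.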
OpenSSH authentication
This works out of the box on wheezy with GnuPG Agent and the corresponding scdaemon. You need to configure:
- GnuPG to use the agent, in ~/.gnupg/gpg.conf:
use-agent
- GnuPG Agent to also act as an SSH agent, in ~/.gnupg/gpg-agent.conf:
enable-ssh-support
Once the agent has started and the key is plugged in, you can check whether its authentication key has been added to the agent with the ssh-add -l command, and then export the public key with the ssh-add -L command.
However, if you use GNOME Keyring, read this note.
License
This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.
