Differences between revisions 2 and 3
Revision 2 as of 2016-02-24 23:27:36
Size: 2381
Editor: LucaCapello
Comment: add Licence section
Revision 3 as of 2016-02-25 21:33:52
Size: 2922
Editor: LucaCapello
Comment: add udev section
Deletions are marked like this. Additions are marked like this.
Line 7: Line 7:


= udev =

Up to jessie, to use the card as a non-root users, you need to add a line to ''/etc/udev/rules.d/99-yubikeys.rules'' to the tell udev either

 * to give permissions to the plugdev group
{{{
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"
}}}

 * to let systemd-logind (thanks to [[https://iain.learmonth.me/yubikey-udev/|Sam Morris via Iaian Learmoth]]) adding the ACLs for the console user
{{{
SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"
}}}
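Review bot: the link text "Sam Morris via Iaian Learmoth" does not match the linked host iain.learmonth.me, so the name is probably misspelt (Iain Learmonth); in the same bullet "adding the ACLs" should read "add the ACLs", and the intro line has "non-root users" for "non-root user" and "to the tell udev" for "to tell udev". Since readers have to pick one of the two rules, it would help to say in the intro that GROUP="plugdev" gives every member of plugdev access whenever the key is plugged in, while TAG+="uaccess" restricts access to the user logged in at the console, as the second bullet already implies.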
Line 36: Line 51:
To access the cards you need [[https://packages.debian.org/gnupg|GnuPG]], [[https://packages.debian.org/gnupg-agent|GnuPG Agent]] and [[https://packages.debian.org/scdaemon|GnuPG Smartcard Daemon]]. To access the card you need [[https://packages.debian.org/gnupg|GnuPG]] and [[https://packages.debian.org/gnupg-agent|GnuPG Agent]], the version in wheezy are fine for signing/encrypting.
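Review bot: the new wording drops the scdaemon link from the list of required packages, but the OpenPGP section on the rendered page still says GnuPG 2.x needs the corresponding gpg-agent and scdaemon for 4096-bit RSA keys; a short clause saying scdaemon is only needed with GnuPG 2.x would keep the two statements consistent. Also "the version in wheezy are fine" should read "the versions in wheezy are fine".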

The YubiKey 4 is a multi-purpose USB key produced by Yubico.

It can be used for 2-factor authentication (OTP, U2F, OATH and static password) and as a CCID smartcard (both PIV and OpenPGP), visit the Yubico product page for a full list of features and a comparison with previous versions.

udev

Up to jessie, to use the card as a non-root user, you need to add a line to /etc/udev/rules.d/99-yubikeys.rules telling udev either:

  • to give permissions to the plugdev group:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

  • to let systemd-logind (thanks to Sam Morris via Iain Learmonth, https://iain.learmonth.me/yubikey-udev/) add the ACLs for the console user:

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"
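As an added illustration that is not part of the wiki page, the following Python script parses the two rules above and evaluates them against constructed device attribute sets, showing which assignments each rule makes for a YubiKey 4 (vendor 1050, product 0407) and that a device with a made-up product id gets nothing. It models only udev's glob-style comparison on the keys shown; the attribute dicts are constructed for the example.

```python
import fnmatch
import re
# The two rules from the page, copied here so the example runs stand-alone.
RULES = [
    'SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"',
    'SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"',
]
# One rule token: KEY or KEY{attr}, an operator, a quoted value, then a comma or end of line.
TOKEN = re.compile(r'\s*([A-Z]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"\s*(?:,|$)')

def parse_rule(line):
    """Split one rule into (key, attr, op, value) tuples; reject anything not tokenizable."""
    tokens, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if m is None:
            raise ValueError(f"cannot parse rule at offset {pos}: {line[pos:]!r}")
        tokens.append(m.groups())
        pos = m.end()
    return tokens

def apply_rule(line, device):
    """Return what a rule assigns for `device` (dict of match key -> value), or None on mismatch.
    Only udev's glob-style comparison is modelled; '|' alternatives are not."""
    assignments = {}
    for key, attr, op, value in parse_rule(line):
        name = f"{key}{{{attr}}}" if attr else key
        if op in ("==", "!="):
            matched = fnmatch.fnmatchcase(device.get(name, ""), value)
            if matched != (op == "=="):
                return None  # this clause rules the device out
        elif op == "=":
            assignments[name] = value  # plain assignment, e.g. GROUP="plugdev"
        else:
            assignments.setdefault(name, []).append(value)  # '+=' appends, e.g. TAG+="uaccess"
    return assignments

def grants_for(device, rules=RULES):
    """Evaluate every rule against `device` and merge what the matching ones assign."""
    merged = {}
    for rule in rules:
        for name, value in (apply_rule(rule, device) or {}).items():
            if isinstance(value, list):
                merged.setdefault(name, []).extend(value)
            else:
                merged[name] = value
    return merged
# Constructed attribute sets: a YubiKey 4 as the rules describe it, and a made-up product id.
YUBIKEY4 = {"SUBSYSTEMS": "usb", "ATTRS{idVendor}": "1050", "ATTRS{idProduct}": "0407"}
OTHER_DEVICE = {"SUBSYSTEMS": "usb", "ATTRS{idVendor}": "1050", "ATTRS{idProduct}": "ffff"}
```

Calling grants_for(YUBIKEY4) merges both rules into {'GROUP': 'plugdev', 'TAG': ['uaccess']}, while grants_for(OTHER_DEVICE) returns {}.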

Configuration

Yubico develops various software to access the key, among them:

OTP

The key does not have a battery, so for TOTP you need external tools:

  • yubikey-totp to generate a TOTP code from a secret stored on the key.

    • you need at least the version in stretch, i.e. 1.3.1-1
  • Yubico Authenticator to generate OATH-HOTP and OATH-TOTP one-time password codes from secrets protected by the key

PIV

Check also Debian SSO (Single Sign-On) with a YubiKey.

OpenPGP

To access the card you need GnuPG and GnuPG Agent; the versions in wheezy are fine for signing and encrypting.

If you want to use 4096-bits RSA keys, you need GnuPG 2.x, with the corresponding gpg-agent and scdaemon, at least the version in wheezy-backports, i.e. 2.0.25-1~bpo70+1.

OpenSSH authentication

This works out of the box on wheezy when GnuPG Agent is also acting as an SSH agent (option enable-ssh-support in ~/.gnupg/gpg-agent.conf).

Once the key has been plugged in, you can check if its authentication key has been added to the SSH agent via the ssh-add -L command.

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.