The YubiKey 4 is a multi-purpose USB key produced by Yubico.

It can be used for 2-factor authentication (OTP, U2F, OATH and static password) and as a CCID smartcard (both PIV and OpenPGP), visit the Yubico product page for a full list of features and a comparison with previous versions.

Contents

  1. udev
  2. Configuration
  3. OTP
  4. PIV
  5. OpenPGP
    1. OpenSSH authentication
  6. License

udev

Up to jessie, to use the card as a non-root users, you need to add a line to /etc/udev/rules.d/99-yubikeys.rules to the tell udev either 

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", GROUP="plugdev"

SUBSYSTEMS=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", TAG+="uaccess"

Configuration

Yubico develops various software to access the key, among them:

OTP

The key does not have a battery, so for TOTP you need an external tools:

PIV

Check also Debian SSO (Single Sign-On) with a YubiKey.

OpenPGP

To access the card you need GnuPG and GnuPG Agent, the version in wheezy are fine for signing/encrypting.

If you want to use 4096-bits RSA keys, you need GnuPG 2.x, with the corresponding gpg-agent and scdaemon, at least the version in wheezy-backports, i.e. 2.0.25-1~bpo70+1.

OpenSSH authentication

This works out-of-the box on wheezy when GnuPG Agent is acting also as an SSH agent (option enable-ssh-support in ~/.gnupg/gpg-agent.conf).

Once the key has been plugged in, you can check if its authentication key has been added to the SSH agent via the ssh-add -L command.

License

This document is licensed under the terms of the GNU General Public License (GPL), version 2 or (at your option) any later version.