YubiKey brain. How to make Ubuntu 22.04.1 LTS friends with a hardware security key?

  • We connect the repositories, install the software and the necessary libraries.

  • We connect the PKCS module for our yubik.

  • We initialize the device (the item is optional if you have already configured all pin,puk,managment-key… – you don’t need to change anything).

  • We set up a two-factor system in the system through 2FA.

  • We edit the sudo, gdm, login configs (there is maximum care here, I advise you to prepare a root terminal for every fireman or if you are a risky guy (like me), you can immediately make yourself a bootable USB flash drive with live mode so that when everything flies off, boot from it, mount the disk and fix what you did there ^_^).

  • Set up the ssh client configuration, generate a PUB key (access to remote servers only with ubik).

  • enjoy the result)

Installing Utilities and Libraries

We check the repositories, they should be default, if they changed, return them.

I’ll leave the repositories just in case
sudo nano /etc/apt/sources.list
deb http://ru.archive.ubuntu.com/ubuntu/ jammy universe
deb http://ru.archive.ubuntu.com/ubuntu/ jammy multiverse
deb http://security.ubuntu.com/ubuntu jammy-security universe
deb http://ru.archive.ubuntu.com/ubuntu/ jammy main restricted
deb http://security.ubuntu.com/ubuntu jammy-security multiverse
deb http://ru.archive.ubuntu.com/ubuntu/ jammy-updates universe
deb http://ru.archive.ubuntu.com/ubuntu/ jammy-updates multiverse
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
deb http://ru.archive.ubuntu.com/ubuntu/ jammy-updates main restricted
deb http://ru.archive.ubuntu.com/ubuntu/ jammy-backports main restricted universe multiverse
sudo apt update
 #Устанавливаем библиотеки и софт для работы
 sudo apt install -y ykcs11 yubico-piv-tool yubikey-manager scdaemon yubikey-personalization opensc libnss3-tools

A separate utility deserves special attention pamu2fcfg. Included with libpam-u2f. You need version 1.0.8-1.

#Проверяем версию
sudo apt-cache policy pamu2fcfg

If this is not observed, download the archive or connect the ubuntu 20.04 repository and download it from there.

I’ll leave the repositories here as well.
sudo nano /etc/apt/sources.list
deb http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-security main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ focal-backports main restricted universe multiverse
deb http://archive.canonical.com/ubuntu focal partner
deb-src http://archive.canonical.com/ubuntu focal partner
sudo apt update
sudo apt install -y pamu2fcfg=1.0.8-1
#Не забываем вернуть репозитории!)

We connect the PKCS module for our yubik.

First, insert the key into the usb-connector.

#Включаем демон pcscd который координирует связь приложений со смарт картами и криптографическими токенами 
sudo systemctl start  pcscd.service
sudo systemctl enable  pcscd.service

#затем подключаем модуль
cd .pki/nssdb/

#проверяем что модуля нет
modutil -list -dbdir . 
modutil -dbdir . -add "Yubikey" -libfile /usr/lib/x86_64-linux-gnu/libykcs11.so

#проверяем что модуль есть)
modutil -list -dbdir . 

Key initialization.

There is a detailed manual on the official website, but for dear Khabrovites I will leave it here
# default PIN - 123456
ykman piv change-pin

# default PUK - 12345678
ykman piv change-puk

# generate MGM key stored on device and protected by PIN
ykman piv change-management-key 

# Generate Slot 9a PIV Authentication (authenticate the card and the cardholder)
yubico-piv-tool -s 9a -a generate --touch-policy=always --pin-policy=never -o public.pem -k
yubico-piv-tool -s 9a -a request-certificate --touch-policy=always --pin-policy=never -i public.pem -o cert.csr -k -S "/CN=InsertNewName/"
# подписать на CA ноуте
yubico-piv-tool -a import-certificate --touch-policy=always --pin-policy=never -s 9a -i ~/Documents/NewName.crt -k
yubico-piv-tool -a status

We set up a two-factor system in the system through 2FA.

Everything is executed from an unprivileged user. Yubikey must be connected.

mkdir -p ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
sudo mv ~/.config/Yubico /etc/Yubico
sudo chown root:root /etc/Yubico/u2f_keys

Edit sudo,gdm,login configs.

sudo sed -i -e '/^@include common-auth.*/a auth       required   pam_u2f.so authfile=/etc/Yubico/u2f_keys ' /etc/pam.d/sudo
sudo sed -i -e '/^@include common-auth.*/a auth       required   pam_u2f.so authfile=/etc/Yubico/u2f_keys ' /etc/pam.d/gdm-password
sudo sed -i -e '/^@include common-auth.*/a auth       required   pam_u2f.so authfile=/etc/Yubico/u2f_keys ' /etc/pam.d/login

Set up the ssh client configuration, generate a PUB key.

cat <<EOF > ~/.ssh/config
Host *
 PKCS11Provider /usr/lib/x86_64-linux-gnu/libykcs11.so
 GSSAPIAuthentication no
 HashKnownHosts yes
# ControlMaster auto
# ControlPath ~/.ssh/cm_socket/%r@%h:%p
EOF

ssh-keygen -D /usr/lib/x86_64-linux-gnu/libykcs11.so -e

That’s all 🙂

Similar Posts

Leave a Reply Cancel reply