====== Linux authentication with Yubikey ======

A basic procedure to use your [[https://www.yubico.com/|Yubikey]] instead of your password with sudo and session authentication on Fedora.

===== Installation =====

You must start by installing the necessary packages for U2F authentication.

''sudo dnf install pam-u2f pamu2fcfg''

Then you have to create the directory for the Yubikey.

''mkdir -p ~/.config/Yubico''

===== Save your Yubikey =====

Just plug your Yubikey in your computer then type the following command

''pamu2fcfg > ~/.config/Yubico/u2f_keys''

When the yubikey's light's flashing, you must touch it to validate the action.
In theory, you really should have a second Yubikey. If you have one, add it using

'' pamu2fcfg -n >> ~/.config/Yubico/u2f_keys''

===== sudo and login configuration =====

On Fedora, the best way to do it is by using ''authselect'' by typing

''sudo authselect select sssd'' ("sssd" being the PAM profile for authentication)

''sudo authselect enable-feature with-pam-u2f'' (or ''with-pam-u2f-2fa'' if you want real 2fa and not just replace your password)

You can check if it worked by typing

''authselect current''

You should see ''with-pam-u2f'' in the list

===== Final test =====

First, keep your current terminal open (to not be blocked out of your system if it didn't work as it should have).

Open a new terminal and type a command with sudo (i.e. ''sudo ls'')

It should ask you to touch your Yubikey instead of asking for your password !

{{:procedures:thumbs_up_cat_meme.png?nolink&400|}}