Configuring HMAC-SHA1 Challenge-Response
The first step is to set up the Yubikey for HMAC-SHA1 Challenge-Response authentication. This can be done either with the Yubikey Personalization Tool or via the ykpersonalize command-line utility.
Using the ykpersonalize command-line utility
First, start by installing ykpers:
❯ brew install ykpers
Then:
❯ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig -oserial-api-visible
Which means:
- Use slot 2 (-2)
- Set challenge-response mode (-ochal-resp)
- Generate HMAC-SHA1 challenge responses (-ochal-hmac)
- Calculate the HMAC over less than 64 bytes of input (-ohmac-lt64)
- Require a button touch before the key answers a challenge (-ochal-btn-trig)
- Allow the Yubikey's serial number to be read using an API call (-oserial-api-visible); ykpamcfg and pam_yubico name the per-key challenge file in ~/.yubico after the serial, so they cannot work without this
ykpersonalize asks for confirmation before overwriting whatever is currently in slot 2, and it generates a random HMAC secret for you when none is given. The secret never has to leave the key for challenge-response, so there is nothing to write down.
Using the Yubikey Personalization Tool
- Plug in your Yubikey
- Click Challenge-Response
- Select HMAC-SHA1 mode
- Choose Configuration Slot 2
- Select Require user input (button press)
- Select Variable input as HMAC-SHA1 mode
- Click Write Configuration and don't save any logging file as it exposes the secret key written to the Yubikey
Generating the initial challenge
Install pam_yubico:
❯ brew install pam_yubico
❯ mkdir -m0700 -p ~/.yubico
Generate the initial challenge for slot 2 (this asks the key for one response, so expect one touch, and writes the challenge file ~/.yubico/challenge-<serial>):
❯ ykpamcfg -2
Enable Challenge-Response authentication module
Confirm the pam_yubico.so file exists, so you don't lock yourself out of sudo by pointing PAM at a missing module. The path below is the Intel Homebrew prefix; on Apple Silicon Homebrew lives under /opt/homebrew, and brew --prefix pam_yubico prints the right base either way:
❯ test -e /usr/local/opt/pam_yubico/lib/security/pam_yubico.so && echo "File exists, you may proceed."
Start a new shell session and obtain root in it (for example with sudo -s) before touching the PAM file, so you still have a privileged shell to revert from if the configuration is wrong.
Then edit /etc/pam.d/sudo on another shell session and add the following line as the first one:
auth required /usr/local/opt/pam_yubico/lib/security/pam_yubico.so mode=challenge-response
On macOS Sonoma and later, /etc/pam.d/sudo is overwritten by system updates but includes /etc/pam.d/sudo_local, so put the line there instead (copy /etc/pam.d/sudo_local.template if that file does not exist yet).
Confirm you need to touch the Yubikey by running the following command on a new shell session:
❯ sudo -l
Notice that you will actually need to touch the Yubikey twice: once so the key answers the challenge currently on file, and, if that response matches, once more so the module can store the response to a fresh challenge. The rotation is what makes a response captured on the USB bus useless for a later attempt.
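The following Python is an added illustration, not part of the original guide and not pam_yubico's own code. It simulates the flow behind those two touches: a fake key slot that only ever returns HMAC-SHA1 responses, the one-touch setup ykpamcfg performs, the verify-then-rotate step each sudo prompt performs, and why a wrong key or a replayed response is rejected. FakeYubiKeySlot, make_initial_state, authenticate, replay_accepted and demo are names chosen here; the dict stands in for the challenge file without reproducing its real on-disk format, and the 63-byte limit is enforced in software rather than by modelling the device's padding rules.

```python
import hashlib
import hmac
import os


class FakeYubiKeySlot:
    """Stand-in for a slot programmed with -ochal-resp -ochal-hmac
    -ohmac-lt64 -ochal-btn-trig. A real key keeps the 20-byte secret
    on-chip and only returns HMAC-SHA1 responses; 'touches' counts the
    button presses chal-btn-trig would demand."""

    def __init__(self, secret: bytes):
        if len(secret) != 20:
            raise ValueError("HMAC-SHA1 slot secret is 20 bytes")
        self._secret = secret
        self.touches = 0

    def challenge_response(self, challenge: bytes) -> bytes:
        # hmac-lt64: the challenge must be shorter than 64 bytes. Enforced
        # here (assumption) instead of modelling the device padding rules.
        if not 0 < len(challenge) < 64:
            raise ValueError("challenge must be 1..63 bytes")
        self.touches += 1  # one button press per response
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def make_initial_state(key: FakeYubiKeySlot) -> dict:
    """Models 'ykpamcfg -2': draw a random challenge, ask the key for its
    response once, store both. The dict plays the role of
    ~/.yubico/challenge-<serial> (real file format not reproduced)."""
    challenge = os.urandom(32)
    return {"challenge": challenge, "response": key.challenge_response(challenge)}


def authenticate(state: dict, key: FakeYubiKeySlot) -> bool:
    """Models one sudo prompt with mode=challenge-response.
    Touch 1: the key answers the stored challenge; compare in constant time.
    Touch 2 (only on success): store the response to a fresh challenge, so
    the response just used can never satisfy a later prompt."""
    answer = key.challenge_response(state["challenge"])
    if not hmac.compare_digest(answer, state["response"]):
        return False  # wrong key: no rotation, state left untouched
    new_challenge = os.urandom(32)
    state["challenge"] = new_challenge
    state["response"] = key.challenge_response(new_challenge)
    return True


def replay_accepted(state: dict, captured_response: bytes) -> bool:
    """Would a response sniffed during an earlier exchange satisfy the
    current state? After a successful rotation it never does."""
    return hmac.compare_digest(captured_response, state["response"])


def demo() -> dict:
    """Run the whole flow with constructed keys and report what happened."""
    real_key = FakeYubiKeySlot(bytes(range(20)))  # constructed secret
    other_key = FakeYubiKeySlot(bytes(20))        # a different key
    state = make_initial_state(real_key)          # ykpamcfg: 1 touch
    sniffed = state["response"]                   # what a USB sniffer saw
    return {
        "touches_after_ykpamcfg": real_key.touches,            # 1
        "wrong_key_accepted": authenticate(state, other_key),  # False
        "real_key_accepted": authenticate(state, real_key),    # True
        "touches_after_sudo": real_key.touches,                # 3
        "replay_accepted": replay_accepted(state, sniffed),    # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that a failed attempt does not rotate the challenge, so a stranger's key plugged in by mistake leaves the file usable by the real key; only a successful verification advances the state.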