The first step is to set up the Yubikey for HMAC-SHA1 Challenge-Response authentication. This can be done either with the Yubikey Personalization Tool or via the ykpersonalize command-line utility.
First, start by installing ykpers and then writing the configuration to the key with ykpersonalize:
❯ brew install ykpers
❯ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -ochal-btn-trig
Which basically means:
- Use slot 2 (-2)
- Set challenge-response mode (-ochal-resp)
- Generate HMAC-SHA1 challenge responses (-ochal-hmac)
- Calculate the HMAC on less than 64 bytes of input, i.e. variable-length challenges (-ohmac-lt64)
- Require a button press on the key before each response is produced (-ochal-btn-trig)
- The Yubikey will allow its serial number to be read using an API call
Alternatively, with the Yubikey Personalization Tool:
- Plug in your Yubikey
- Click Challenge-Response
- Select HMAC-SHA1 mode
- Choose Configuration Slot 2
- Select Require user input (button press)
- Select Variable input as HMAC-SHA1 mode
- Click Write Configuration and don't save any logging file as it exposes the secret key written to the Yubikey
Next, install pam_yubico and create the directory that will hold the challenge file:
❯ brew install pam_yubico
❯ mkdir -m0700 -p ~/.yubico
Generate the initial challenge request:
❯ ykpamcfg -2
Make sure the pam_yubico.so file exists before touching the PAM configuration, to avoid being locked out of sudo:
❯ test -e /usr/local/opt/pam_yubico/lib/security/pam_yubico.so && echo "File exists, you may proceed."
Start a new shell session with sudo just to make sure you can still find your way out in case there is an error with the PAM file.
Then edit /etc/pam.d/sudo in another shell session and add the following line as the first one:
auth required /usr/local/opt/pam_yubico/lib/security/pam_yubico.so mode=challenge-response
Confirm you need to touch the Yubikey by running the following command on a new shell session:
❯ sudo -l
Notice that you will actually need to touch the Yubikey twice: once to verify the current challenge on file, and again to generate a new challenge-response pair on success.
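The two touches correspond to the verify-then-rotate cycle pam_yubico runs against the challenge file that ykpamcfg created. Below is a small Python model of that cycle, added here as an illustration and not taken from pam_yubico or the original post; the secret, the 63-byte challenge length, and the class and function names are constructed stand-ins.

```python
"""Model of the pam_yubico challenge-response cycle (added example).

A Yubikey in HMAC-SHA1 challenge-response mode answers any challenge with
HMAC-SHA1(secret, challenge); the secret never leaves the key.  ykpamcfg
stores one challenge and its expected response under ~/.yubico, and every
successful authentication verifies that pair and then rotates it, which is
why the key has to be touched twice.
"""
import hashlib
import hmac
import secrets


class SimulatedYubikey:
    """Stand-in for the hardware token: it only ever exposes the HMAC."""

    def __init__(self, secret: bytes):
        # Constructed test secret; on real hardware it cannot be read back.
        self._secret = secret

    def touch(self, challenge: bytes) -> bytes:
        # -ohmac-lt64: variable-length input, strictly under 64 bytes.
        if not 1 <= len(challenge) <= 63:
            raise ValueError("challenge must be 1..63 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class ChallengeStore:
    """Stand-in for the ~/.yubico challenge file: one challenge/response pair."""

    def __init__(self, key: SimulatedYubikey):
        # ykpamcfg: pick a random challenge and record the key's answer.
        self.challenge = secrets.token_bytes(63)
        self.response = key.touch(self.challenge)  # first touch, at setup


def authenticate(store: ChallengeStore, key: SimulatedYubikey) -> bool:
    """One sudo authentication: verify the stored pair, then rotate it."""
    # Touch 1: the key must reproduce the response recorded for the
    # challenge on file; a failure leaves the stored pair untouched.
    if not hmac.compare_digest(key.touch(store.challenge), store.response):
        return False
    # Touch 2: rotate the pair so a captured response is only good until
    # the next successful login.
    store.challenge = secrets.token_bytes(63)
    store.response = key.touch(store.challenge)
    return True
```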