Creating the Yubikey PAM authentication policy
Obtaining the Yubikey token ID
The Yubikey token ID is a public identifier that uniquely identifies the key. You can obtain the Yubikey token ID in several ways.
The quickest way of getting the token ID is to remove the last 32 characters of any OTP (One Time Password) generated by the Yubikey.
- Open a terminal.
- Long-touch the Yubikey.
- An OTP token will be output to the shell:
❯ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
The corresponding token ID is cccccccgklgc, i.e. the OTP with its last 32 characters removed:
cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
|-token ID-||----- last 32 characters -----|
If you'd like to experiment with other ways, you can enable the debug mode of a local Yubico PAM module and authenticate with it: the token ID is printed in the debug output. There is also a web tool at https://demo.yubico.com/modhex.php where you can enter the OTP above, select OTP as the source format, and read the token ID from the Modhex-encoded value.
Create system-wide Yubikeys mapping
The file /etc/yubikeys (as listed below) must contain, for each user, the UNIX user name on the remote server and the Yubikey token ID, separated by colons. Example format:
<user-1>:<yubikey-id-1>
<user-2>:<yubikey-id-1>
<user-3>:<yubikey-id-2>:<yubikey-id-3>
So, continuing the example above and allowing the same Yubikey to authenticate with two different users:
root:cccccccgklgc
foobar:cccccccgklgc
After editing the file, set its permissions:
❯ chmod 644 /etc/yubikeys
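The two steps above (stripping the last 32 characters of an OTP to get the token ID, and the <user>:<id>[:<id>...] mapping format) as an added example that is not part of the original page; the function names and the sample mapping are assumptions made for this demonstration:

```python
# Added example, not code from the original page: derive the Yubikey token ID
# from an OTP and check it against an /etc/yubikeys-style mapping. Function
# names and the sample mapping below are assumptions made for this demo.

MODHEX = set("cbdefghijklnrtuv")  # Yubico's modhex alphabet
OTP_LEN = 32                      # every OTP ends with 32 modhex characters

def token_id_from_otp(otp: str) -> str:
    """Return the public token ID: the OTP with its last 32 characters removed."""
    otp = otp.strip()
    if len(otp) <= OTP_LEN or not set(otp) <= MODHEX:
        raise ValueError("not a valid Yubikey OTP")
    return otp[:-OTP_LEN]

def parse_yubikeys_mapping(text: str) -> dict:
    """Parse '<user>:<id>[:<id>...]' lines into {user: {ids}}; skip blanks and comments."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        if not user or not ids or not all(i and set(i) <= MODHEX for i in ids):
            raise ValueError(f"malformed mapping on line {lineno}: {raw!r}")
        mapping.setdefault(user, set()).update(ids)
    return mapping

def is_authorized(mapping: dict, user: str, otp: str) -> bool:
    """True if the token ID derived from otp is listed for user."""
    try:
        return token_id_from_otp(otp) in mapping.get(user, set())
    except ValueError:
        return False

# Constructed sample mapping that reuses the page's example token ID.
SAMPLE_MAPPING = """\
# <user>:<yubikey-id-1>[:<yubikey-id-2>...]
root:cccccccgklgc
foobar:cccccccgklgc
alice:ccccccbchvth:cccccccgklgc
"""

if __name__ == "__main__":
    otp = "cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj"  # the OTP shown above
    print(token_id_from_otp(otp))           # cccccccgklgc
    m = parse_yubikeys_mapping(SAMPLE_MAPPING)
    print(is_authorized(m, "foobar", otp))  # True
    print(is_authorized(m, "bob", otp))     # False
```

The parser rejects malformed lines instead of silently skipping them, which is the failure mode you want to catch before a mapping file is deployed.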
Using individual Yubikey user mapping
Alternatively, an individual mapping file can be configured per user. In that case, the authfile directive should be removed.
First, create a .yubico folder inside the user's home:
❯ mkdir -m700 /home/<user>/.yubico
Then, add the Yubikey mapping to /home/<user>/.yubico/authorized_yubikeys:
<user>:<yubikey-id-1>