The Yubikey token ID is a public identifier that uniquely identifies the key. You can obtain the Yubikey token ID in several ways.
The quickest way of getting the token ID is to remove the last 32 characters of any OTP (One Time Password) generated by the Yubikey.
- Open a terminal.
- Long-touch the Yubikey.
- An OTP token will be output to the shell:
❯ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found
The corresponding token ID is the leading part that remains after the last 32 characters are removed:
cccccccgklgc
(the trailing 32 characters, vnkcvnnegrnhgrjkhlkfhdkclfncvlgj, are the one-time part of the OTP)
If you'd like to experiment with other ways, you can enable the debug mode of a locally installed Yubico PAM module and authenticate with it; the ID is printed in the debug output. There is also a web page at https://demo.yubico.com/modhex.php where you can enter the OTP above, select OTP as the source format and read the token ID off the Modhex-encoded value.
/etc/yubikeys (as listed below) must contain, for each user, the UNIX user name on the remote server and that user's Yubikey token ID(s), separated by colons. Example format:
<user-1>:<yubikey-id-1>
<user-2>:<yubikey-id-1>
<user-3>:<yubikey-id-2>:<yubikey-id-3>
So, continuing the example above and allowing the same Yubikey to authenticate with two different users:
❯ chmod 644 /etc/yubikeys
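To make the two steps above concrete (cutting the token ID out of an OTP, and mapping users to IDs in the /etc/yubikeys format), here is an added example in Python. It is not pam_yubico's own code; the user names and the extra token IDs in the sample mapping are constructed, and only the OTP from the text above is real.

```python
# Added example: token-ID extraction and /etc/yubikeys-style mapping lookup.
MODHEX = "cbdefghijklnrtuv"  # Yubico's modhex alphabet: 'c' = 0 ... 'v' = 15
OTP_BODY_LEN = 32            # the trailing one-time part of every Yubikey OTP


def token_id_from_otp(otp):
    """Remove the last 32 modhex characters; what remains is the public token ID."""
    otp = otp.strip()
    if len(otp) <= OTP_BODY_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a Yubikey OTP (expected more than 32 modhex characters)")
    return otp[:-OTP_BODY_LEN]


def modhex_to_hex(s):
    """Decode modhex to hex, the value the demo.yubico.com page shows for the ID."""
    return "".join(format(MODHEX.index(ch), "x") for ch in s)


def parse_mapping(text):
    """Parse lines of the form user:id1[:id2...] into {user: {ids}}."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user, ids = fields[0], [f for f in fields[1:] if f]
        if not user or not ids:
            raise ValueError("line %d: expected user:id[:id...]" % lineno)
        mapping.setdefault(user, set()).update(ids)
    return mapping


def otp_is_authorised_for(mapping, user, otp):
    """True when the OTP's token ID is one of the IDs listed for that user."""
    return token_id_from_otp(otp) in mapping.get(user, set())


# Constructed sample mapping: one key shared by two users, a third user with two keys.
SAMPLE_MAPPING = """\
# user:token-id[:token-id...]
alice:cccccccgklgc
bob:cccccccgklgc
carol:ccccccbbbbbb:cccccccddddd
"""
SAMPLE_OTP = "cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj"  # OTP from the text above

if __name__ == "__main__":
    m = parse_mapping(SAMPLE_MAPPING)
    tid = token_id_from_otp(SAMPLE_OTP)
    print(tid, modhex_to_hex(tid))                                  # cccccccgklgc 000000059a50
    print(otp_is_authorised_for(m, "alice", SAMPLE_OTP))            # True
    print(otp_is_authorised_for(m, "carol", SAMPLE_OTP))            # False
```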
Alternatively, an individual mapping file can be configured per user. In that case, the authfile directive should be removed.
First, create a .yubico folder inside the user's home:
❯ mkdir -m700 /home/<user>/.yubico
Then, add the Yubikey mapping to