Creating the Yubikey PAM authentication policy

Obtaining the Yubikey token ID

The Yubikey token ID is a public identifier that uniquely identifies it. You can obtain the Yubikey token ID in several ways.

The quickest way of getting the token ID is to remove the last 32 characters of any OTP (One Time Password) generated by the Yubikey.

  1. Open a terminal.
  2. Long-touch the Yubikey.
  3. An OTP token will be output to the shell:
❯ cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj
bash: cccccccgklgcvnkcvnnegrnhgrjkhlkfhdkclfncvlgj: command not found

The corresponding token ID will be cccccccgklgc:

┊←       →┊┊←            32              →┊

If you'd like to experiment with other ways, you can activate the debug mode of a local Yubico PAM module and when authenticating with it. The ID will be printed out in the debug information. There is also a where you can enter the token above, select OTP as the source format and get the token ID as the Modhex encoded value.

Create system-wide Yubikeys mapping

The file /etc/yubikeys (as listed below), must contain the UNIX user name of the remote server and the Yubikey token ID separated by colons for each user. Example format:


So, continuing the example above and allowing the same Yubikey to authenticate with two different users:


Edit, then:

❯ chmod 644 /etc/yubikeys
Using individual Yubikey user mapping

Alternatively, an individual mapping file can be configured per user. In that case, the authfile directive should be removed.

First, create a .yubico folder inside the user's home:

❯ mkdir -m700 /home/<user>/.yubico

Then, add the Yubikey mapping to /home/<user>/.yubico/authorized_yubikeys:


results matching ""

    No results matching ""