Summary:
Requirements:
OS: Linux Mint 15 (Cinnamon) | Works on other Debian-based distros; remember to change your screensaver command, as it may differ depending on the distro
Yubikey: Yubikey II
Description:
This is a short guide on how to get your Yubikey working on Linux (Debian based), with the option to lock/unlock your screen using your Yubikey.
Features:
* Login with Yubikey + password required
* Screen unlocking by just inserting your Yubikey (only works after already being logged into the system)
* Single udev rule to fire up a single script
* No screen flickering when using sudo commands: the script checks whether the key is physically removed rather than reacting to a challenge-response trigger.
* Using your Yubikey serial, which prevents other users from unlocking the system with their Yubikey.
Tutorial:
Install the following packages:
Code:
sudo apt-get install libpam-yubico
sudo apt-get install yubikey-personalization
Execute the following commands for each user you want to be able to log in (using the Yubikey + password combination):
Code:
mkdir ~/.yubico
ykpamcfg -2 -v
This should create a file in ~/.yubico/challenge-XXXXXX
Make sure you also do this for your root user!
DOUBLE CHECK THIS!
Edit your pam.d auth file:
Backup your current common-auth file:
Code:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth.BAK
sudo vi /etc/pam.d/common-auth
(Note: the path might be different when using another distro!)
My common-auth file:
Code:
# Use this to require both your password + Yubikey. You can comment this line if you want to JUST use your Yubikey (NOT RECOMMENDED)
auth required pam_unix.so nullok_secure try_first_pass
# The line below is required to be able to use your Yubikey
auth [success=1 new_authtok_reqd=ok default=die ignore=ignore] pam_yubico.so mode=challenge-response
# Default rules
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
auth optional pam_cap.so
IMPORTANT:
Check that your Yubikey is working: open a new terminal shell:
Code:
sudo su -
Try executing this with and without the Yubikey; when the Yubikey is removed you should NOT be able to log in!
Only continue if this works. If it doesn't, double check your common-auth file before continuing.
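A mistake in common-auth can lock you out, so here is a pre-flight check to run against the file before you log out, as an added example that is not part of Triqster's post. It checks that a common-auth file has the password line (pam_unix.so) followed by the pam_yubico.so line in challenge-response mode, and that a user's ~/.yubico directory holds a challenge-* file from ykpamcfg. The function names, the work directory and the two sample files are constructed for the example (the "good" sample is the common-auth from above, the "bad" one is a stock password-only file).

```shell
#!/bin/sh
# Pre-flight check for the common-auth edit (added example, not from the post).
# Assumes the module names used above: pam_unix.so for the password and
# pam_yubico.so with mode=challenge-response for the key.

# Return 0 when FILE has an "auth ... pam_unix.so" line and, after it, an
# "auth ... pam_yubico.so ... mode=challenge-response" line; otherwise print
# what is missing to stderr and return 1.
check_pam_auth_file() {
    file="$1"
    unix_line=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$file" | head -n1 | cut -d: -f1)
    yubi_line=$(grep -n '^auth[[:space:]].*pam_yubico\.so.*mode=challenge-response' "$file" | head -n1 | cut -d: -f1)
    if [ -z "$unix_line" ]; then
        echo "$file: missing auth line for pam_unix.so (password check)" >&2
        return 1
    fi
    if [ -z "$yubi_line" ]; then
        echo "$file: missing auth line for pam_yubico.so with mode=challenge-response" >&2
        return 1
    fi
    if [ "$yubi_line" -lt "$unix_line" ]; then
        echo "$file: pam_yubico.so comes before pam_unix.so; the password line goes first" >&2
        return 1
    fi
    return 0
}

# Return 0 when DIR (normally ~/.yubico of the user, and of root) holds at
# least one challenge-* file, i.e. "ykpamcfg -2 -v" has been run for that user.
check_challenge_file() {
    dir="$1"
    for f in "$dir"/challenge-*; do
        [ -f "$f" ] && return 0
    done
    echo "$dir: no challenge-* file; run: ykpamcfg -2 -v" >&2
    return 1
}

# Constructed samples so the check runs stand-alone.
WORK=$(mktemp -d)
SAMPLE_GOOD="$WORK/common-auth.good"
SAMPLE_BAD="$WORK/common-auth.bad"
cat > "$SAMPLE_GOOD" <<'EOF'
auth required pam_unix.so nullok_secure try_first_pass
auth [success=1 new_authtok_reqd=ok default=die ignore=ignore] pam_yubico.so mode=challenge-response
auth requisite pam_deny.so
auth required pam_permit.so
EOF
cat > "$SAMPLE_BAD" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
EOF
mkdir -p "$WORK/yubico-ok" "$WORK/yubico-empty"
touch "$WORK/yubico-ok/challenge-0001711399"

# Stand-alone run: report on both samples and both directories.
for f in "$SAMPLE_GOOD" "$SAMPLE_BAD"; do
    if check_pam_auth_file "$f"; then echo "$f: OK"; else echo "$f: FIX BEFORE LOGGING OUT"; fi
done
for d in "$WORK/yubico-ok" "$WORK/yubico-empty"; do
    if check_challenge_file "$d"; then echo "$d: OK"; fi
done
```

On a real system you would call `check_pam_auth_file /etc/pam.d/common-auth` and `check_challenge_file ~/.yubico` (and, with sudo, `/root/.yubico`) before closing the terminal in which you are still logged in.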
Yubikey screen lock/unlock:
Create a udev rule that runs a script when the Yubikey is inserted, changed or removed:
Get your Yubikey serial (to prevent other users from unlocking your screen):
Code:
udevadm monitor --environment --udev
Now insert or remove your Yubikey!
Look for a line like this:
Code:
ID_SERIAL_SHORT=0001711399
Copy or write your serial down!
(Double check your ID_MODEL_ID in the above step; it should be 0010 if you're using the same model as me)
sudo vi /etc/udev/rules.d/85-yubikey.rules (Double check that 85 is the correct rule number for your distro)
Insert the following:
Code:
# Yubikey udev rule: run a bash script when your Yubikey is inserted, removed or triggered by challenge-response
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"
Change the following:
ENV{ID_SERIAL_SHORT}=="0001711399" to your own serial number found in the step above
Now create the actual bash script:
Code:
sudo vi /usr/local/bin/yubikey
Insert the following code:
Code:
#!/bin/bash
# Double check that the Yubikey is actually removed: a challenge-response
# (e.g. from sudo) fires a udev "change" event but the key stays in lsusb,
# so the screensaver is not triggered by it.
USERNAME="joost"
if ! lsusb | grep -q "Yubikey"; then
    logger "YubiKey Removed or Changed"
    # Running the Cinnamon screensaver lock command
    /bin/su "$USERNAME" -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command --lock"
else
    # Running the Cinnamon screensaver unlock command
    logger "YubiKey found, unlocking screensaver"
    /bin/su "$USERNAME" -c "DISPLAY=:0 /usr/bin/cinnamon-screensaver-command -d"
fi
Make sure you change the user name (mine is joost):
USERNAME="YOURUSERNAME"
IMPORTANT:
If you're using another distro or graphical Linux shell, change the screensaver command:
/bin/su $USERNAME -c "DISPLAY=:0 YOUR_SCREENSAVER_COMMAND_HERE"
Reload your Udev rules:
Code:
sudo udevadm control --reload-rules
sudo service udev reload
Now check if it's working (it should if you followed the steps correctly!)
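For the serial step and this final check, here is an added example (not part of the original post) that builds the 85-yubikey.rules line from the `udevadm monitor --environment --udev` output instead of copying the serial by hand, and that checks the RUN target is executable: udev will not run a script that lacks the execute bit, so run `sudo chmod +x /usr/local/bin/yubikey` after saving it. The function names and the sample monitor output are constructed; the vendor, model and serial values are the ones from the post.

```shell
#!/bin/sh
# Build the udev rule from monitor output and verify its RUN target
# (added example, not from the post). Assumes the monitor output carries
# ID_VENDOR_ID, ID_MODEL_ID and ID_SERIAL_SHORT lines as shown above.

SCRIPT=/usr/local/bin/yubikey

# Print the value of KEY=value from monitor output on stdin; fail if absent.
udev_env() {
    key="$1"
    val=$(sed -n "s/^$key=//p" | head -n1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Read monitor output on stdin and print the rule line pinned to this key's
# vendor, model and serial, so another user's Yubikey does not match.
# $1 is the script udev should run.
make_udev_rule() {
    script="$1"
    out=$(cat)
    vendor=$(printf '%s\n' "$out" | udev_env ID_VENDOR_ID) || return 1
    model=$(printf '%s\n' "$out" | udev_env ID_MODEL_ID) || return 1
    serial=$(printf '%s\n' "$out" | udev_env ID_SERIAL_SHORT) || return 1
    printf 'ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="%s", ENV{ID_MODEL_ID}=="%s", ENV{ID_SERIAL_SHORT}=="%s", RUN+="%s"\n' \
        "$vendor" "$model" "$serial" "$script"
}

# Extract the RUN+= path from a rule line and check it is executable.
rule_target_executable() {
    target=$(printf '%s\n' "$1" | sed -n 's/.*RUN+="\([^"]*\)".*/\1/p')
    [ -n "$target" ] && [ -x "$target" ]
}

# Constructed monitor output (trimmed to the lines the rule needs).
SAMPLE_MONITOR='UDEV  [1234.567890] add      /devices/pci0000:00/usb1/1-1 (usb)
ACTION=add
ID_VENDOR_ID=1050
ID_MODEL_ID=0010
ID_SERIAL_SHORT=0001711399'

# Stand-alone run: print the rule and report on the script's execute bit.
RULE=$(printf '%s\n' "$SAMPLE_MONITOR" | make_udev_rule "$SCRIPT")
echo "$RULE"
if rule_target_executable "$RULE"; then
    echo "$SCRIPT is executable"
else
    echo "$SCRIPT missing or not executable: sudo chmod +x $SCRIPT"
fi
```

On a real system, pipe a captured `udevadm monitor --environment --udev` session into `make_udev_rule /usr/local/bin/yubikey` and compare the result with your rules file before reloading udev.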
Triqster