===== Using a YubiKey as two-factor authentication for Debian desktops =====

This guide shows how to use your YubiKey as a hardware crypto device for local logins. It does not replace your login password; instead, your user account can only log in while the YubiKey is present. If it is not, any password you enter (including the correct one) is treated as wrong. An "attacker" (or really, some guy in the office trying to guess your password) cannot tell the difference between a genuinely wrong password and a YubiKey that is not plugged in.

----

==== Adding a challenge-response slot to your YubiKey ====

You are probably using Yubico OTP (via HID keyboard emulation) in the first slot. OTP requires a query to a validation server for every login, which is not ideal for logging in to a local machine (you are not connected to the internet all the time). However, you can add a challenge-response slot next to the OTP slot; it is verified locally and does not depend on back-end servers. (It also is not affected by the scancode problems Dvorak users have to deal with.)

For this, you need the YubiKey Personalization tool from Debian/main:

<code bash>
sudo apt install yubikey-personalization
</code>

Make sure your YubiKey is plugged in, and run this command (the ''-2'' stands for slot 2):

<code bash>
ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible
</code>

Commit with ''Y''.

----

==== Creating a challenge file ====

Now that your YubiKey is set up, it is time to create a challenge file. This requires the ''ykpamcfg'' tool from Debian/main:

<code bash>
sudo apt install libpam-yubico
</code>

Then run:

<code bash>
ykpamcfg -2 -v
</code>

This creates a file in ''~/.yubico'' called ''challenge-$serialnumber''. Rename the ''challenge'' part to your user name. For instance, if your user name is ''cindy'' and the serial number of your YubiKey is ''246837'', run:

<code bash>
mv ~/.yubico/challenge-246837 ~/.yubico/cindy-246837
</code>

=== Placing the challenge file ===

It is best to move the challenge file outside of your home directory (for instance, your home may be on ecryptfs and unreadable at login time) and set strict permissions:

<code bash>
sudo mv ~/.yubico /var/yubico
sudo chown -R root:root /var/yubico
sudo chmod 700 /var/yubico
sudo chmod 600 /var/yubico/cindy-246837
</code>

----

==== Setting up PAM ====

First off, open a root terminal and keep it open, so you can recover if you mess up the PAM configuration:

<code bash>
sudo -s
</code>

Then open **another** terminal and run:

<code bash>
sudo dpkg-reconfigure libpam-yubico
</code>

When it asks for the configuration line, delete everything and enter this:

<code>
mode=challenge-response chalresp_path=/var/yubico
</code>

Then confirm the dialog. It will now ask you to select the PAM profiles you wish to enable. Make sure that the ''Yubico authentication with YubiKey'' option is enabled (''[*]'') and confirm.

----

==== Testing the authentication ====

Remove your YubiKey and open a **new** terminal. Then try to become root with ''sudo'':

<code bash>
sudo -s
</code>

Enter your password. It should print ''Sorry, try again.'' even though your password is correct. Hit ''Ctrl+C'', plug in your YubiKey, and try again:

<code bash>
sudo -s
</code>

Enter your password. It should now show a root prompt.

=== Session logins ===

The same mechanism also works with tty logins, display managers and lock screens. Your YubiKey **must** be present for any password to be accepted. If you plug in your YubiKey after the authentication has already started (in GDM, this means after clicking your user name), you must cancel it first and retry with the YubiKey present.

----
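As an added example (not part of the original guide), the following POSIX shell function checks that a ''chalresp_path'' directory matches the layout built in the "Placing the challenge file" step before you point PAM at it: a root-owned 0700 directory, one 0600 ''user-serial'' file per user, and no leftover unrenamed ''challenge-*'' file. The function name and the optional third argument (expected owner, defaulting to ''root'') are my own.

```shell
#!/bin/sh
# Added example, not from the original guide. Verifies a pam_yubico
# chalresp_path directory against the guide's layout:
#   <dir>/            owned by <owner>, mode 0700
#   <dir>/<user>-<serial>  owned by <owner>, mode 0600, numeric serial
# Usage: check_chalresp_dir /var/yubico cindy [owner]   (owner defaults to root)
check_chalresp_dir() {
    dir="$1"; user="$2"; want_owner="${3:-root}"
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2; return 1
    fi
    owner=$(stat -c '%U' "$dir"); mode=$(stat -c '%a' "$dir")
    if [ "$owner" != "$want_owner" ] || [ "$mode" != "700" ]; then
        echo "FAIL: $dir is $owner:$mode, expected $want_owner:700" >&2; return 1
    fi
    # A leftover challenge-<serial> file means the rename step was skipped,
    # and pam_yubico will not find a file for the user.
    for f in "$dir"/challenge-*; do
        if [ -e "$f" ]; then echo "FAIL: unrenamed file $f" >&2; return 1; fi
    done
    found=0
    for f in "$dir"/"$user"-*; do
        [ -e "$f" ] || continue
        serial=$(basename "$f"); serial=${serial#"$user"-}
        case "$serial" in
            ''|*[!0-9]*) echo "FAIL: $f has a non-numeric serial" >&2; return 1 ;;
        esac
        fowner=$(stat -c '%U' "$f"); fmode=$(stat -c '%a' "$f")
        if [ "$fowner" != "$want_owner" ] || [ "$fmode" != "600" ]; then
            echo "FAIL: $f is $fowner:$fmode, expected $want_owner:600" >&2; return 1
        fi
        found=$((found + 1))
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no $user-<serial> challenge file in $dir" >&2; return 1
    fi
    echo "OK: $found challenge file(s) for $user in $dir"
    return 0
}
```

Run it from the root terminal you keep open while reconfiguring PAM; a non-zero exit means the directory would not work as the guide intends.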