Product SiteDocumentation Site

3.4. Multifactor Authentication Solutions

3.4.1. Yubikey

Yubikey is a hardware authentication token that utilizes open source software to operate. This token is a simple USB device that appears as a keyboard to your computer. The single touch button on the token provides a one time password (OTP) with each push that can be used to authenticate a user. Currently there are several different implementations of this solution of which we'll cover here.

3.4.1.1. Using Yubikey with a centralized server

A PAM module already exists in the Fedora repositories that allow authentication of computers that can contact an authentication server. The server can either be setup at the domain level or the Yubico's servers can be utilized. This method of authentication is a great enterprise solution where multiple users may need access to multiple computers on the domain. The steps below describe this setup.
  1. Install pam_yubico
  2. For two factor authentication open /etc/pam.d/gdm-password and locate the following line:
    auth substack password-auth
    In a new line after this add:
    auth sufficient pam_yubico.so id=16
  3. To simple use the yubikey token without your password remove the first line from the step above and replace it with the second.
  4. Locate the yubikey token for the first yubikey you will be adding. This can be done by looking at the first 12 characters of any OTP or visit http://radius.yubico.com/demo/Modhex_Calculator.php and copy the Modhex encoded string after you enter an OTP into the textbox on the page.
  5. Add user's yubikeys to the config file. This can be done either globally in /etc/yubikey_mapping or by individual user in ~/.yubico/authorized_yubikeys. The following is the syntax:
    username:yubikey_token:another_yubikey_token
  6. Logout, when you attempt to log back in you should either be prompted to enter both your password and your yubikey OTP or both depending on how you configured your system.

Note

A connection to the authentication server is required or proper authentication will not occur. This can be detrimental to systems that do not have constant network connectivity.

3.4.1.2. Authenticating to websites with your Yubikey

While outside the scope of this guide Yubikey allows you to authenticate to websites supporting this authentication method. These websites typically support Yubico's authentication servers but some can be setup similar to the above centralized authentication. Yubico also provides OpenID services that can be utilized with certain websites.