Most people are aware of the various computer data breach incidents and password dumps that have occurred over the last few years. You can even visit Have I Been Pwned (HIBP) to find out if your email address is included among over five billion compromised accounts. Think about that for a second: we have a plethora of data dumps with email addresses, usernames, passwords and other personally identifiable information (PII) circulating on the internet, and yet a large percentage of folks are still satisfied with only a username and password.
Fortunately, a few vendors have stepped up and are now requiring a Time-based One-time Password (TOTP) from a Mobile Authenticator Application or any number of other Multi-Factor Authentication (MFA) options in conjunction with the traditional username and password. During a conversation about this subject with my good friend Michael Banks he mentioned his own use of multiple hardware security keys, which is to be expected from such a hardcore Security Practitioner.
This blog article is a quick guide to getting a YubiKey working with Slackware Linux; the process should work with most other Linux distributions as well.
Below is an excerpt from /var/log/messages after the YubiKey is plugged into a USB slot:
new full-speed USB device number 12 using ehci-pci
New USB device found, idVendor=1050, idProduct=0407
New USB device strings: Mfr=1, Product=2, SerialNumber=0
Product: Yubikey 4 OTP+U2F+CCID
Manufacturer: Yubico
Take note of the idVendor and idProduct fields. They need to be present in the udev rule file, which can be acquired from the Yubico GitHub.
You will need to append the group and mode permission attributes so that non-root users can access the device; the user who will use the key must be a member of the group named in the rule.
# Yubico YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", \
ATTRS{idVendor}=="1050", \
ATTRS{idProduct}=="0113|0114|0115|0116|0120|0200|0402|0403|0406|0407|0410", \
GROUP="plugdev", MODE="0660"
Note: By default the owner and group of removable device nodes are both set to root.
Place the modified file under /etc/udev/rules.d/, then have udev reload its rules and optionally trigger the rule:
root@labs# udevadm control --reload-rules && udevadm trigger
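As an added example that is not part of the original post, here is a small POSIX shell helper that pulls idVendor and idProduct out of a kernel log line like the one above, emits the matching udev rule, and then checks that a /dev/hidraw node really ended up owned by group plugdev with mode 0660. The log line is a constructed sample, and the check assumes GNU stat as shipped with Slackware.

```shell
#!/bin/sh
# Added example (not from the original post): build a YubiKey udev rule from the
# kernel log line and verify the resulting hidraw device node permissions.

# Constructed sample of the /var/log/messages line seen when the key is plugged in.
SAMPLE_LOG='kernel: usb 1-1.2: New USB device found, idVendor=1050, idProduct=0407'

# Extract a 4-hex-digit USB id field from a kernel log line.
# Usage: usb_id <idVendor|idProduct> <log line>
usb_id() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([0-9a-fA-F]\{4\}\).*/\1/p"
}

# Emit a udev rule granting read/write to the given group on the key's hidraw node.
# $1 = idVendor, $2 = idProduct (several may be joined with '|'), $3 = group name
make_rule() {
    printf '# Yubico YubiKey\nKERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s", GROUP="%s", MODE="0660"\n' \
        "$1" "$2" "$3"
}

# Verify that a device node is owned by the expected group with mode 0660.
# Prints "ok" and returns 0, or prints the actual "group mode" and returns 1.
# Uses GNU stat (-c), which is what Slackware ships.
check_node() {
    node=$1
    want_group=$2
    actual=$(stat -c '%G %a' "$node") || return 1
    if [ "$actual" = "$want_group 660" ]; then
        echo ok
    else
        echo "mismatch on $node: $actual"
        return 1
    fi
}

# Walk through the procedure on the sample line: parse ids, print the rule.
vendor=$(usb_id idVendor "$SAMPLE_LOG")
product=$(usb_id idProduct "$SAMPLE_LOG")
make_rule "$vendor" "$product" plugdev

# After reloading udev and re-plugging the key, confirm each hidraw node's permissions.
for n in /dev/hidraw*; do
    [ -e "$n" ] && { check_node "$n" plugdev || true; }
done
```

Redirect the printed rule into a file under /etc/udev/rules.d/ and a "mismatch" line after reloading means the rule did not match the device, so re-check the idVendor/idProduct values against the log.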
Now visit your sensitive accounts that support hardware security keys and configure them accordingly.
Thanks for reading.