From ArchWiki

Updated Two-factor authentication with SSH

I've updated the section to match how yubico-pam's configuration currently works. The instructions are mostly taken from and ; this is how I set up my machine.

The default Yubico server is contacted over https. Still, the documentation suggests using the API ID instead of id=1, but no API key, which to me seems like a semi-HMAC way of doing things. Should I change the section for general PAM setup accordingly? That would mean that users will generally have to generate the key pair.

Lcts (talk) 17:47, 14 April 2017 (UTC)

I've left it at id=APIID for now, just in case id=1 is insecure. It makes the two sections kind of identical, but I don't know enough about HMAC/https to decide if id=1 is OK. Please advise. Lcts (talk) 18:25, 14 April 2017 (UTC)
For completeness' sake, I added the id=1 way of connecting back in - it might be of interest for people planning to set up their own servers - but added a warning. If someone knows that the warning is unwarranted, they should feel free to remove it.
I still don't really see the point of using the Client ID without the key in Yubico's default, but if that's how they advise to do it, OK. As of now, all three methods work even if the Yubico documentation only describes the first. Lcts (talk) 14:49, 15 April 2017 (UTC)
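To make the HMAC question in the thread above concrete, here is an added example in Python (not part of the wiki page or of yubico-pam) of what the API key is used for in Yubico's validation protocol v2.0: the client signs its verify request with HMAC-SHA1 and checks the same kind of signature on the server's response. The client id, API key and OTP below are constructed placeholders; without a key (the id=1 style setup) only TLS protects the answer.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed placeholders: a real client id and API key come from Yubico's key signup page.
DEMO_CLIENT_ID = "12345"
DEMO_API_KEY_B64 = base64.b64encode(b"0123456789abcdef0123").decode()
DEMO_OTP = "c" * 44  # constructed; a real OTP is 44 modhex characters


def sign(fields: dict, api_key_b64: str) -> str:
    """Protocol v2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&',
    keyed with the base64-decoded API key, result base64-encoded. The 'h' field is skipped."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(client_id: str, otp: str, api_key_b64: Optional[str] = None,
                  nonce: Optional[str] = None) -> dict:
    """Query parameters for /wsapi/2.0/verify. Without an API key the request carries
    no 'h', and the server's answer can only be trusted as far as TLS is trusted."""
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    if api_key_b64:
        params["h"] = sign(params, api_key_b64)
    return params


def verify_response(body: str, api_key_b64: str, sent: dict) -> bool:
    """Parse the key=value response lines, bind them to the request we sent (otp and nonce),
    check the server's HMAC with our key, and only then believe status=OK."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    if fields.get("otp") != sent["otp"] or fields.get("nonce") != sent["nonce"]:
        return False  # answer to a different (or replayed) request
    if not hmac.compare_digest(fields.get("h", ""), sign(fields, api_key_b64)):
        return False  # signature missing or wrong: not produced by a holder of our key
    return fields.get("status") == "OK"
```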

Incorrect information regarding required YubiKey version for PIV

The article mentions in two places that a YubiKey 4 or later is required for PIV support. "Starting from the fourth generation devices, the Yubikeys contain a PIV (Personal Identity Verification) application on the chip." and "A YubiKey with the PIV (Personal Identification Verification) application is required; this means you need a YubiKey 4 or later."

This is incorrect, however, as the older YubiKey NEO and NEO-n also include a PIV applet. This can be confirmed here, and I've also had it confirmed by their tech support. In addition, other sites such as the Debian wiki also mention that both NEO models can be used.

The only limitation on the NEO keys is that they are limited to RSA only, whereas the 4 series also support ECC.

Is there a particular reason that I may not know about why the article mentions that a YubiKey 4 or later is required? Aerion (talk) 17:32, 8 February 2019 (UTC)

No, there is no special reason. The page was wrong.
Jmyreen (talk) 09:39, 25 January 2020 (UTC)

Incorrect information regarding required full disk encryption

The article says: As of December 2019 `sd-encrypt` enabled boot is not supported by yubikey-full-disk-encryption.

This is correct. But sd-encrypt enabled full disk encryption works great using aur/mkinitcpio-ykfde. This is an important piece of information for new YubiKey owners! Grunix (talk) 22:28, 21 January 2020 (UTC)

Could you please update the wiki page with information on how to configure full disk encryption with that AUR package? Anatolik (talk) 22:43, 21 January 2020 (UTC)

Please check, this is my first edit. Grunix (talk) 14:28, 22 January 2020 (UTC)

Improve udev example rule

The example udev rule only covered YubiKey 4 and one model ID. I've expanded that rule to include all model IDs taken from this link.

Move content to U2F article

There now is also a page Universal 2nd Factor. Content that doesn't depend on the type of key but works for all U2F keys should be moved there to avoid duplication and chaos and also help people with other kinds of U2F devices. That seems to be the case for sections 4 and 6.3 and maybe also 5.3 and 6.1? The general article should therefore be linked in a "related box". Do you agree? -- Nudin (talk) 12:06, 17 June 2020 (UTC)

If you think so, please do so! -- Blackteahamburger (talk) 12:11, 17 June 2020 (UTC)