Talk:YubiKey

From ArchWiki
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Updated Two-factor authentication with SSH

I've updated the section to match how yubico-pam's configuration currently works. The instructions are mostly taken from https://developers.yubico.com/yubico-pam/ and https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html , this is how I set up my machine.

The default Yubico server is contacted over https. Still, the documentation suggests using the API ID instead of id=1, but no API key, which to me seems like a semi-HMAC way of doing things. Should I change the section for general PAM setup accordingly? Would mean that users will generally have to generate the key pair.

Lcts (talk) 17:47, 14 April 2017 (UTC)

I've left it at id=APIID for now, just in case id=1 is insecure. It makes the two sections kind of identical, but I don't know enough about HMAC/https to decide if id=1 is OK. Please advise. Lcts (talk) 18:25, 14 April 2017 (UTC)
For completeness sake, I added the id=1 way of connecting back in - it might be of interest for people planning to set up their own servers - but added a warning. If someone knows that the warning is unwarrented, they should feel free to remove it.
I still don't really see the point of using the Client ID without the key in Yubico's default, but if that's how they advise to do it, OK. As of now, all three methods work even if the Yubico documentation only describes the first. Lcts (talk) 14:49, 15 April 2017 (UTC)

Incorrect information regarding required YubiKey version for PIV

The article mentions in two places that a YubiKey 4 or later is required for PIV support. "Starting from the fourth generation devices, the Yubikeys contain a PIV (Personal Identity Verification) application on the chip." and "A YubiKey with the PIV (Personal Identification Verification) application is required; this means you need a YubiKey 4 or later."

This is incorrect, however, as the older YubiKey NEO and NEO-n also include a PIV applet. This can be confirmed here https://www.yubico.com/products/yubikey-hardware/compare-yubikey-4-neo/, https://support.yubico.com/support/solutions/articles/15000006494-yubikey-neo and https://support.yubico.com/support/solutions/articles/15000006495-yubikey-neo-n. I've also had it confirmed by their tech support. In addition, other sites such as the Debian wiki also mention that both NEO models can be used https://wiki.debian.org/DebianSingleSignOn#Use_with_a_Yubikey_in_PIV_mode

The only limitation on the NEO keys is that they are limited to RSA only, whereas the 4 series also support ECC.

Is there a particular reason that I may not know about why the articles mentions that a YubiKey 4 or later is required? Aerion (talk) 17:32, 8 February 2019 (UTC)