From ArchWiki
Latest comment: 25 October 2023 by Toorero in topic Authenticator

Updated Two-factor authentication with SSH

I've updated the section to match how yubico-pam's configuration currently works. The instructions are mostly taken from and ; this is how I set up my machine.

The default Yubico server is contacted over https. Still, the documentation suggests using the API ID instead of id=1, but no API key, which to me seems like a semi-HMAC way of doing things. Should I change the section for general PAM setup accordingly? Would mean that users will generally have to generate the key pair.

Lcts (talk) 17:47, 14 April 2017 (UTC)

I've left it at id=APIID for now, just in case id=1 is insecure. It makes the two sections kind of identical, but I don't know enough about HMAC/https to decide if id=1 is OK. Please advise. Lcts (talk) 18:25, 14 April 2017 (UTC)
For completeness' sake, I added the id=1 way of connecting back in - it might be of interest for people planning to set up their own servers - but added a warning. If someone knows that the warning is unwarranted, they should feel free to remove it.
I still don't really see the point of using the Client ID without the key in Yubico's default, but if that's how they advise to do it, OK. As of now, all three methods work even if the Yubico documentation only describes the first. Lcts (talk) 14:49, 15 April 2017 (UTC)
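For reference, the three pam_yubico settings compared in the thread above, plus the challenge-response variant, shown side by side. This is an added example, not part of the talk page or of yubico-pam's own documentation; the client ID, API key, username and public ID are placeholders, and the mapping file path is an arbitrary choice.

```text
# Placeholder values, constructed for illustration. Pick ONE of the
# auth lines below for a PAM service file such as /etc/pam.d/sshd.

# (a) Client ID + API key, as the yubico-pam README recommends.
#     The verification server signs its reply with the key and
#     pam_yubico checks that HMAC, so the reply is authenticated
#     independently of the TLS connection.
auth required pam_yubico.so id=12345 key=bXlBUElrZXk= authfile=/etc/yubikey_mappings

# (b) Client ID without key. The request still carries your ID, but
#     with no key the HMAC on the reply is not verified: you are trusting
#     HTTPS to the validation server alone.
auth required pam_yubico.so id=12345 authfile=/etc/yubikey_mappings

# (c) id=1 (the generic client ID), no key. Same trust on TLS as (b);
#     the case discussed above for people running their own server.
auth required pam_yubico.so id=1 authfile=/etc/yubikey_mappings

# (d) Challenge-response mode: no verification server at all. The
#     per-user secret is stored in the file that ykpamcfg writes under
#     the user's home directory.
auth required pam_yubico.so mode=challenge-response

# /etc/yubikey_mappings for (a)-(c): one "user:public-id" entry per key,
# where the public ID is the first 12 modhex characters of the OTP.
alice:ccccccbcgujh
```

The practical difference between (a) and (b)/(c) is what a compromised or spoofed validation endpoint can do: with a key configured, a forged "OK" reply fails the HMAC check; without one, only the TLS certificate check stands between the attacker and a successful login. Option (d) sidesteps the question entirely but requires the challenge-response secret to be provisioned on every host the user logs in to.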

Move content to U2F article

There now is also a page Universal 2nd Factor. Content that doesn't depend on the type of key but works for all U2F keys should be moved there to avoid duplication and chaos and also help people with other kinds of U2F devices. That seems to be the case for sections 4 and 6.3 and maybe also 5.3 and 6.1? The general article should therefore be linked in a "related box". Do you agree? -- Nudin (talk) 12:06, 17 June 2020 (UTC)

If you think so, please do so! -- Blackteahamburger (talk) 12:11, 17 June 2020 (UTC)

Section Overhauls

Apologies for not bringing this up before making changes, as I should have. I didn't familiarize myself with the contributing guidelines and just started chopping. I'm doing this because I recently got a new yubikey, and there were several things about this article which tripped me up trying to understand it. I'm hoping to make it easier for the next person.

What's been done

I've largely rewritten the introduction and section on One-time-passwords with the following goals:

  • Start with a high-level overview of the topic, and then go into progressively greater detail. (Start with an overview of the yubikey's capabilities, then cover its inputs and outputs, then go into detail on each specific mode.)
  • Consolidate related information into relevant sections. It was scattered, which made it difficult to understand which features and limitations were related to which modes. (For example, the "two slots" section was in the introduction, when the two slots are exclusively for the OTP mode. They have nothing to do with U2F or RSA keys.)
  • Reduce wordiness - There were several opportunities to improve succinctness.
  • Reduce repetition - There were a few sentences repeated nearly word-for-word in different places.
  • Improve Language and style.
  • Add OTP instructions for static passwords
  • Add OTP instructions for OATH
  • Improve challenge-response instructions. Update the examples to use ykman instead of ykpersonalize, as that's what the other examples use and its syntax is much more readable.
  • Expand the U2F section
  • Expand the OpenPGP section (Just a few sentences, no need to rewrite the GPG smartcard article here.)
    • Move SSH instructions to the 'Tips and tricks' section with the other examples.
  • Extract "How to use a yubikey with X" to its own section
  • Improve the "Yubikey and" section
    • When explaining how to use a yubikey with some software or service, start with which modes & features can be used to accomplish it.
    • In general, provide links to instructions rather than the instructions themselves.
    • The 'Two-factor authentication with SSH' section is really 'Yubikey and PAM'. It's not specific to SSH, the same instructions can be used for anything which uses PAM for authentication. There's also the possibility to use challenge-response instead of Yubico OTP, removing the requirement for an external server, which should be documented.

What's left to do

  • Add some sources to the PIV section.
  • Improve some of the more hacky troubleshooting and maintenance instructions

Rbuchberger (talk) 09:48, 22 October 2020 (UTC)

Regarding the "Yubikey and" section, I think it is not maintainable to repeat step-by-step instructions for every possible use of a yubikey here. Instead, we should offer an overview of the possibilities (along with their advantages and disadvantages), along with links to instructions where they exist elsewhere. Only provide step-by-step instructions when they don't exist anywhere else, and even then we should consider whether some other page is the right place (in other words, is it specific to the Yubikey?)
Rbuchberger (talk) 12:46, 25 October 2020 (UTC)
Updated todo list
Rbuchberger (talk) 12:46, 31 October 2020 (UTC)

Authenticator

This page mentions the old non-flutter authenticator desktop app, but Yubikey doesn't seem to mention it or support it anywhere, see the links on this page. Anecdotally, it didn't work with my Yubikey 5C NFC. Maybe this old application should not be mentioned so prominently?

The Legacy Yubico Authenticator isn't working for me with my YubiKey 5C NFC either. I wouldn't say the linked site states that the version is incompatible. I would favour the solution that yubioath-desktop would be upgraded to version 6 (already flagged out-of-date). Maybe clearly indicating that the package is out-of-date, and that it is advised to use the up-to-date yubico-authenticator-bin (AUR) for now instead if you run into errors, would help.
Toorero (talk) 15:43, 25 October 2023 (UTC)