Updated Two-factor authentication with SSH
I've updated the section to match how yubico-pam's configuration currently works. The instructions are mostly taken from https://developers.yubico.com/yubico-pam/ and https://developers.yubico.com/yubico-pam/Yubikey_and_SSH_via_PAM.html , this is how I set up my machine.
The default Yubico server is contacted over https. Still, the documentation suggests using the API ID instead of id=1, but no API key, which to me seems like a semi-HMAC way of doing things. Should I change the section for general PAM setup accordingly? That would mean that users will generally have to generate the key pair.
- I've left it at id=APIID for now, just in case id=1 is insecure. It makes the two sections kind of identical, but I don't know enough about HMAC/https to decide if id=1 is OK. Please advise. Lcts (talk) 18:25, 14 April 2017 (UTC)
- For completeness' sake, I added the id=1 way of connecting back in - it might be of interest for people planning to set up their own servers - but added a warning. If someone knows that the warning is unwarranted, they should feel free to remove it.
Move content to U2F article
There now is also a page Universal 2nd Factor. Content that doesn't depend on the type of key but works for all U2F keys should be moved there to avoid duplication and chaos and also help people with other kinds of U2F devices. That seems to be the case for sections 4 and 6.3 and maybe also 5.3 and 6.1? The general article should therefore be linked in a "related box". Do you agree? -- Nudin (talk) 12:06, 17 June 2020 (UTC)
Apologies for not bringing this up before making changes, as I should have. I didn't familiarize myself with the contributing guidelines and just started chopping. I'm doing this because I recently got a new yubikey, and there were several things about this article which tripped me up trying to understand it. I'm hoping to make it easier for the next person.
What's been done
I've largely rewritten the introduction and section on One-time-passwords with the following goals:
- Start with a high-level overview of the topic, and then go into progressively greater detail. (Start with an overview of the yubikey's capabilities, then cover its inputs and outputs, then go into detail on each specific mode.)
- Consolidate related information into relevant sections. It was scattered, which made it difficult to understand which features and limitations were related to which modes. (For example, the "two slots" section was in the introduction, when the two slots are exclusively for the OTP mode. They have nothing to do with U2F or RSA keys.)
- Reduce wordiness - There were several opportunities to improve succinctness.
- Reduce repetition - There were a few sentences repeated nearly word-for-word in different places.
- Improve language and style.
- Add OTP instructions for static passwords
- Add OTP instructions for OATH
- Improve challenge-response instructions. Update the examples to use ykman instead of ykpersonalize, as that's what the other examples use and its syntax is much more readable.
- Expand the U2F section
- Expand the OpenPGP section (Just a few sentences, no need to rewrite the GPG smartcard article here.)
- Move SSH instructions to the 'Tips and tricks' section with the other examples.
- Extract "How to use a yubikey with X" to its own section
- Improve the "Yubikey and" section
- When explaining how to use a yubikey with some software or service, start with which modes & features can be used to accomplish it.
- In general, provide links to instructions rather than the instructions themselves.
- The 'Two-factor authentication with SSH' section is really 'Yubikey and PAM'. It's not specific to SSH, the same instructions can be used for anything which uses PAM for authentication. There's also the possibility to use challenge-response instead of Yubico OTP, removing the requirement for an external server, which should be documented.
What's left to do
- Add some sources to the PIV section.
- Improve some of the more hacky troubleshooting and maintenance instructions
- Regarding the "Yubikey and" section, I think it is not maintainable to repeat step-by-step instructions for every possible use of a yubikey here. Instead, we should offer an overview of the possibilities (along with their advantages and disadvantages), along with links to instructions where they exist elsewhere. Only provide step-by-step instructions when they don't exist anywhere else, and even then we should consider whether some other page is the right place (in other words, is it specific to the Yubikey?)
This page mentions the old non-flutter authenticator desktop app, but Yubikey doesn't seem to mention it or support it anywhere, see the links on this page. Anecdotally, it didn't work with my Yubikey 5C NFC. Maybe this old application should not be mentioned so prominently?
- The Legacy Yubico Authenticator isn't working for me with my YubiKey 5C NFC either. I wouldn't say the linked site states that the version is incompatible. I would favour the solution that would be upgraded to version 6 (already flagged out-of-date). Maybe clearly indicating that the package is out-of-date, and that it is advised to use the up-to-date AUR for now instead if you run into errors, would help. -- Toorero (talk) 15:43, 25 October 2023 (UTC)