Configuring YubiKey for Challenge-Response with YubiKey Manager (ykman)
YubiKeys are popular hardware security keys for multi-factor authentication, passwordless login, and cryptographic operations. YubiKey Manager (`ykman`) is a versatile command-line tool that helps manage YubiKeys and configure various features, such as OTP (One-Time Passwords), FIDO2, OpenPGP, and more.
In this blog, we’ll walk through installing `ykman`, configuring the system to support smart card (CCID) functionality, and setting up YubiKey’s OTP Challenge-Response mechanism on Slot 2 with a custom secret key.
Prerequisites
Before you proceed, ensure you have:
- A YubiKey (any model that supports OTP)
- A Linux-based system (although similar commands apply for macOS and Windows)
- Administrative privileges (i.e., `sudo` access)
Step 1: Install YubiKey Manager (ykman)
The easiest way to install `ykman` on Ubuntu and other snap-enabled distributions is through the Snap package system. Open your terminal and run the following command:
sudo snap install ykman
Snap packages are updated automatically, and the installation is the same across distributions. If you would rather avoid snap, Debian and Ubuntu package the tool as `yubikey-manager`, and `pip install yubikey-manager` works inside a virtual environment. Whichever route you take, confirm that the tool runs and sees the key before continuing:
ykman --version
ykman list
Step 2: Install PC/SC Daemon (for Smart Card Functionality)
YubiKey’s advanced features such as PIV (Personal Identity Verification), OpenPGP, and OATH require the PC/SC daemon (`pcscd`). This daemon handles smart card communication and is crucial if you plan to use your YubiKey as a smart card device.
To install `pcscd`, run the following command:
sudo apt-get install pcscd
Once installed, ensure that the service is running:
sudo systemctl start pcscd
sudo systemctl enable pcscd
This ensures that the PC/SC daemon starts on boot and is ready to handle YubiKey interactions that require smart card protocols.
Step 3: Configure YubiKey OTP Slot 2 for Challenge-Response
Every YubiKey has two OTP slots. Slot 1 ships from the factory with a Yubico OTP credential and is triggered by a short touch; Slot 2 ships empty and is triggered by a long touch, so it is the usual home for a Challenge-Response credential that leaves the factory OTP intact.
In this example, we will configure Slot 2 with a custom secret key for HMAC-SHA1 Challenge-Response. The host sends a challenge of up to 64 bytes and the key answers with HMAC-SHA1(secret, challenge); the secret stays inside the key once written, which is what makes this mode useful for system authentication (for example via PAM), password managers such as KeePassXC, and other workflows that need a hardware-bound secret.
Generate or Define a Secret Key
For HMAC-SHA1 Challenge-Response the secret is 20 bytes, supplied as 40 hexadecimal digits. Generate it with a proper CSPRNG rather than typing one in by hand; OpenSSL is the simplest option:
openssl rand -hex 20
Treat this value like a password: anyone who holds it can compute every response without the YubiKey. The key never reveals the secret once it has been written, so the only reasons to keep a copy are to program a backup YubiKey with the same secret or to check responses offline. If you keep it, store it offline (and not in a vault that is itself unlocked by this key); otherwise discard it.
Configure Slot 2 with the Secret Key
To write the secret into Slot 2, use the following `ykman` command. Replace the example key with your own 20-byte key (the example below is deliberately not random; never reuse it):
ykman otp chalresp 2 00112233445566778899aabbccddeeff00112233
- `otp chalresp` tells YubiKey Manager that we are configuring OTP Challenge-Response.
- `2` indicates Slot 2. Writing to a slot overwrites whatever credential it already held, and `ykman` asks for confirmation before doing so.
- The hexadecimal string `00112233445566778899aabbccddeeff00112233` is your secret key.
Two options are worth knowing. `--touch` (`-t`) makes the key require a physical touch before it answers, so malware on the host cannot silently collect responses; `--generate` (`-g`) lets `ykman` create and print a random secret instead of taking one on the command line, which also keeps the secret out of your shell history (if you omit the key without `-g`, `ykman` prompts for it instead). With touch required, the command becomes:
ykman otp chalresp --touch 2 00112233445566778899aabbccddeeff00112233
Once this command runs successfully, your YubiKey is ready for Challenge-Response authentication in Slot 2.
Step 4: Verify the Configuration
To confirm that something was written, check the slot status:
ykman otp info
This prints one line per slot, such as `Slot 2: programmed`. That is all the YubiKey will tell you: it does not report which kind of credential a slot holds, and the secret cannot be read back. To prove that Slot 2 really holds your HMAC-SHA1 secret, issue a challenge (a hex string of up to 64 bytes) and compare the answer with HMAC-SHA1 computed from the copy of the secret you saved:
ykman otp calculate 2 4869205468657265
The response is printed as 40 hex digits and must equal `openssl dgst -sha1 -mac HMAC -macopt hexkey:<your secret>` run over the challenge bytes. If the slot was programmed with `--touch`, the key blinks and waits for a touch first.
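The whole procedure from Steps 1 to 4 as one script that also proves the slot works. This is an added example, not code from the original post or from Yubico: it assumes `ykman` 5.x on the PATH, the `openssl` CLI (with `python3` as a fallback for the HMAC only), a POSIX shell, and a single YubiKey plugged in. `--touch` and `ykman otp calculate` are documented `ykman` options; the function names, the `--program` flag and the file name `chalresp.sh` are mine.

```shell
#!/bin/sh
# Added example (not from the original post): program Slot 2 for HMAC-SHA1
# challenge-response with ykman and cross-check the key's answer against an
# offline HMAC-SHA1 computed from the stored secret.
# Assumptions: ykman 5.x on PATH, openssl (or python3) installed, one YubiKey attached.

# validate_secret HEX -> 0 if HEX is exactly 20 bytes (40 hex digits), else 1
validate_secret() {
  case "$1" in
    ''|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# hex_to_bin HEX -> raw bytes on stdout (POSIX shell only, no xxd needed)
hex_to_bin() {
  h=$1
  while [ -n "$h" ]; do
    pair=${h%"${h#??}"}                       # first two hex digits
    h=${h#??}
    printf "\\$(printf '%03o' "$((0x$pair))")" # emit the byte as an octal escape
  done
}

# hmac_sha1_hex HEXKEY (message on stdin) -> lowercase hex digest
hmac_sha1_hex() {
  if command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}'
  else  # hosts without the openssl CLI: same computation via the Python stdlib
    python3 -c 'import sys,hmac,hashlib;print(hmac.new(bytes.fromhex(sys.argv[1]),sys.stdin.buffer.read(),hashlib.sha1).hexdigest())' "$1"
  fi
}

# expected_response SECRET_HEX CHALLENGE_HEX -> what a correctly programmed slot must answer.
# ykman programs the slot in variable-length mode, so for challenges shorter than
# 64 bytes the key computes plain HMAC-SHA1(secret, challenge) over the challenge bytes.
expected_response() {
  validate_secret "$1" || { echo "secret must be 40 hex digits" >&2; return 1; }
  case "$2" in ''|*[!0-9a-fA-F]*) echo "challenge must be hex" >&2; return 1 ;; esac
  [ $(( ${#2} % 2 )) -eq 0 ] && [ $(( ${#2} / 2 )) -le 64 ] \
    || { echo "challenge must be 1..64 whole bytes" >&2; return 1; }
  hex_to_bin "$2" | hmac_sha1_hex "$1"
}

# self_test: known-answer check for the offline path, RFC 2202 HMAC-SHA1 test case 1
# (key = 0x0b x 20, data = "Hi There").
self_test() {
  [ "$(expected_response 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b 4869205468657265)" = \
    "b617318655057264e28bc0b6fb378c8ef146be00" ]
}

# program_slot2: the page's procedure end to end, with a touch requirement.
program_slot2() {
  self_test || { echo "offline HMAC check failed; not touching the key" >&2; return 1; }
  secret=$(openssl rand -hex 20)            # keep this only if you need a backup key
  ykman otp chalresp --touch 2 "$secret"    # overwrites Slot 2; ykman asks for confirmation
  ykman otp info                            # only reports "programmed" / "empty"

  challenge=$(openssl rand -hex 32)         # 32 random bytes, well under the 64-byte limit
  want=$(expected_response "$secret" "$challenge")
  got=$(ykman otp calculate 2 "$challenge" | tail -n 1)   # touch the key when it blinks
  if [ "$got" = "$want" ]; then
    echo "Slot 2 OK: response matches HMAC-SHA1 over the stored secret"
  else
    echo "MISMATCH: got $got, expected $want" >&2
    return 1
  fi
  echo "Secret (store offline or discard): $secret"
}

# Only talk to the hardware when asked; sourcing or testing the file stays offline.
if [ "${1:-}" = "--program" ]; then
  program_slot2
fi
```

Run it as `sh chalresp.sh --program` to program and verify; without the flag the file only defines the functions, so `expected_response SECRET CHALLENGE` can be used on its own to check answers from a slot you programmed earlier. The known-answer check runs first so that a broken local HMAC setup is never mistaken for a broken key.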
Conclusion
You have now successfully installed `ykman`, configured your system for smart card support with `pcscd`, and set up Slot 2 on your YubiKey for OTP Challenge-Response using a custom secret key. This setup is valuable for integrating YubiKey into secure systems, password managers, and custom cryptographic workflows.
By leveraging `ykman`, you unlock a wide range of features in your YubiKey, making it a powerful tool for authentication and security.
For further reading on YubiKey and its capabilities, you can explore the official Yubico documentation.
Common Issues
- PC/SC Not Available: If you encounter the warning `PC/SC not available. Smart card (CCID) protocols will not function.`, ensure that the `pcscd` service is installed and running. You can restart it using:
sudo systemctl restart pcscd
- Permission Denied: If you experience permission issues when running `ykman`, your user lacks access to the USB device. The clean fix is a udev rule that grants access to Yubico devices (Debian and Ubuntu typically ship one in the `libu2f-udev` package; unplug and replug the key after installing it). Running the command with `sudo` works as a one-off but should not become the habit.
With this setup, your YubiKey is now ready to provide robust security for your systems and applications!