

Configuring YubiKey for Challenge-Response with YubiKey Manager (ykman)

YubiKeys are popular hardware security keys for multi-factor authentication, passwordless login, and cryptographic operations. YubiKey Manager (ykman) is a versatile command-line tool that helps manage YubiKeys and configure various features, such as OTP (One-Time Passwords), FIDO2, OpenPGP, and more.

In this blog, we’ll walk through installing ykman, configuring the system to support smart card (CCID) functionality, and setting up YubiKey’s OTP Challenge-Response mechanism on Slot 2 with a custom secret key.

Prerequisites

Before you proceed, ensure you have:

  • A YubiKey (any model that supports OTP)
  • A Linux-based system (although similar commands apply for macOS and Windows)
  • Administrative privileges (i.e., sudo access)

Step 1: Install YubiKey Manager (ykman)

The easiest way to install ykman is through the Snap package system. Open your terminal and run the following command:

sudo snap install ykman

Snap packages offer the advantage of being automatically updated, and the installation process is streamlined across different Linux distributions.

Step 2: Install PC/SC Daemon (for Smart Card Functionality)

YubiKey’s advanced features such as PIV (Personal Identity Verification), OpenPGP, and OATH require the PC/SC daemon (pcscd). This daemon handles smart card communication and is crucial if you plan to use your YubiKey as a smart card device.

To install pcscd, run the following command:

sudo apt-get install pcscd

Once installed, ensure that the service is running:

sudo systemctl start pcscd
sudo systemctl enable pcscd

This ensures that the PC/SC daemon starts on boot and is ready to handle YubiKey interactions that require smart card protocols.

Step 3: Configure YubiKey OTP Slot 2 for Challenge-Response

YubiKeys support OTP in two configuration slots. By default, Slot 1 is usually programmed for standard Yubico OTP, while Slot 2 is left free for custom purposes such as Challenge-Response.

In this example, we will configure Slot 2 with a custom secret key for Challenge-Response using HMAC-SHA1. This key can be used in scenarios such as system authentication, password managers, or other cryptographic operations.

Generate or Define a Secret Key

For Challenge-Response to work, you need a 20-byte secret key in hexadecimal format. You can either generate this key yourself or use a tool like OpenSSL:

openssl rand -hex 20

Ensure you securely store this secret key, as it will be used for Challenge-Response authentication.

Configure Slot 2 with the Secret Key

To configure the secret key for Challenge-Response in Slot 2, use the following ykman command. Replace the example key with your own 20-byte key:

ykman otp chalresp 2 00112233445566778899aabbccddeeff00112233

  • otp chalresp tells YubiKey Manager that we are configuring OTP Challenge-Response.
  • 2 indicates Slot 2.
  • The hexadecimal string 00112233445566778899aabbccddeeff00112233 is your secret key.

Once this command runs successfully, your YubiKey is ready for Challenge-Response authentication in Slot 2.

Step 4: Verify the Configuration

To ensure that the configuration was successful, you can check the YubiKey’s slot status with the following command:

ykman otp info

This command will display information about both Slot 1 and Slot 2, allowing you to verify that Slot 2 has been configured for Challenge-Response using HMAC-SHA1.

Conclusion

You have now successfully installed ykman, configured your system for smart card support with pcscd, and set up Slot 2 on your YubiKey for OTP Challenge-Response using a custom secret key. This setup is valuable for integrating YubiKey into secure systems, password managers, and custom cryptographic workflows.

By leveraging ykman, you unlock a wide range of features in your YubiKey, making it a powerful tool for authentication and security.

For further reading on YubiKey and its capabilities, you can explore the official Yubico documentation.

Common Issues

  1. PC/SC Not Available: If you encounter the warning PC/SC not available. Smart card (CCID) protocols will not function., ensure that the pcscd service is installed and running. You can restart it using:

sudo systemctl restart pcscd

  2. Permission Denied: If you experience permission issues when running ykman, ensure that your user has access to USB devices, or try running the command with sudo.

With this setup, your YubiKey is now ready to provide robust security for your systems and applications!


Compiling the latest version of YubiKey Personalization Tool on Ubuntu 18.04 LTS

Recently, we got our hands on some YubiKeys and decided to use them to build a Two-Factor Authentication (2FA) system for the fun of it. We had an up-to-date Ubuntu 18.04 LTS at our disposal, so we installed the personalization tools from the official repositories in order to configure the YubiKeys and modify their behavior.

To our disappointment, when we used ykpersonalize and yubikey-personalization-gui we would get an error that the firmware of the YubiKey was unknown…
At the time, the installation packages from the official Ubuntu repositories had version 3.1.24 for the application version and 1.18.0 for the library version.

We noticed that the YubiKey Personalization Tools page offered newer versions of both the application and the library: at the time, the application version was 3.1.26 and the library version was 1.19.0. Since both were newer than the versions in the repositories, we decided to build them and see whether they worked correctly with our YubiKeys.

The instructions shipped with the respective packages were not complete, and the installations failed when we followed them blindly. To make the installations work, we installed the following dependencies and tools before compiling:

sudo apt update -y;
sudo apt upgrade -y;
sudo apt install build-essential -y;
sudo apt-get install pkg-config git autoconf libtool asciidoc-base -y;

After installing the above packages the rest of the installation went smoothly.

Installing the command line tools and the library

cd ~; # or any other folder of your choice
sudo apt-get install libykpers-1-dev libyubikey-dev libusb-1.0-0-dev libjson-c-dev -y;
git clone https://github.com/Yubico/yubikey-personalization.git;
cd yubikey-personalization;
autoreconf --install;
./configure;
sudo make check install;

Installing the Qt based Cross-Platform YubiKey Personalization Tool

cd ~; # or any other folder of your choice
sudo apt-get install qt4-qmake libqt4-dev -y;
git clone https://github.com/Yubico/yubikey-personalization-gui.git;
cd yubikey-personalization-gui;
qmake && make;