Exploring the use of YubiKeys in Fedora Linux

I’m currently exploring the use-cases for YubiKeys in the context of my role as CTO at othermo GmbH. As most of my day-job work feeds back into my personal life and vice versa, I’ve started using YubiKeys on my personal infrastructure and workstation as well.

Personally it’s more “because I can” than actual security considerations. I’m using software-based 2FA and a password manager already and don’t operate sexy-to-hack infrastructure. Still, I’m sleeping a bit easier knowing that my secrets are stored on the key and can’t be extracted by some rogue app on my workstation.

At work it’s a bit different. I’m planning a rollout for the whole company for different purposes. Foremost because it makes it easier to account for existing copies of secrets and to better protect overall system access across a broad, hard-to-control and malware-susceptible attack surface: the client machines of users and employees.

What is a YubiKey anyway?

A YubiKey is a hardware security token, a physical storage device for credentials, sold by a company named Yubico. These devices are fairly tamper-resistant and employ a design intended to protect access to the stored secrets.

YubiKeys come in different flavours of connectors and feature sets. In this post I’m referring to the 5C NFC model, which connects via USB-C or NFC. This matters for which of the features I’m going to introduce and use are available.

Configure a backup key - I mean it

As these hardware tokens are unique by design, it is pretty easy to lock yourself out of everything should you lose the key in any way. I can’t stress this enough. Therefore I always have a second key ready, which I register with services or generate private keys on alongside the first, and which is always kept somewhere safe.

Use-cases

Use-cases I have identified so far:

I’m currently making heavy use of the key for authenticating sudo, managing my OpenSSH keys and using it as an additional factor in web authentication. Regarding Time-based One-Time Passwords (TOTP), which are the de-facto standard for 2FA, I only use the key for the most important services, as its storage capacity for those credentials is limited to 32.

Sudo authentication in particular is useful to me when the lid of my notebook is closed and my fingerprint reader is not accessible.

I don’t use the key for login to my Fedora Workstation though, unlike my fingerprint, as I don’t want logging in to my workstation to be possible with the press of a button when I’m not around. With the fingerprint, someone would at least have to obtain a sample of it and replicate it.

Management of OpenSSH credentials includes keeping my private keys safe and thus securing logins via SSH, including access to git repositories, as well as signing my git operations, since I’m making use of git’s signing feature with OpenSSH keys.

Features

Yubico offers multiple models of the YubiKey with different connectors (USB-A/C, NFC) and supported features. Depending on the model, the device can be used for a variety of things. Let me give you a little run-down on what features there are and what use-cases each feature is suited for. I’ll simply name the features without going into detail on how they work.

With OTP you can:

The OATH TOTP feature is an alternative to Google Authenticator (or AndOTP).
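To make concrete what the OATH TOTP feature actually stores, here is an added Python example (not code from the post) that derives RFC 6238 codes from a shared secret; the demo secret is the RFC test key and is constructed for illustration. On a YubiKey the HMAC step runs inside the token, so the host only ever receives the 6-digit code and never the secret itself.

```python
"""TOTP (RFC 6238) as an authenticator app or an OATH slot computes it.
Added illustration, not code from the post; the demo secret is constructed."""
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(secret: str) -> bytes:
    """Decode a base32 secret as found in otpauth:// URIs (padding optional)."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, digits: int = 6, period: int = 30,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, timestamp // period, digits, algorithm)


def verify_totp(key: bytes, code: str, timestamp: int, skew_steps: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Server-side check: accept the current step or +/- skew_steps neighbours
    (tolerates clock drift) and compare in constant time."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(key, timestamp + step * period, digits, period)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890", base32 encoded.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code:", totp(key, int(time.time())))
```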

The PIV module lets you:

With FIDO U2F you can use the key as a second factor in web browser authentication flows. The web page, or more specifically the browser, will ask you to insert the key and press the button at login if you have configured the key as a second factor. This is an alternative to OTP that does not require you to look up a 6-digit code in an authenticator app.

In the FIDO2 / WebAuthn module you can store SSH keys or register your key as a password-less authentication method at supporting services, as opposed to it being “just” a second factor alongside a password.

Storage limitations

For some features, private keys and other secrets are stored on the YubiKey. Each feature has its own storage space and hence its own maximum number of credential slots:

Updating the Fedora Quick-Docs

As part of my work-related research and experiments I’m also writing an article for Fedora Magazine, and I wrote an update to the Fedora Quick-Docs, as those are quite dated by now. There I took a bit more time and effort to go into this topic.

Any thoughts of your own?

Feel free to raise a discussion with me on Mastodon or drop me an email.

Licenses

The text of this post is licensed under the Attribution 4.0 International License (CC BY 4.0). You may Share or Adapt given the appropriate Credit.

Any source code in this post is licensed under the MIT license.