Exploring the use of YubiKeys in Fedora Linux
I’m currently exploring the use-cases for YubiKeys in the context of my role as CTO at othermo GmbH. As most of my day-job work feeds back into my personal life and vice-versa I’ve started using YubiKeys on my personal infrastructure and workstation as well.
Personally it’s more “because I can” than actual security considerations. I’m using software-based 2FA and a password manager already and don’t operate sexy-to-hack infrastructure. Still, I’m sleeping a bit easier knowing that my secrets are stored on the key and can’t be extracted by some rogue app on my workstation.
At work it’s a bit different. I’m planning a rollout for the whole company for different purposes. Foremost because it makes it easier to account for existing copies of secrets and to better protect overall system access on a broad, hard-to-control and malware-susceptible attack surface: the users’ and employees’ client machines.
What is a YubiKey anyway?
A YubiKey is a hardware security token, a physical storage device for credentials, sold by a company named Yubico. These devices are fairly tamper-resistant and are designed so that the stored secrets can only be used, not extracted.
YubiKeys come in different flavours of connectors and feature sets. In this post I’m referring to the 5C NFC model which connects via USB C or NFC. This is relevant regarding the available features I’m going to introduce / use.
Configure a backup key - I mean it
As these hardware tokens are unique by design, it is pretty easy to lock yourself out of everything should you lose the key in any way. I can’t stress this enough. Therefore I always have a second key ready when registering with services or generating private keys, and that key is always kept somewhere safe.
Use-cases
Use-cases I have identified so far:
- Login to Fedora Linux Workstation (using PAM)
- Authenticating sudo
- Managing OpenSSH private keys
- MFA for web services
- OpenPGP encryption, authentication and signing
- Decrypting LUKS partitions
I’m currently making heavy use of the key for authenticating sudo, managing my OpenSSH keys and using it as an additional factor in web authentication. Regarding Time-based One-Time Passwords (TOTP), which are the de-facto standard for 2FA, I only use the key for the most important services, as its storage capacity for those credentials is limited to 32.
Especially sudo authentication is useful to me when the lid of my notebook is closed and my fingerprint reader is not accessible.
I don’t use the key for login to my Fedora Workstation though, unlike my fingerprint, as I don’t want login to my workstation to be possible with the press of a button when I’m not around. With the fingerprint you’ll at least have to obtain a sample of it and replicate it.
Management of OpenSSH credentials includes keeping my private keys safe and thus securing logins via SSH, including access to git repositories, as well as signing my git operations, since I’m making use of git’s commit and tag signing with OpenSSH keys.
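As an added example that is not part of the original post, here is a small POSIX shell script for the sudo use-case above: it registers a primary and a backup key in pam_u2f’s authfile on one line (so losing the primary key does not lock you out) and prints the PAM rule for /etc/pam.d/sudo. It assumes Fedora with the pam-u2f and pamu2fcfg packages installed; the helper function names are my own.

```shell
#!/bin/sh
# Added example: register a primary AND a backup YubiKey for pam_u2f so that
# `sudo` can be authenticated by touching either key. Not from the original post.
set -eu

U2F_KEYS="${HOME}/.config/Yubico/u2f_keys"   # default authfile of pam_u2f

# Pure helper: append a backup key's fields (as printed by `pamu2fcfg -n`)
# to an existing `user:keyhandle,pubkey,...` line. pam_u2f expects all keys
# of a user on ONE line separated by ':'; two lines would be read as two users.
add_backup_key() {
    primary="$(printf '%s' "$1" | tr -d '\n')"
    backup="$(printf '%s' "$2" | tr -d '\n')"
    case "$backup" in
        :*) printf '%s%s\n' "$primary" "$backup" ;;   # -n output already has ':'
        *)  printf '%s:%s\n' "$primary" "$backup" ;;
    esac
}

# Number of registered keys on a u2f_keys line (the username field excluded).
key_count() {
    printf '%s' "$1" | tr -d '\n' | awk -F: '{ print NF - 1 }'
}

# PAM rule for /etc/pam.d/sudo: `cue` prints a "touch your key" reminder,
# `sufficient` keeps the password as a fallback when no key is plugged in.
# An optional argument (e.g. authfile=/etc/security/u2f_keys) is appended.
pam_rule() {
    printf 'auth sufficient pam_u2f.so cue%s\n' "${1:+ $1}"
}

# Interactive part: needs both hardware keys, so it only runs when asked for.
register() {
    mkdir -p "$(dirname "$U2F_KEYS")"
    echo "Insert the PRIMARY key and touch it when it blinks."
    primary="$(pamu2fcfg -u "$USER")"
    echo "Now insert the BACKUP key and touch it."
    backup="$(pamu2fcfg -n)"
    add_backup_key "$primary" "$backup" > "$U2F_KEYS"
    chmod 600 "$U2F_KEYS"
    echo "Registered $(key_count "$(cat "$U2F_KEYS")") keys in $U2F_KEYS"
    echo "Now add this line near the top of /etc/pam.d/sudo:"
    pam_rule
}

if [ "${1:-}" = "register" ]; then
    register
fi
```

Run it as `sh yubi-sudo.sh register`; test the new PAM rule in a second terminal that already has a root shell open, so a typo in /etc/pam.d/sudo cannot lock you out.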
Features
Yubico offers multiple models of the YubiKey with different connectors (USB A/C, NFC) and supported features. Depending on the model the device can be used for a variety of things. Let me give you a little run-down on what features there are and what use-cases each feature is suited for. I’ll simply name the features without going into detail on how they work.
With OTP you can:
- Log into the system via terminal
- Log into GDM
- Authenticate sudo
The OATH TOTP feature is an alternative to Google Authenticator (or AndOTP).
The PIV module lets you:
- Store OpenSSL certificates and private keys
- Store OpenSSH private keys
With FIDO U2F you can use the key as a second factor in web browser authentication flows. The web page, or more specifically the browser, will ask you to insert the key and press the button on login if you configured the key as second factor. This is an alternative to OTP that does not require you to look up a six-digit code in an authenticator app.
In the FIDO2 / WebAuthn module you can store SSH keys or register your security key as a password-less authentication method at supporting services, as opposed to it being “just” a second factor alongside a password.
Storage limitations
For some features, private keys and other secrets are stored on the YubiKey. Each feature has its own storage space and hence its own maximum number of credential slots:
- OTP – Unlimited, as only one secret per key is required
- FIDO U2F – Unlimited, as only one secret per key is required
- FIDO2 – 25 credentials / identities
- OATH – 32 credentials
- PIV – 24 X.509 certificates and their respective private keys
- OpenPGP – 3 keys; one for encryption, signing and authentication each
Updating the Fedora Quick-Docs
As part of my work-related research and experiments I’m also writing an article for the FedoraMagazine and I wrote an update to the Fedora Quick-Docs, as those are quite dated by now. There I took a bit more time and effort to go into this topic.
Any thoughts of your own?
Feel free to raise a discussion with me on Mastodon or drop me an email.