
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

7 votes
0 answers
7250 views
How to setup passkey authentication in Linux?
I have [set up](https://gist.github.com/pavinjosdev/0d7ade586e4b4a33d03a19c7684e78ce) the PAM module `pam_u2f.so` for FIDO2 as the primary authentication method on my LMDE 5 (based on Debian 11) machine. Is there a way to integrate passkey support with this PAM module or with another? Specifically I'm looking for the ability to use Google [passkeys](https://passkeys.dev/device-support/) in addition to my hardware security key (Yubikey). There are several advantages to using a passkey from Google/Apple, with the potential privacy downside:

1. The credentials are tied to the Google account and synced across all Google devices, so any device can be used as an authenticator
2. Not tied to a physical object that can be lost/stolen
3. Main point for lazy me: no need to remove a lost/stolen/damaged key from every website and device it's configured on

The Chrome browser on Linux sends a push notification via Bluetooth to a nearby Android smartphone for FIDO2/WebAuthn registration/authentication. Can the `pam_u2f.so` module (or another one) be configured to send a similar request and receive its response instead of relying on a locally connected USB security key?
Pavin Joseph (276 rep)
Sep 10, 2023, 01:17 PM • Last activity: Jun 8, 2025, 09:47 AM
6 votes
3 answers
6906 views
How to unlock Gnome Keyring after passwordless login with Solokey (Yubiko)?
I experimented on an Ubuntu 19.04 system a bit and took a look here: https://schulz.dk/2019/08/23/using-solokey-for-linux-login/ and here: https://wiki.gnome.org/Projects/GnomeKeyring/Pam#Advanced_configuration

After this I created a file named common-fido-auth and included it in /etc/pam.d/sudo and /etc/pam.d/gdm-password. The last one looks like this:

#%PAM-1.0
session required pam_env.so readenv=1 user_readenv=0
session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
@include common-fido-auth #instead of @include common-auth
@include common-account
@include common-session-noninteractive

I assumed that common-auth has modules which unlock the gnome keyring and copied some lines from common-auth:

auth include common-fido
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so

Whereas common-fido looks like:

auth sufficient pam_u2f.so
auth [success=1 default=ignore] pam_unix.so nullok_secure

But it seems to be wrong. The pam_unix.so is not interpreted properly and with the Solokey I have to type in my password for the Gnome Keyring. Does anyone have any ideas?
Twinkybot (63 rep)
Nov 7, 2019, 10:37 PM • Last activity: Dec 31, 2024, 05:08 PM
0 votes
0 answers
34 views
Bypass 2FA if the SSH key type is "-sk"
I have a server with Google Authentication + PAM set up so it requires a TOTP when connecting to it through SSH. But I would like to make an exception for SSH keys that are stored in a security key, is this possible? [This question](https://unix.stackexchange.com/questions/612443/help-with-bypassing-ssh-2-factor-authentication-when-on-same-local-network-macos) made me think that it is possible to have a separate authorized_keys for these exceptions and control this via PAM, but I don't know if it's possible to switch between them.
Caian (101 rep)
Dec 6, 2024, 01:28 PM • Last activity: Dec 6, 2024, 03:14 PM
0 votes
1 answer
282 views
Can a FIDO2 Security Token be removed after unlocking a LUKS volume at boot?
A FIDO2 security token should be used for decrypting all disks in a Linux machine at boot. systemd allows this since version 248. Can the FIDO2 security token be removed after boot when using LUKS for full disk encryption, or does it need to remain plugged in for the disk to be usable for read/write operations?
Simon Schürg (241 rep)
Apr 7, 2024, 09:01 PM • Last activity: Apr 7, 2024, 10:46 PM
1 vote
1 answer
417 views
Use libfido2 on macos to set PIN on usb security token
I have bought a FIDO-U2F/FIDO2 USB security token and managed to add it as a passkey for GitHub on my macOS (Sonoma). It didn't work for another site and I suspect that it's because the key doesn't have a PIN yet. It is possible to set the key PIN with the fido2-token command provided with libfido2, which can be installed with brew on macOS. But it requires a device name as argument and I don't know what device name to use. On Linux we have to add a user device and the key seller gives the recipe to do so, but they don't provide any info for macOS. Windows provides a GUI interface in the system parameters to set the key PIN, but I would prefer to avoid using a Windows machine to do this.

**EDIT 1**: Since I posted the question, I found out that you can see the connected USB devices by going into Apple icon > About This Mac > More Info > System Report > USB. The path might be slightly different in your version. I do see the key listed there, as I did see it too with lsusb installed with brew, but it doesn't show the /dev I could use to talk to it.
chmike (231 rep)
Jan 21, 2024, 10:07 AM • Last activity: Jan 21, 2024, 11:45 AM
2 votes
1 answer
1293 views
How to unlock kdewallet with FIDO2 key
I am using a FIDO2 key to log in to my KDE session, but then KDE wallet asks for a password. I am using it and find it quite useful to keep keys, SSH passwords, etc. in one place. Is there a way to unlock it with a FIDO2 key? Or maybe there is a replacement wallet that works with FIDO2?
Artiom (153 rep)
Dec 13, 2023, 02:17 AM • Last activity: Jan 6, 2024, 07:32 PM
2 votes
1 answer
1081 views
systemd-cryptenroll with FIDO2
I've set up LUKS volume unlocking with FIDO2 along with a recovery key using sd-cryptenroll:
systemd-cryptenroll --fido2-device=auto /dev/my-luks-device
Slots are configured as follows:
SLOT TYPE    
   1 recovery
   3 fido2
Everything works fine, but in a weird way: on boot I get asked for the recovery key first, then I hit enter a couple of times, basically failing the recovery key, and only then I get prompted for FIDO2 with user presence. I wonder if it's something to do with the slot order, although the man page doesn't mention anything about that. I had actually set up TPM2 unlocking before trying FIDO, and even though TPM was set to slot 2 I was never asked for the recovery key first, so this might not be the issue here. Any help would be much appreciated, thanks!
rogueai (21 rep)
Sep 14, 2022, 08:51 AM • Last activity: Oct 18, 2023, 08:23 PM
5 votes
2 answers
5672 views
FIDO2 (YubiKey) to unlock LUKS at boot on Fedora 36 not working
I'm trying to use FIDO2 (YubiKey 5) with Fedora 36 to unlock the LUKS volume on system boot without success, as it keeps asking for the regular LUKS passphrase and not using the token to unlock the LUKS volume. I followed Lennart Poettering's example on his blog and used `systemd-cryptenroll` to enrol the YubiKey and then modified the /etc/crypttab file with the appropriate config. `cryptsetup luksDump` shows the token is added to the LUKS header. However on system boot the Plymouth splash screen is displayed prompting for the regular LUKS passphrase to unlock the volume. I thought Plymouth might not be displaying the prompt to enter the FIDO2 PIN, so I removed and re-added the LUKS keyslot and token with extra parameters to not require user presence or PIN:

systemd-cryptenroll --fido2-device=auto --fido2-with-user-verification=false --fido2-with-client-pin=false /dev/sda3

This still doesn't work and it still prompts for the LUKS passphrase. Fedora 36 is running systemd version 250. Any ideas why FIDO2 isn't working to unlock the LUKS volume?
cloud_hack (171 rep)
Jun 11, 2022, 12:33 PM • Last activity: Sep 3, 2023, 03:13 AM
2 votes
2 answers
2748 views
Setting up a passwordless login with a U2F token (Yubikey 5)
I am trying to set up a passwordless login for Linux Mint 19.3, in order to be able to log in either with a Yubikey token or a password. I followed the instructions from the Yubikey website and this thread, but I cannot make it work. Briefly, this is what I did:

1. sudo pamu2fcfg -u `whoami` > /etc/Yubico/u2f_keys

2. In **/etc/pam.d/** I created **common-u2f** with the following content:
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys debug debug_file=/var/log/pam_u2f.log authpending_file=/etc/Yubico/pam-u2f-authpending
3. I added
@include common-u2f
before
@include common-auth
in the following files: **lightdm**, **sudo**, **login**, **cinnamon-screensaver**

Now, I can use the sudo command, unlock the screen, and log in (only after logging out) with just my Yubikey. However, when I try to log in after a reboot, something strange happens. I get the blinking light on the Yubikey, and after pressing it, the screen goes black as if it is going to bring up my desktop, but instead it goes back to the login screen. So, basically, if I try to use the Yubikey, it gets stuck in the login loop. To get out of it, I just have to remove the token and use my password. When I looked at the debug log, I saw that it tries to authenticate me twice. The first time it succeeds, but the second time it complains about the U2F device not being found. I don't know why it calls the pam_u2f.so module twice after reboot, as for sudo, unlocking the screen, and logging in (after logging out), it only calls it once (as expected). Here is the content of the debug log:
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1] =debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2] =debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1: 
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:277 (do_authentication): Device max index is 0
debug(pam_u2f): ../util.c:311 (do_authentication): Attempting authentication with device number 1
debug(pam_u2f): ../util.c:335 (do_authentication): Challenge: { "keyHandle": "", "version": "U2F_V2", "challenge": "", "appId": "pam:\/\/host1" }
debug(pam_u2f): ../util.c:349 (do_authentication): Response: { "signatureData": "", "clientData": "" }
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Success]
debug(pam_u2f): ../pam-u2f.c:99 (parse_cfg): called.
debug(pam_u2f): ../pam-u2f.c:100 (parse_cfg): flags 0 argc 4
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[1] =debug
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv[2] =debug_file=/var/log/pam_u2f.log
debug(pam_u2f): ../pam-u2f.c:102 (parse_cfg): argv=authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:104 (parse_cfg): max_devices=0
debug(pam_u2f): ../pam-u2f.c:105 (parse_cfg): debug=1
debug(pam_u2f): ../pam-u2f.c:106 (parse_cfg): interactive=0
debug(pam_u2f): ../pam-u2f.c:107 (parse_cfg): cue=0
debug(pam_u2f): ../pam-u2f.c:108 (parse_cfg): nodetect=0
debug(pam_u2f): ../pam-u2f.c:109 (parse_cfg): manual=0
debug(pam_u2f): ../pam-u2f.c:110 (parse_cfg): nouserok=0
debug(pam_u2f): ../pam-u2f.c:111 (parse_cfg): openasuser=0
debug(pam_u2f): ../pam-u2f.c:112 (parse_cfg): alwaysok=0
debug(pam_u2f): ../pam-u2f.c:113 (parse_cfg): authfile=/etc/Yubico/u2f_keys
debug(pam_u2f): ../pam-u2f.c:114 (parse_cfg): authpending_file=/etc/Yubico/pam-u2f-authpending
debug(pam_u2f): ../pam-u2f.c:115 (parse_cfg): origin=(null)
debug(pam_u2f): ../pam-u2f.c:116 (parse_cfg): appid=(null)
debug(pam_u2f): ../pam-u2f.c:117 (parse_cfg): prompt=(null)
debug(pam_u2f): ../pam-u2f.c:169 (pam_sm_authenticate): Origin not specified, using "pam://host1"
debug(pam_u2f): ../pam-u2f.c:181 (pam_sm_authenticate): Appid not specified, using the same value of origin (pam://host1)
debug(pam_u2f): ../pam-u2f.c:192 (pam_sm_authenticate): Maximum devices number not set. Using default (24)
debug(pam_u2f): ../pam-u2f.c:210 (pam_sm_authenticate): Requesting authentication for user user1
debug(pam_u2f): ../pam-u2f.c:221 (pam_sm_authenticate): Found user user1
debug(pam_u2f): ../pam-u2f.c:222 (pam_sm_authenticate): Home directory for user1 is /home/user1
debug(pam_u2f): ../pam-u2f.c:271 (pam_sm_authenticate): Using authentication file /etc/Yubico/u2f_keys
debug(pam_u2f): ../util.c:105 (get_devices_from_authfile): Authorization line: user1: 
debug(pam_u2f): ../util.c:110 (get_devices_from_authfile): Matched user: user1
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 1: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 1: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 1 is 65
debug(pam_u2f): ../util.c:137 (get_devices_from_authfile): KeyHandle for device number 2: 
debug(pam_u2f): ../util.c:156 (get_devices_from_authfile): publicKey for device number 2: 
debug(pam_u2f): ../util.c:167 (get_devices_from_authfile): Length of key number 2 is 65
debug(pam_u2f): ../util.c:194 (get_devices_from_authfile): Found 2 device(s) for user user1
debug(pam_u2f): ../pam-u2f.c:340 (pam_sm_authenticate): Using file '/etc/Yubico/pam-u2f-authpending' for emitting touch request notifications
debug(pam_u2f): ../util.c:271 (do_authentication): Unable to discover device(s), cannot find U2F device
debug(pam_u2f): ../pam-u2f.c:371 (pam_sm_authenticate): do_authentication returned -2
debug(pam_u2f): ../pam-u2f.c:410 (pam_sm_authenticate): done. [Authentication failure]
As you can see from the log, it tries to authenticate me twice. I have no idea why. Any help would be appreciated!
Proto Ukr (171 rep)
Feb 11, 2020, 01:23 AM • Last activity: Dec 9, 2022, 06:18 PM
3 votes
0 answers
564 views
LUKS on boot with FIDO "or" Password
I've managed to unlock my LUKS partition on boot with a FIDO2 key. My crypttab is

myvolume /dev/sda5 - fido2-device=auto

But I still keep a LUKS key slot with a password (my FIDO key is always on my dock, not my laptop). Now my boot sequence fails if the key is not connected, because it always wants the key PIN number. With the FIDO PAM module, I get asked for PIN+touch only if the key is connected; otherwise it falls back to just asking for the password.

**QUESTION:** Is it possible to have a similar behavior when unlocking LUKS from my boot sequence?
SystematicFrank (270 rep)
Jun 25, 2022, 03:24 PM • Last activity: Jun 25, 2022, 04:42 PM
1 votes
1 answer
857 views
systemd-homed with FIDO2 - Login from tty still possible with password only
I recently tried out systemd-homed and, doing that, I enrolled my Yubikey as a FIDO2 device. When I try to authenticate against the created home via `homectl authenticate` it correctly activates the Yubikey, asks for the PIN and then waits for a touch, followed by the usual password prompt. But when I go ahead and log in to that account from a tty, I'm only prompted for the password; the U2F step is completely omitted. Nevertheless, the previously locked home is decrypted and opened, even if the Yubikey is disconnected. How can I enforce the U2F to be used for any authentication? I'm aware of pam-u2f, but if it is relevant here, I don't know how. I can't match the resources on securing 'traditional' user login with pam-u2f against this scenario; they always start with creating the keys, but these seem to be managed by systemd-homed in this case (I couldn't find definitive info on that).
Simon (195 rep)
Oct 23, 2021, 03:33 AM • Last activity: Oct 26, 2021, 03:05 AM
3 votes
1 answer
2052 views
how to set different authentication requirements in pam policies for different users or groups?
I'm trying to set up a Linux development environment that is both secure and convenient, and after setting up passwordless login and 2-factor authentication with `pam_u2f`, I had the idea to create different user accounts with different authentication requirements. In the configuration files located at `/etc/pam.d/`, authentication methods tend to be user/group agnostic, for example:
auth required pam_u2f.so  authfile=/etc/my_yubikeys cue
Can you specify users or groups so that, for example, an admin account or members of the group wheel require 2 factors to log in (password and something else), while other users require one?
Joshua Ferguson (195 rep)
Mar 9, 2021, 02:35 PM • Last activity: Mar 11, 2021, 08:57 PM
3 votes
0 answers
110 views
OpenSSH U2F as second factor with fallback to Google Authenticator
We use Google Authenticator for 2FA SSH logins. It's configured in /etc/pam.d/sshd as follows:
@include common-password
auth required pam_google_authenticator.so nullok
As you may know, [OpenSSH 8.2 comes with U2F keys support](https://www.openssh.com/txt/release-8.2). We'd like to use U2F in the following manner:

1. If the user authenticates with a U2F-enabled key, let them in without asking for a Google Authenticator code.
2. If the user authenticates with a simple key, ask for the Authenticator code.

How do I achieve that? U2F keys are of a specific type (note the -SK suffix):
$ ssh-keygen -l -f ~/.ssh/id_ecdsa_sk.pub 
256 SHA256:8+ktnvXXshnIek7fEffbEQUhFvwZXOfahSHRagxcdbc pypt@NN (ECDSA-SK)
so maybe there's a way to configure PAM to allow in only specific key types?
Linas Valiukas (131 rep)
Sep 28, 2020, 11:25 PM
9 votes
1 answer
3084 views
U2F/FIDO forwarding over SSH
Is there any mechanism to forward access to a U2F/FIDO security key (such as a Yubikey) over SSH? I'd like to be able to use my local security key to authorize sudo access on a remote host.
Dessa Simpson (548 rep)
May 27, 2020, 09:50 PM • Last activity: May 29, 2020, 02:18 AM
3 votes
4 answers
3885 views
How to use YubiKeys with SSH keys in 2-step verification?
I can set up an SSH keypair without Fido U2F as described in the thread "SSH-agent working over many servers without retyping? Some flag?". Two-step verification would be very good: a password for the private key and Fido U2F verification too. I am not sure if we need a Fido/YubiKey server here too, as instructed in the thread "Yubico Linux Login". My motivation is that I so often forget my passwords, which are very long if used in 1-step verification. 1-step verification is also weak in itself, however long and difficult the password is. Therefore, I would like to have 2-step verification in my Debian with keys, because I think keys can improve security much.

Ticket sent to YubiKey team 22nd Feb 2017

> Dear Sir/Madam, We are thinking how to get 2-step verification with your key and keys in the following thread. Improvements are needed in FIDO U2F and OpenSSH parts. I am thinking how we can push the thing forward with You. Please, say what we can do because the feature request is rather blocked at the moment. Ticket in OpenSSH part: https://bugzilla.mindrot.org/show_bug.cgi?id=2319 Thread about the feature request: http://unix.stackexchange.com/q/346771/16920 Best regards, Leo

OS: Debian 8.7
Hardware: Asus Zenbook UX303UB
Tickets: #2319 (Jakuje)
Fido U2F key: YubiKey 4
Léo Léopold Hertz 준영 (7138 rep)
Feb 22, 2017, 09:53 AM • Last activity: May 27, 2020, 10:55 PM
2 votes
1 answer
1049 views
How to use Security Key in NordVPN login?
Situation: static password file in NordVPN settings
Proposal: any security key, but the proposed one is *YubiKey*, because of its big userbase

I heard that you can set up a Security key (Fido U2F) with a VPN in theory. I am thinking how to do it with NordVPN in practice. Their customer service says that they cannot do it at the moment, but state that it is possible in the following discussion.

> Unfortunately we are not aware if this would work with our service, you would need to test this out for yourself.

VPN files
---

Their default udp file in /etc/openvpn/fi1...udp... looks like this (the embedded CA certificate and the OpenVPN static key are omitted here):

client
dev tun
proto udp
remote 91.233.116.223 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
remote-cert-tls server
#mute 10000
auth-user-pass /etc/openvpn/nordvpn.txt
comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
-----BEGIN CERTIFICATE-----
[certificate omitted]
-----END CERTIFICATE-----
key-direction 1
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
[static key omitted]
-----END OpenVPN Static key V1-----

Your password file at /etc/openvpn/nordvpn.txt

username@gmail.com
myStrongPassword

OS: Debian 8.7
Hardware: Asus Zenbook UX303UB
Security Keys: YubiKey 4, YubiKey Neo
NordVPN Ticket ID: #744897
Léo Léopold Hertz 준영 (7138 rep)
Apr 10, 2017, 03:11 PM • Last activity: Jan 4, 2018, 10:02 PM
2 votes
0 answers
985 views
How to generate OTP codes offline by Security Key in Debian?
Assume you need the OTPs on devices which are separate from the Debian system which generates the codes. Here, U2F does not work in all cases, so I need OTPs. I am trying to add offline OTP functionality with a YubiKey Neo in Debian. My idea:

1. have some key server on your Linux
2. some frontend to generate OTPs.

I have not found any GUI/UI frontend for the generation of OTPs by apt search ....

Things already installed and partially tested

apt search YubiHSM
sudo apt install yubikey-val
sudo apt install python-serial python-crypto
sudo apt install yhsm-tools yhsm-yubikey-ksm yhsm-validation-server yhsm-daemon

I added username:keyID in $HOME/.yubico/authorized_yubikeys. I did not manage to set up any server system in /etc/pam.d/common-auth.

Rejected OTP types

1. [Celada] time-based OTPs (TOTP), because there is no clock in the YubiKey
2. Ticket #00019568: their answer says that it is not possible, in the following.

> This is not supported by the YubiKey. If you are looking to ask for a new feature request, that is best done at our forum in the Suggestions section (https://forum.yubico.com/viewforum.php?f=12&sid=6d5c3368d99340d20ef691f2146c44c7).

OS: Debian 8.7
Fido U2F: Yubico YubiKey Neo, YubiKey 4 White
Yubico ticket for sequence-based OTPs: #00019568

*I want to generate OTPs with a YubiKey Neo. The following thread proposes that the OTPs should be sequence-based OTPs. How can you generate such OTPs with a YubiKey Neo in Linux Debian 8.7?*

Yubico forum thread: How can you generate OTPs offline by YubiKey in Debian?
Léo Léopold Hertz 준영 (7138 rep)
Apr 13, 2017, 07:40 PM • Last activity: Apr 21, 2017, 07:38 PM
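As an added illustration (not part of the question above, and not code from Yubico's yubikey-val or yhsm-validation-server packages), the following shows what a "sequence-based" Yubico OTP actually carries and the checks a validation server performs on it: the 44-character OTP splits into a clear-text public ID and a 32-modhex-character encrypted token; the token, once decrypted with the per-key AES secret held by the key storage module (KSM), is a 16-byte record with a private UID, a session counter, a power-up timer (not a real-time clock, which is why TOTP is not an option), a per-session use counter and a CRC; replay protection is the requirement that the counter pair strictly increase. The public ID, private UID, `authorized_yubikeys` contents and counter values are constructed, and the AES decryption is replaced by an identity function because the example cannot have the key's secret; everything after that step is the real logic.

```python
"""Added example: anatomy of a Yubico OTP and offline, counter-based validation.
All identifiers below are constructed; AES-128 decryption is stubbed out."""
import struct

MODHEX = "cbdefghijklnrtuv"   # keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8       # crc16 over all 16 token bytes when the CRC is intact


def modhex_decode(s):
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("invalid modhex")
    n = [MODHEX.index(c) for c in s]
    return bytes(hi << 4 | lo for hi, lo in zip(n[::2], n[1::2]))


def modhex_encode(b):
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def split_otp(otp):
    """Last 32 modhex chars: encrypted 16-byte token. Preceding chars (12 by
    default): the public ID, sent in clear so the server can find the key."""
    if len(otp) <= 32 or len(otp) % 2:
        raise ValueError("bad OTP length")
    return otp[:-32], otp[-32:]


def crc16(data):
    """CRC-16 as the YubiKey computes it: reflected poly 0x8408, init 0xffff."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


def build_token(uid, session_ctr, timer, use_ctr, rnd):
    """Plaintext token as the key assembles it before AES-encrypting it:
    6-byte private UID, session counter, 24-bit timer (ticks since power-up),
    per-session use counter, random bytes, and the inverted CRC of the rest."""
    body = struct.pack("<6sHHBBH", uid, session_ctr, timer & 0xFFFF,
                       (timer >> 16) & 0xFF, use_ctr, rnd)
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)


def parse_token(token):
    """Parse a decrypted token. A CRC failure means the wrong AES key (or
    garbage), so the token is rejected before any counter is looked at."""
    if len(token) != 16 or crc16(token) != CRC_OK_RESIDUE:
        raise ValueError("CRC check failed")
    uid, ctr, tstpl, tstph, use, rnd, _crc = struct.unpack("<6sHHBBHH", token)
    return {"uid": uid, "session": ctr & 0x7FFF, "use": use,
            "timer": tstph << 16 | tstpl, "rnd": rnd}


def parse_authorized_yubikeys(text):
    """~/.yubico/authorized_yubikeys: one 'user:pubid[:pubid...]' per line."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, *pubids = line.split(":")
            for pubid in pubids:
                mapping[pubid] = user
    return mapping


def validate(otp, authorized, key_db, last_seen):
    """Map public ID to user, decrypt, check CRC and private UID, then require
    the (session, use) pair to exceed the last accepted one. Returns (user, reason)."""
    pubid, enc = split_otp(otp)
    user = authorized.get(pubid)
    if user is None or pubid not in key_db:
        return None, "unknown public id"
    private_uid, decrypt = key_db[pubid]
    try:
        fields = parse_token(decrypt(modhex_decode(enc)))
    except ValueError as e:
        return None, str(e)
    if fields["uid"] != private_uid:
        return None, "private uid mismatch"
    counter = (fields["session"], fields["use"])
    if counter <= last_seen.get(pubid, (-1, -1)):
        return None, "replayed otp"
    last_seen[pubid] = counter
    return user, "ok"


# Constructed demo data. The lambda stands in for AES-128 decryption with
# the per-key secret that a real KSM would hold.
PUBLIC_ID = "ccccccbcgujh"                   # 12 modhex chars = 6 bytes
PRIVATE_UID = bytes.fromhex("8792ebfe26cc")  # 6-byte secret carried inside the token
AUTHORIZED = "# user:public ids\nleo:" + PUBLIC_ID + "\n"
KEY_DB = {PUBLIC_ID: (PRIVATE_UID, lambda blob: blob)}


def demo():
    """Five presses: two in session 5, a replay of the second, a fresh
    session, then an OTP from an older session. Returns the results."""
    authorized, last_seen, results = parse_authorized_yubikeys(AUTHORIZED), {}, []
    for session, use in [(5, 0), (5, 1), (5, 1), (6, 0), (4, 3)]:
        token = build_token(PRIVATE_UID, session, 0x0A1B2C, use, 0x1234)
        results.append(validate(PUBLIC_ID + modhex_encode(token), authorized, KEY_DB, last_seen))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point for the question's setup: nothing in the OTP itself is checkable without the key's AES secret, so "offline" here means a local KSM plus validation server (the yhsm packages listed above) rather than Yubico's cloud, and the server must persist the last accepted counters per key or replay protection is lost.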
-2 votes
2 answers
1307 views
How to 2-step authenticate by password + U2F Yubikey in Linux KeePassX?
I would like to have 2-step authentication by password + Fido U2F security key. I did not find any approaches which would work in Debian 8.7. The OS should not be a limiting factor here because Qt libraries are used with KeePassX.

OS: Debian 8.7
Fido U2F key: YubiKey Neo, YubiKey 4
Léo Léopold Hertz 준영 (7138 rep)
Mar 10, 2017, 10:20 AM • Last activity: Apr 14, 2017, 06:09 AM
1 votes
1 answers
1002 views
How to add Security Key with Button in Debian?
I am trying to add a security key with button (Fido U2F) in Debian. I think the problem may be with the button because of my previous experience with such buttons in Transcend HDDs, where there was never good support for such buttons in Linux. My test target is Gmail with the internet browser Chrome, where I try to add the key as the authenticated key for Gmail. However, it fails all the time.

Steps in Gmail

- 2-step verification > Security Key

> *A Security Key is a small physical device used for signing in. It plugs into your computer's USB port.*

and go to the settings then and try to add

- I plug it in as instructed.

Repeat the iteration many times in different settings, but nothing works, as shown by the following error.

> Something went wrong. Try again.

Because of the persistence of the error, I am thinking this is a Linux issue, probably because of the button of my security key. I have tested two security keys, so there should be no malfunction in the key itself; both reproduce the same error as described above. Bought from the manufacturer directly.

A few iterations of inserting the key and pressing the button in `sudo dmesg`:

    [51267.833520] usb 1-3: new full-speed USB device number 9 using xhci_hcd
    [51267.975180] usb 1-3: New USB device found, idVendor=1050, idProduct=0407
    [51267.975182] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [51267.975184] usb 1-3: Product: Yubikey 4 OTP+U2F+CCID
    [51267.975185] usb 1-3: Manufacturer: Yubico
    [51267.976497] input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1050:0407.0009/input/input195
    [51268.034276] hid-generic 0003:1050:0407.0009: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input0
    [51268.035070] hid-generic 0003:1050:0407.000A: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input1
    [51272.394447] usb 1-3: USB disconnect, device number 9
    [51277.307216] usb 1-3: new full-speed USB device number 10 using xhci_hcd
    [51277.448615] usb 1-3: New USB device found, idVendor=1050, idProduct=0407
    [51277.448619] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [51277.448621] usb 1-3: Product: Yubikey 4 OTP+U2F+CCID
    [51277.448623] usb 1-3: Manufacturer: Yubico
    [51277.450072] input: Yubico Yubikey 4 OTP+U2F+CCID as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:1050:0407.000B/input/input196
    [51277.507682] hid-generic 0003:1050:0407.000B: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input0
    [51277.508561] hid-generic 0003:1050:0407.000C: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input1
    ...

I also made a support ticket about the case, with a link here for the case in Yubico.com.

[GAD3R] Yubico's instructions here

1. *If you have a Security Key by Yubico (blue color), U2F is enabled by default (only U2F mode is supported on this product).* I have the white YubiKey 4 (special edition), so I think the U2F feature should be applied by default.
2. Go to https://github.com/Yubico/libu2f-host/blob/master/70-u2f.rules and download or create a copy of the file named 70-u2f.rules into the Linux directory: /etc/udev/rules.d/
3. .... [rebooting, waiting, testing]

OS: Debian 8.7
Hardware: Asus Zenbook UX303UB
Fido U2F key: YubiKey 4
Chrome: 56.0.2924.87 (Official Build) (64-bit)
Ticket #00019479: *How to use YubiKey 4 in Debian 8.7 with Google Chrome 56.x?*
Léo Léopold Hertz 준영 (7138 rep)
Apr 7, 2017, 05:41 PM • Last activity: Apr 7, 2017, 06:18 PM
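An added example, not from the question or from Yubico's libu2f-host, that turns the posted dmesg output into the check a practitioner would run: the key enumerates two HID interfaces, a Keyboard (the OTP emulator, which is why pressing the button may type characters) and a generic Device; Chrome's U2F support opens the hidraw node of the generic one, and "Something went wrong" is the usual result when the logged-in user cannot open that node. The code finds that node and the idVendor/idProduct pair (1050/0407 from the dmesg above), emits a udev rule in the shape of libu2f-host's 70-u2f.rules, and tests whether the current user can open the node. The dmesg lines are copied from the question; the `TAG+="uaccess"` form is an assumption modelled on that rules file and relies on systemd-logind granting the active seat's user an ACL.

```python
"""Added example: from dmesg to a udev rule and an access check for the U2F HID node.
SAMPLE_DMESG is copied from the question; the rule form follows libu2f-host's 70-u2f.rules."""
import os
import re

SAMPLE_DMESG = """\
[51267.975180] usb 1-3: New USB device found, idVendor=1050, idProduct=0407
[51268.034276] hid-generic 0003:1050:0407.0009: input,hidraw0: USB HID v1.10 Keyboard [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input0
[51268.035070] hid-generic 0003:1050:0407.000A: hiddev0,hidraw1: USB HID v1.10 Device [Yubico Yubikey 4 OTP+U2F+CCID] on usb-0000:00:14.0-3/input1
"""

USB_IDS = re.compile(r"idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})")
# hid-generic <bus:vid:pid.n>: <node,node>: USB HID vX.Y <Keyboard|Device|...>
HID_LINE = re.compile(r"hid-generic \S+: ([^:]+): USB HID \S+ (\w+)")


def usb_ids(dmesg):
    """Return (idVendor, idProduct) as lowercase hex strings, or None."""
    m = USB_IDS.search(dmesg)
    return (m.group(1).lower(), m.group(2).lower()) if m else None


def u2f_hidraw(dmesg):
    """Return the hidraw node of the first HID interface that is not a Keyboard.
    The Keyboard interface types OTPs; U2F goes over the generic HID interface."""
    for m in HID_LINE.finditer(dmesg):
        nodes, kind = m.group(1).split(","), m.group(2)
        if kind == "Keyboard":
            continue
        for node in nodes:
            if node.startswith("hidraw"):
                return node
    return None


def udev_rule(vendor, product):
    """Rule in the shape of libu2f-host's 70-u2f.rules: tag matching hidraw
    nodes 'uaccess' so systemd-logind adds an ACL for the seat's active user."""
    return ('KERNEL=="hidraw*", SUBSYSTEM=="hidraw", '
            f'ATTRS{{idVendor}}=="{vendor}", ATTRS{{idProduct}}=="{product}", TAG+="uaccess"')


def node_accessible(node):
    """True when this process can open /dev/<node> read/write, which is what
    the browser's U2F code needs. False on a machine without the device."""
    return os.access("/dev/" + node, os.R_OK | os.W_OK)


def main(dmesg=SAMPLE_DMESG):
    vendor, product = usb_ids(dmesg)
    node = u2f_hidraw(dmesg)
    print(f"U2F interface: /dev/{node} (idVendor={vendor}, idProduct={product})")
    print("rule for /etc/udev/rules.d/70-u2f.rules:")
    print(udev_rule(vendor, product))
    print("accessible to this user:", node_accessible(node))


if __name__ == "__main__":
    main()
```

On the real machine, pass the output of `dmesg` to `main()` instead of the sample, write the printed rule to `/etc/udev/rules.d/70-u2f.rules`, run `sudo udevadm control --reload-rules`, then unplug and re-plug the key before rerunning the check; the file name must sort before `73-seat-late.rules`, which is where the `uaccess` tag is acted on, so the `70-` prefix matters. If `node_accessible` still returns False, the rule did not match and `ls -l /dev/hidraw*` will show the node still owned by root with no ACL.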