YubiKey MFA U2F FIDO notes

See:

Vulnerability:

FIDO2:

# dmesg 
[ 4283.840605] usb 4-2: new full-speed USB device number 10 using ohci-pci
[ 4284.041632] usb 4-2: New USB device found, idVendor=1050, idProduct=0120, bcdDevice= 5.27
[ 4284.041647] usb 4-2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 4284.041653] usb 4-2: Product: Security Key by Yubico
[ 4284.041657] usb 4-2: Manufacturer: Yubico
[ 4284.048451] hid-generic 0003:1050:0120.0009: hiddev0,hidraw0: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:12.0-2/input0
$ lsusb |grep -i yubi
Bus 003 Device 007: ID 1050:0120 Yubico.com Yubikey Touch U2F Security Key

sudo apt-get install yubikey-manager

$ ykman mode
Current connection mode is: FIDO
Supported USB interfaces are: FIDO

$ ykman list
Security Key by Yubico [FIDO]

$ ykman info
Device type: Security Key NFC
Serial number: Not set or unreadable
Firmware version: 5.2.7
Form factor: Keychain (USB-A)
Enabled USB interfaces: FIDO
NFC interface is enabled.

Applications    USB             NFC          
OTP             Not available   Not available
FIDO U2F        Enabled         Enabled      
OpenPGP         Not available   Not available
PIV             Not available   Not available
OATH            Not available   Not available
FIDO2           Enabled         Enabled  

Set the PIN

ykman fido set-pin

Change the PIN (same command; it prompts for the current PIN when one is already set)

ykman fido set-pin

Disable NFC

ykman config nfc --disable-all

To check:

ykman info

ykman otp settings --no-enter 1

Problem

Does not work for me

Debian 10 with the YubiKey Touch U2F Security Key

$ sudo apt-get install yubikey-personalization
$ ykinfo -a
Yubikey core error: no yubikey present

As well as the package: apt-get install yubikey-personalization-gui

Config

Needed?

Using Your U2F YubiKey with Linux. Source: https://support.yubico.com/hc/en-us/articles/360013708900-Using-Your-U2F-YubiKey-with-Linux

curl https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules |sudo tee /etc/udev/rules.d/70-u2f.rules

Debian - PAM config

Source: https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

sudo apt-get install pamu2fcfg
$ pamu2fcfg
Enter PIN for /dev/hidraw0: 
error: fido_dev_make_cred (58) FIDO_ERR_ACTION_TIMEOUT

The FIDO_ERR_ACTION_TIMEOUT error was because I had not pressed the key's button quickly enough.

With the first key:

pamu2fcfg > ~/.config/Yubico/u2f_keys

We unplug the key, then insert our second key. It is a backup key.

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
sudo apt-get install libpam-u2f
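The two pamu2fcfg commands above leave a mapping file with one line per user and one credential per colon-separated field. The script below is an added example, not part of the original notes: it counts the credentials registered for a user in such a file and flags users who have no backup key, which is worth doing before a "required" pam_u2f line goes into sudo or login, since a lost single key then means a locked account. The sample file and its key handles and public keys are constructed placeholders; the assumed line format is the one pamu2fcfg writes (user:keyhandle,pubkey[,cosetype,options]:...).

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a pam_u2f
# mapping file (~/.config/Yubico/u2f_keys) and count credentials per user.
# Assumed line format (what pamu2fcfg writes):
#   user:keyhandle,pubkey[,cosetype,options]:keyhandle,pubkey[,...]

# Print the number of credentials registered for user $2 in file $1
# (0 if the user has no line). Exit status 1 if a credential is malformed.
u2f_cred_count() {
    awk -F: -v u="$2" '
        /^[ \t]*$/ || /^[ \t]*#/ { next }      # skip blank and comment lines
        $1 == u {
            found = 1
            for (i = 2; i <= NF; i++) {
                k = split($i, f, ",")
                # each credential needs at least a key handle and a public key
                if (k < 2 || f[1] == "" || f[2] == "") bad = 1
                else n++
            }
        }
        END { if (bad) exit 1; print (found ? n + 0 : 0) }
    ' "$1"
}

# Succeed (exit 0) only if the user has at least two credentials, i.e. the
# primary key plus the backup key registered with "pamu2fcfg -n".
u2f_has_backup() {
    n=$(u2f_cred_count "$1" "$2") || return 2
    [ "$n" -ge 2 ]
}

# Constructed sample file: "alice" has two keys, "bob" only one. Key handles
# and public keys are placeholders, not real credentials.
U2F_SAMPLE=$(mktemp)
printf '%s\n' \
    '# pam_u2f mapping file (constructed sample)' \
    'alice:KH_alice_1,PK_alice_1,es256,+presence:KH_alice_2,PK_alice_2,es256,+presence' \
    'bob:KH_bob_1,PK_bob_1' > "$U2F_SAMPLE"

for user in alice bob; do
    if u2f_has_backup "$U2F_SAMPLE" "$user"; then
        echo "$user: $(u2f_cred_count "$U2F_SAMPLE" "$user") credentials, backup present"
    else
        echo "$user: only $(u2f_cred_count "$U2F_SAMPLE" "$user") credential(s), register a backup key"
    fi
done
```

Run it against the real file with u2f_has_backup ~/.config/Yubico/u2f_keys "$USER" before enabling the PAM line; a non-zero status means only one key is enrolled.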

The PAM configuration consists of adding the line below after @include common-auth:

auth       required   pam_u2f.so # debug debug_file=/var/log/pam_u2f.log

Protecting sudo

/etc/pam.d/sudo
#%PAM-1.0

@include common-auth

# For YubiKey add line :
auth       required   pam_u2f.so # debug debug_file=/var/log/pam_u2f.log

@include common-account
@include common-session-noninteractive

/etc/pam.d/sudo-i
#%PAM-1.0

# Set up user limits from /etc/security/limits.conf.
session    required   pam_limits.so

@include common-auth
# For YubiKey add line :
auth       required   pam_u2f.so # debug debug_file=/var/log/pam_u2f.log

@include common-account
@include common-session

Protecting graphical login

/etc/pam.d/gdm-password
@include common-auth

# For YubiKey add line :
auth    required        pam_u2f.so      # debug debug_file=/var/log/pam_u2f.log

/etc/pam.d/sddm
#%PAM-1.0

# Block login if they are globally disabled
auth    requisite       pam_nologin.so
auth    required        pam_succeed_if.so user != root quiet_success

# auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
# For YubiKey add line :
auth       required   pam_u2f.so # debug debug_file=/var/log/pam_u2f.log

# gnome_keyring breaks QProcess
-auth   optional        pam_gnome_keyring.so
-auth   optional        pam_kwallet5.so

@include common-account

# SELinux needs to be the first session rule.  This ensures that any
# lingering context has been cleared.  Without this it is possible that a
# module could execute code in the wrong domain.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Create a new session keyring.
session optional        pam_keyinit.so force revoke
session required        pam_limits.so
session required        pam_loginuid.so
@include common-session
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context.  Only sessions which are intended
# to run in the user's context should be run after this.
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional       pam_gnome_keyring.so auto_start
-session optional       pam_kwallet5.so auto_start

@include common-password

# From the pam_env man page
# Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack.

# Load environment from /etc/environment
session required        pam_env.so

# Load environment from /etc/default/locale and ~/.pam_environment
session required        pam_env.so envfile=/etc/default/locale user_readenv=1

Protecting TTY login

@include common-auth
# For YubiKey add line :
auth         required   pam_u2f.so      # debug debug_file=/var/log/pam_u2f.log
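Each service file above gets the same pam_u2f line, placed after @include common-auth and with the control "required". The script below is an added example, not from the original notes: it audits a PAM service file for that line, ignoring commented lines, and reports when the line is missing (for instance left commented out), placed before the common-auth include, or given a control such as "sufficient", which would let the key alone stand in for the password instead of adding a second factor. The sample service files are constructed; the function works unchanged on /etc/pam.d/sudo or /etc/pam.d/login.

```shell
#!/bin/sh
# Added example, not from the original notes: audit a PAM service file
# (e.g. /etc/pam.d/sudo) for the pam_u2f line the notes add to each service.
# Exit status: 0 ok, 1 no active "auth ... pam_u2f.so" line, 2 pam_u2f placed
# before "@include common-auth", 3 control is not required/requisite.
pam_u2f_check() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # commented-out lines do not count
        $1 == "@include" && $2 == "common-auth" { inc = NR }
        $1 == "auth" && $3 == "pam_u2f.so"     { u2f = NR; ctl = $2 }
        END {
            if (!u2f) exit 1
            if (!inc || u2f < inc) exit 2
            if (ctl != "required" && ctl != "requisite") exit 3
            exit 0
        }
    ' "$1"
}

# Constructed sample service files: one configured as in the notes, one with
# the key line before the password include, one with the key line commented
# out, and one using "sufficient".
mk() { f=$(mktemp); printf '%s\n' "$@" > "$f"; echo "$f"; }
PAM_OK=$(mk '#%PAM-1.0' '@include common-auth' 'auth required pam_u2f.so' '@include common-account')
PAM_EARLY=$(mk '#%PAM-1.0' 'auth required pam_u2f.so' '@include common-auth' '@include common-account')
PAM_OFF=$(mk '#%PAM-1.0' '@include common-auth' '#auth required pam_u2f.so' '@include common-account')
PAM_SUFF=$(mk '@include common-auth' 'auth sufficient pam_u2f.so')

for f in "$PAM_OK" "$PAM_EARLY" "$PAM_OFF" "$PAM_SUFF"; do
    rc=0
    pam_u2f_check "$f" || rc=$?
    case $rc in
        0) echo "$f: ok" ;;
        1) echo "$f: no active pam_u2f auth line" ;;
        2) echo "$f: pam_u2f must come after @include common-auth" ;;
        3) echo "$f: pam_u2f control should be required, not sufficient" ;;
    esac
done
```

Looping it over /etc/pam.d/sudo, sudo-i, gdm-password, sddm and login gives a quick view of which services actually enforce the key after an edit.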

Other

sudo apt-get install libccid pcscd
sudo systemctl status pcscd