The Wonderful World of Yubikey: OS Login and Sudo

We've covered a lot with this series. We've nearly Yubikeyed all of the things:

You can also set up your Yubikey as an authentication mechanism on your computer. This post will only be touching on Mac OS and Linux, but similar functionality does exist for Windows as well.

SUDO

It's likely that you have admin privs on the personal machines you work with. It's also likely that you don't log in to those machines as root but instead use sudo to elevate the privileges of certain commands and requests. With great power comes great responsibility... and wouldn't it be nice if we could just add one more layer of protection in there?

In both Linux and Mac OS you can require interaction from a Yubikey in order to use the sudo command.

LOGIN

You can also require Yubikey to be a part of your login process but it will look a bit different on Linux vs Mac.

For Ubuntu-based distros you will be utilizing the PAM module. It's as simple as setting up your Yubikey to work with the system as outlined here:

https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

In this setup, you will need to tap your Yubikey in addition to inputting your password in order to log in to your system. Note: this does not apply to unlocking the Full Disk Encryption after a reboot, only to logging in as your user.
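The sudo and login setups above both come down to a `pam_u2f.so` line in the relevant `/etc/pam.d/` file. The following is an added example, not part of the original post or of Yubico's guide: a small POSIX shell audit that checks whether a PAM service file actually requires the key, with the sample config texts constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a PAM service file,
# such as /etc/pam.d/sudo, really requires a Yubikey tap via pam_u2f.
# The three sample configs below are constructed for illustration.

# What a hardened /etc/pam.d/sudo looks like on an Ubuntu-based system once
# libpam-u2f is installed and keys have been registered with `pamu2fcfg`:
HARDENED_SUDO='#%PAM-1.0
auth    required   pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
@include common-auth
@include common-account
@include common-session-noninteractive'

# The stock file: password only.
DEFAULT_SUDO='#%PAM-1.0
@include common-auth
@include common-account
@include common-session-noninteractive'

# Weaker than it looks: nouserok silently skips the key for any account
# that has no entry in the authfile.
LENIENT_SUDO='#%PAM-1.0
auth    required   pam_u2f.so authfile=/etc/Yubico/u2f_keys cue nouserok
@include common-auth'

# requires_u2f CONFIG_TEXT: succeed (0) if an uncommented "auth required" or
# "auth requisite" pam_u2f line exists. "sufficient" is deliberately rejected:
# it would let the key replace the password instead of adding to it.
requires_u2f() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+pam_u2f\.so'
}

# allows_keyless_users CONFIG_TEXT: succeed (0) if the pam_u2f line carries
# nouserok, i.e. users without a registered key are never challenged.
allows_keyless_users() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*auth[[:space:]].*pam_u2f\.so.*[[:space:]]nouserok([[:space:]]|$)'
}

# audit_file PATH: one-line verdict for a real PAM service file.
# Run this before closing the root shell you kept open while editing.
audit_file() {
    [ -r "$1" ] || { echo "$1: not readable"; return 2; }
    cfg=$(cat "$1")
    if requires_u2f "$cfg"; then
        allows_keyless_users "$cfg" && echo "$1: pam_u2f required, but nouserok set" \
                                  || echo "$1: pam_u2f required"
    else
        echo "$1: no hardware second factor"; return 1
    fi
}
```

Usage on a live system: `audit_file /etc/pam.d/sudo` (and the same for the login stack).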

For Mac OS this will look different. Here you will be enrolling your Yubikey as a smart card within the system itself. Yubico cautions against this on M1 Macs. Here is an article I found useful when setting this up on my own machines:

https://support.yubico.com/hc/en-us/articles/360016649059-Using-Your-YubiKey-as-a-Smart-Card-in-macOS

By default, your Yubikey is an optional part of login on Mac OS. However, you can make it a requirement. Just be aware that if something goes wrong you will have to use Recovery Mode in order to undo the smart card requirement.

From painful personal experience, I recommend setting a very long password on your Mac user account and then relying on the Yubikey + PIN as an "easier" way to authenticate.

You can see more of my Yubikey on Mac OS adventures in this Reddit post:

Yubikey as Smart Card on Mac OS - File Vault Decryption Question (r/yubikey)

Depending on how sensitive the data on your machines is and how likely you think physical theft is, this could be an option for you. NOTE: the above discussion does nothing to mitigate threats such as phishing links and some malware variants. This is really just one more use you can squeeze out of the Yubikeys you already own that adds another layer of physical security to your setup.