SSH key

WSL

If you’re on WSL, make sure that ssh-keygen can access your device. On my WSL setups, I had to create a udev rule (see the udev rule section below).

Generating a key

We use ssh-keygen for that.

ssh-keygen -t ed25519-sk -O resident -O verify-required -C "username@hostname (Yubikey description)"

Note

Please also refer to Yubico’s official documentation.

Simply choose a path for the key to be saved to and, optionally, a passphrase. Since the file is only a key stub (a handle that is useless without the YubiKey), you shouldn’t need one if you specified verify-required: the key is then protected by your PIN and by physical control of your YubiKey, provided the PIN is strong.

Resident Keys

For my server, I don’t use resident keys. It may not be a security concern either way, but I don’t mind manually copying the key stub to any PC from which I want to access my server.

Depending on whether you chose the default name or not, you might have to add the key to the ssh-agent:

ssh-add ~/.ssh/PRIVATE_KEY_FILE

Replace

  • PRIVATE_KEY_FILE: The filename you chose previously

udev rule

Add a udev rule in the form of a file /etc/udev/rules.d/99-yubikey.rules

/etc/udev/rules.d/99-yubikey.rules
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", TAG+="uaccess", GROUP="plugdev", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406"

Note

You might need to change the vendor and product ID; the rule above matches one specific YubiKey model.

You can easily check the IDs using lsusb.

Simply locate the YubiKey line in the output; the IDs follow the pattern [Bus IDs]: ID <vendor>:<product> [Name of the device]

Subsequently, add your user to the plugdev group, restart WSL, and you should be good to go.

sudo groupadd plugdev
sudo usermod -aG plugdev username

Replace

  • username : Your username
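The lsusb lookup and the udev rule above, as an added shell example that is not part of the original page: it extracts the vendor and product ID of the first Yubico device from lsusb-formatted output, validates both IDs, and prints the matching rule line, so the IDs need not be copied by hand. The sample lsusb output is constructed, and the function names (yubikey_ids, valid_ids, udev_rule, install_rule) are this example’s own.

```shell
#!/bin/sh
# Added example (not from the original page): build the 99-yubikey.rules line
# from lsusb output instead of hard-coding the vendor and product IDs.
#
# Assumption: lsusb prints one device per line in the form
#   Bus 001 Device 004: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID
# and the YubiKey line contains "Yubico" or "YubiKey" (matched case-insensitively).

# Constructed lsusb output, used so the script can be exercised offline.
SAMPLE_LSUSB='Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 004: ID 1050:0406 Yubico.com Yubikey 4/5 U2F+CCID
Bus 001 Device 005: ID 046d:c52b Logitech, Inc. Unifying Receiver'

# Print "<vendor> <product>" for the first Yubico device in lsusb-formatted
# text ($1); with no argument the live lsusb output is used. Prints nothing
# when no YubiKey line is present.
yubikey_ids() {
    input="${1:-$(lsusb 2>/dev/null)}"
    printf '%s\n' "$input" \
        | grep -i -E 'yubi(co|key)' \
        | head -n 1 \
        | sed -nE 's/.* ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4}) .*/\1 \2/p'
}

# Succeed only if both $1 (vendor) and $2 (product) are exactly four hex digits,
# so a mis-parsed line can never end up inside the rule file.
valid_ids() {
    printf '%s' "$1" | grep -qE '^[0-9a-fA-F]{4}$' \
        && printf '%s' "$2" | grep -qE '^[0-9a-fA-F]{4}$'
}

# Emit the udev rule line from the page for vendor $1 and product $2.
udev_rule() {
    printf 'KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", TAG+="uaccess", GROUP="plugdev", ATTRS{idVendor}=="%s", ATTRS{idProduct}=="%s"\n' "$1" "$2"
}

# Detect the YubiKey and write the rule to $1 (default: the path from the page).
# Needs root for the default path; run this step explicitly (see usage below).
install_rule() {
    target="${1:-/etc/udev/rules.d/99-yubikey.rules}"
    ids=$(yubikey_ids) || true
    set -- $ids
    if ! valid_ids "$1" "$2"; then
        echo "no YubiKey found in lsusb output; check the IDs manually" >&2
        return 1
    fi
    udev_rule "$1" "$2" > "$target" && echo "wrote $target for $1:$2"
}

# Usage: `sh yubikey-udev.sh install [rule-file]` writes the rule;
# without arguments the script only defines the functions and prints the
# rule derived from the constructed sample.
case "${1:-}" in
    install) shift; install_rule "$@" ;;
    *)       set -- $(yubikey_ids "$SAMPLE_LSUSB"); udev_rule "$1" "$2" ;;
esac
```

After writing the rule, the page’s remaining steps still apply: add your user to plugdev and restart WSL so the new rule and group membership take effect.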