---
publish: true
permalink: /os/yubikey
title: Yubikey
created: 2026-01-29T21:27:17.327-07:00
modified: 2026-02-05T12:18:10.589-07:00
tags:
- security
- yubikey
- 2fa
cssclasses: ""
---
YubiKey hardware security key setup on Arch Linux.
## Installation
```bash
sudo pacman -S \
yubikey-manager \
yubico-authenticator \
pcsclite ccid
```
- `yubikey-manager` — CLI tool (`ykman`)
- `yubico-authenticator` — TOTP/HOTP GUI
- `pcsclite`, `ccid` — Smart card daemon (`pcscd`) and CCID reader driver
## Enable Services
```bash
sudo systemctl enable --now pcscd
```
## Basic Usage
### Check YubiKey
```bash
ykman info
```
### List OTP slots
```bash
ykman otp info
```
## TOTP Authenticator
Launch the GUI:
```bash
yubico-authenticator
```
Or use the CLI:
```bash
# List accounts
ykman oath accounts list
# Get code
ykman oath accounts code "Account Name"
```
## FIDO2/WebAuthn
Works out of the box with modern browsers for passkeys and 2FA.
### udev rules
If YubiKey isn't detected, add udev rules:
```bash
sudo pacman -S libu2f-host
```
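Or manually create `/etc/udev/rules.d/70-u2f.rules`. With `MODE="0664"` and `GROUP="users"`, the rule lets every member of `users` read and write the YubiKey's hidraw device and lets all other local accounts read it, so tighten the group or mode on a shared machine: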
```
# YubiKey
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0664", GROUP="users", ATTRS{idVendor}=="1050"
```
Reload:
```bash
sudo udevadm control --reload-rules
sudo udevadm trigger
```
## SSH Authentication
Use YubiKey for SSH keys via FIDO2:
### Generate key
```bash
ssh-keygen -t ed25519-sk -O resident -O verify-required
```
- `-t ed25519-sk` — FIDO2 key type
- `-O resident` — Store on YubiKey (discoverable)
- `-O verify-required` — Require touch + PIN
### Load resident keys
```bash
ssh-add -K # Load all resident keys from YubiKey
```
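`-O verify-required` is recorded with the client's key; `sshd` only rejects signatures made without a PIN when `verify-required` is set for that key in `authorized_keys` (or globally with `PubkeyAuthOptions` in `sshd_config`). The script below is an added example, not part of the original notes: it classifies `authorized_keys` entries by what the server will enforce. The function names are hypothetical and the sample lines are constructed, with placeholder key blobs.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): classify authorized_keys
# entries by key type and by the FIDO2 options sshd will enforce per key.

# Reads authorized_keys lines from the files given as arguments, or stdin.
# Prints "<line-number> <verdict> <key-type>" for each key.
audit_authorized_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
      type = ""; opts = ""
      # Fields before the algorithm name form the options list.
      # Assumption: no option value contains a bare algorithm name as a word.
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^(sk-)?(ssh|ecdsa)-[a-z0-9-]+(@openssh\.com)?$/) { type = $i; break }
        opts = opts $i " "
      }
      if (type == "")                      verdict = "UNPARSED"
      else if (type !~ /^sk-/)             verdict = "SOFTWARE-KEY"       # not hardware-backed
      else if (opts ~ /no-touch-required/) verdict = "FIDO2-NO-TOUCH"     # presence check waived
      else if (opts ~ /verify-required/)   verdict = "FIDO2-PIN-ENFORCED" # server demands PIN
      else                                 verdict = "FIDO2-TOUCH-ONLY"   # PIN not demanded here
      print NR, verdict, type
    }
  ' "$@"
}

# Constructed sample input; the key blobs are placeholders, not real keys.
sample_authorized_keys() {
  cat <<'EOF'
# laptop YubiKey
verify-required sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER1 user@laptop
sk-ssh-ed25519@openssh.com AAAAPLACEHOLDER2 user@desktop
no-touch-required,from="10.0.0.0/8" sk-ecdsa-sha2-nistp256@openssh.com AAAAPLACEHOLDER3 ci

ssh-ed25519 AAAAPLACEHOLDER4 old-software-key
EOF
}

sample_authorized_keys | audit_authorized_keys
```

A `FIDO2-TOUCH-ONLY` verdict reflects the per-key options only; a global `PubkeyAuthOptions verify-required` in `sshd_config` would still enforce the PIN for that key.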
## PIV (Smart Card)
For certificate-based auth:
```bash
# Check PIV status
ykman piv info
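# Generate a key pair in slot 9a (PIV Authentication); the private key stays
# on the YubiKey and the public key is written to public.pem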
ykman piv keys generate 9a public.pem
```
## GPG
Use YubiKey as GPG smart card:
```bash
gpg --card-status
gpg --card-edit
```
## Locking Workstation
Lock screen when YubiKey is removed:
```bash
# Install
paru -S yubikey-touch-detector
# Or use udev rule + hyprlock
```
## Resources
- Arch Wiki: https://wiki.archlinux.org/title/Smartcards
- YubiKey docs: https://docs.yubico.com/