From 96fa0b1a9eba830feebd746cf8e078c4febdb86c Mon Sep 17 00:00:00 2001 From: puneetse <22071208+puneetse@users.noreply.github.com> Date: Wed, 20 Mar 2019 17:43:26 +0000 Subject: [PATCH] Add document on using YubiKey with U2F (#416) * Add document on using YubiKey with U2F * Add yubikey doc to tutorials TOC --- source/clear-linux/tutorials/tutorials.rst | 1 + source/clear-linux/tutorials/yubikey-u2f.rst | 126 +++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 source/clear-linux/tutorials/yubikey-u2f.rst diff --git a/source/clear-linux/tutorials/tutorials.rst b/source/clear-linux/tutorials/tutorials.rst index 39393902..1e516588 100644 --- a/source/clear-linux/tutorials/tutorials.rst +++ b/source/clear-linux/tutorials/tutorials.rst @@ -32,4 +32,5 @@ Explore our tutorials to discover what you can do with |CL|! kubernetes/kubernetes* greengrass dlrs + yubikey-u2f nvidia diff --git a/source/clear-linux/tutorials/yubikey-u2f.rst b/source/clear-linux/tutorials/yubikey-u2f.rst new file mode 100644 index 00000000..e75884e2 --- /dev/null +++ b/source/clear-linux/tutorials/yubikey-u2f.rst 
@@ -0,0 +1,126 @@ +.. _yubikey-u2f: + +Enable YubiKey U2F Support +########################## + +YubiKey\* is a USB security token manufactured by `Yubico`_. Depending on the +model, a YubiKey can support different authentication protocols including: +One-Time Password (OTP), Smart card, FIDO2, and Universal 2nd Factor (U2F). + +These instructions will go over configuring a YubiKey for U2F authentication +through a web browser on a |CL-ATTR| system. + +A list of `websites +accepting U2F authentication with the YubiKey`_ is available on the Yubico +website. See the Yubico website to learn more about the Yubikey: +https://www.yubico.com/getstarted/meet-the-yubikey/ + + + +.. contents:: :local: + :depth: 1 + + + +Prerequisites +************* + +This tutorial assumes you have: + +#. |CL| installed and running. + +#. Mozilla Firefox installed on |CL|. + +#. A YubiKey. + + + +Enable Linux udev rules for YubiKey +*********************************** + +:command:`udev` is the Linux device manager which handles events when USB +devices are added and removed. Custom rules needs to be created to properly +identify the YubiKey and provide applications access. + +These instructions are derived from: `Yubico support article Using Your U2F +YubiKey with Linux +`_ + + +#. Create the udev rules folder under :file:`/etc` + + .. code:: bash + + sudo mkdir -p /etc/udev/rules.d/ + + +#. Download the u2f rules from the Yubico GitHub: + + .. code:: bash + + curl -O https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules + + +#. Move the downloaded :file:`70-u2f.rules` file into the :file:`/etc/udev` + folder + + .. code:: bash + + sudo mv 70-u2f.rules /etc/udev/rules.d/ + + +#. The udev rules should automatically be reloaded. However, they can be + manually reloaded or reboot the system: + + .. code:: bash + + sudo udevadm control --reload-rules && udevadm trigger + + +#. Plugin and validate the YubiKey appears as a USB device: + + .. 
code:: bash + + lsusb + + + +Enable U2F in Mozilla Firefox +***************************** + +Firefox comes with U2F web authentication support disabled by default. U2F +needs to be enabled in the advanced settings. + +These instructions are derived from: `Yubico support article Enabling U2F +support in Mozilla Firefox +`_ + + +#. Launch Mozilla Firefox + +#. In the URL bar, type :command:`about:config` to access the advanced + settings. + + .. code:: bash + + about:config + +#. Click the *I accept the risk!* button to continue to the advanced settings + +#. Search for the :command:`security.webauth.u2f` and double-click it + so *Value* becomes **true**. + + +Your YubiKey is now usable on |CL| with Mozilla Firefox with websites that +support U2F authentication. + + +Related topics +************** + +- |CL| :ref:`security` + + +.. _`Yubico`: https://www.yubico.com/ + +.. _`websites accepting U2F authentication with the YubiKey`: https://www.yubico.com/works-with-yubikey/catalog/#protocol=universal-2nd-factor-(u2f)&usecase=all&key=all
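Review bot: In step 2 of the udev section in yubikey-u2f.rst, the rules file is fetched from the moving master branch (`curl -O https://raw.githubusercontent.com/Yubico/libu2f-host/master/70-u2f.rules`) and then installed with sudo under /etc/udev/rules.d/ without being pinned or inspected. I'd pin the URL to a release tag or commit and add a step telling the reader to review the downloaded file before moving it into place. In the reload step, `sudo udevadm control --reload-rules && udevadm trigger` only elevates the first command; the second half should be `sudo udevadm trigger`. Smaller points: the text of step 3 says the file goes into /etc/udev while the command uses /etc/udev/rules.d/; `about:config` sits in a `.. code:: bash` block although it is not a shell command; "Custom rules needs" should be "Custom rules need" and "Plugin" should be "Plug in".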