Security on Learning Journey of Alexander Allgäuer

YubiKey: SSH with FIDO2

Wed, 15 Apr 2026 00:00:00 +0000

The YubiKey supports four methods to enable hardware-backed SSH authentication.

FIDO2
PIV
PGP
OTP

FIDO2 provides the highest security and comes with low complexity. The private key is non-exportable.

Limitations

OpenSSH v 8.2.p1 is a requirement better 8.3 for the verify-required option, shouldn’t be an issue since both versions were released in 2020.
Windows SSH at the time of writing not supported.
The Mac OS bundled openssh version doesn’t support it but this can be fixed.

Full Disk Encryption (FDE).md

Tue, 14 Apr 2026 00:00:00 +0000

Insightful articles about TPM

https://gist.github.com/osy/45e612345376a65c56d0678834535166?permalink_comment_id=4685731\

From the founder of Systemd https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html\

Microsoft recommendations https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures

Secureboot Arch Linux

Tue, 14 Apr 2026 00:00:00 +0000

Configuration Guide for Secure Boot ArchLinux.

Update Bios

fwupdmgr refresh
fwupdmgr refresh
fwupdmgr get-updates
fwupdmgr update

sbctl status
***
*Setup Mode: X Disabled
*Secure Boot: X Disabled
***

In BIOS delete your PlatformKeys to get into setupMode.

sbctl status
***
*Setup Mode: ✓ Enabled
*Secure Boot: X Disabled
***

@slexi  sudo sbctl create-keys Created Owner UUID 636e0dc7-096e-4e10-8f7f-831dfa8b5b97 ✓ Secure boot keys created!

@slexi  sudo sbctl enroll-keys ‼ File is immutable: /sys/firmware/efi/efivars/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c ‼ File is immutable: /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f You need to chattr -i files in efivarfs

YubiKey: Autolockscreen via udev (Hyprland)

Tue, 14 Apr 2026 00:00:00 +0000

Automatically lock your Hyprland session the moment you pull your YubiKey out of the USB port. A udev rule triggers a screen lock script.

Read hyprlock doc first!

⚠️ : If you are using hyprland the default application to lock the screen is Hyprlock. Hyprlock does not automatically create a config, and without one, hyprlock will not render anything. But even without a config, your session will get locked and thus Hyprland will cover your session with a black screen.
https://wiki.hypr.land/Hypr-Ecosystem/hyprlock/

YubiKey: Passwordless Sudo

Tue, 14 Apr 2026 00:00:00 +0000

Use a YubiKey touch to replace your password for sudo .

Install pam-u2f

sudo pacman -S pam-u2f
mkdir -p ~/.config/Yubico

Register the keys

pamu2fcfg > ~/.config/Yubico/u2f_keys # primary key
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys # append backup key

Edit PAM

⚠️ Warning: Keep a root session open in another terminal in case something goes wrong.

sudo nano /etc/pam.d/sudo

Add at the top:

auth sufficient pam_u2f.so cue

sufficient → the YubiKey alone is enough to authenticate.
Change to required if you want 2FA (YubiKey and password).
cue prints a hint when a touch is needed.

Test it

sudo -s
Please touch the FIDO authenticator.

KeePassXC

Mon, 13 Apr 2026 00:00:00 +0000

KeePassXC is essentially KeePass with a modern UI, rebuilt from scratch to run natively on Windows, macOS, and Linux. Instead of relying on plugins like KeePass does, it ships with the most important features already built in, including:

YubiKey support (see Yubikey HMAC-SHA1 Challenge-Response)
Browser integration (Chrome, Firefox, Edge, and more)
TOTP/2FA code generation
SSH agent support
Have I Been Pwned breach checking
Passkey support

YubiKey: HMAC-SHA1 Challenge-Response

Mon, 13 Apr 2026 00:00:00 +0000

Configure HMAC-SHA1 Challenge-Response on a YubiKey’s second OTP slot.

Check slot status

Use ykman otp info to make sure your second slot isn’t already used. Slot 1 is typically reserved for Yubico OTP.

ykman otp info
# Slot 1: programmed
# Slot 2: empty

Configure OTP slot 2

Generate a shared secret and program both YubiKeys (primary + backup) with the same secret so either can open the database.

SECRET=$(openssl rand -hex 20)
ykman otp chalresp --touch 2 $SECRET # Key 1
ykman otp chalresp --touch 2 $SECRET # Key 2
unset SECRET

The --touch flag is optional, but when you think about it, it absolutely makes sense — you want physical presence confirmation before the key responds.

YubiKey: Introduction

Mon, 13 Apr 2026 00:00:00 +0000

YubiKey is a hardware security key manufactured by Yubico.

YubiKeys support a wide range of authentication standards, including:

FIDO2 / WebAuthn
FIDO U2F
Smart card (PIV)
OpenPGP
OATH-TOTP / HOTP
Yubico OTP

Rule #1: Always buy two

When ordering a YubiKey, always put two of them in the shopping cart. Saving a few bucks on a backup key can leave you with a single point of catastrophic failure. They come with a hole that lets you attach one to your keychain while the other stays in another safe, trusted location.

YubiKey: Management Tool

Mon, 13 Apr 2026 00:00:00 +0000

Yubikey Management Tools Installation

We need yubikey-manager Smart Card Daemon middlware.

sudo pacman -S yubikey-manager pcsclite ccid
sudo systemctl enable --now pcscd.service
sudo systemctl enable --now pcscd.socket

Verify if the key is detected:

ykman info

 @slexi  ykman info 
Device type: YubiKey 5C NFC
Serial number: 25997589
Firmware version: 5.4.3
Form factor: Keychain (USB-C)
Enabled USB interfaces: OTP, FIDO, CCID
NFC transport is enabled

Applications USB NFC 
Yubico OTP Enabled Enabled
FIDO U2F Enabled Enabled
FIDO2 Enabled Enabled
OATH Enabled Enabled
PIV Enabled Enabled
OpenPGP Enabled Enabled
YubiHSM Auth Enabled Enabled

Security on Learning Journey of Alexander Allgäuer

YubiKey: SSH with FIDO2

Limitations

Full Disk Encryption (FDE).md

Insightful articles about TPM

Secureboot Arch Linux

Update Bios

YubiKey: Autolockscreen via udev (Hyprland)

Read hyprlock doc first!

YubiKey: Passwordless Sudo

Install pam-u2f

Register the keys

Edit PAM

Test it

KeePassXC

Links

YubiKey: HMAC-SHA1 Challenge-Response

Check slot status

Configure OTP slot 2

YubiKey: Introduction

Rule #1: Always buy two

YubiKey: Management Tool

Yubikey Management Tools Installation