Adding More Protection Using Yubico Key

Last week, I saw an interesting offer from GitHub, which partnered with Yubico to offer a discounted price on Yubico products just by verifying via GitHub. These are the deals:
  • While supplies last, GitHub users can purchase special edition U2F Security Keys for $5 plus shipping and handling (regular price $18; 5,000 special edition keys available).
  • After the special keys are gone, all GitHub users are eligible for a 20% discount on U2F-certified YubiKeys, for a limited time.
  • In addition, all students who are eligible for the Student Developer Pack will receive a 20% discount on any U2F-certified YubiKey.
I have had 2FA (Two Factor Authentication) enabled on my email accounts for some time, but I have also been interested in Yubico products for a long time, so I decided to take this chance to buy one. I was shocked to see that the shipping was way more expensive than the product itself (they use DHL Express), but in the end I bought it anyway. I kind of regret it, because I should have bought more items considering I was paying the same price for shipping and handling. In short, 3 days later the item arrived at my home after a long journey from UK, Germany, Singapore, Jakarta, and finally my hometown, Jogja. I never expected it to be so small, and only a single invoice sheet came along with it.

I plugged the device into my USB port and my Slackware detected it properly. This is the output in dmesg:
usb 2-8: USB disconnect, device number 4
usb 2-8: new full-speed USB device number 5 using ohci-pci
usb 2-8: New USB device found, idVendor=1050, idProduct=0120
usb 2-8: New USB device strings: Mfr=1, Product=2, SerialNumber=0
usb 2-8: Product: Security Key by Yubico
usb 2-8: Manufacturer: Yubico
hid-generic 0003:1050:0120.0005: hiddev0,hidraw3: USB HID v1.10 Device [Yubico Security Key by Yubico] on usb-0000:00:04.0-8/input0
Next, I tried to activate 2FA in GitHub. GitHub provides two methods: Application or SMS. I chose the application, which is Google Authenticator. It's available on Google Play (Android) or the Apple App Store (Apple iOS). After 2FA was activated, I tried to register my new device, but I ended up with an error. I tried to follow all the steps carefully, but I couldn't get it done. I also tried to register it on GMail and it failed there too. After trying for some time, I decided to stop for a while and get some rest (it was past midnight).

This weekend (Saturday), after pushing the public update for the SBo project, I booted into my Windows and tried the same thing: registering the device in GitHub and GMail. It all worked without any problem.


So I searched Google for more references and found some interesting articles about udev rules for this Yubico key. There are two different articles about these rules and I tried to apply them all, but that failed too, until this evening I found a discussion in ArchLinux's Forum. It gave me an idea about the rules, and I finally applied the changes and voila, it's now working properly on my Linux machine.

So the problem is all about permissions. I confirmed it by creating a Slackware package for libu2f-host (submitted to SBo as well) and testing the C-based API library. First, I tried using a normal account and it failed because it couldn't find the device. Next I tried with the root account and it worked fine. I got the results I expected, so I guess it's just a matter of permissions. To solve it, make a new file called 90-yubikey.rules and place it in /etc/udev/rules.d/90-yubikey.rules with this content:
# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

ACTION=="add|change", SUBSYSTEM=="hidraw", \
  ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410", \
  MODE="0660", GROUP="plugdev"
and run udevadm trigger. You need to make sure your device's idProduct is listed in the rules file. See the line containing idVendor=1050, idProduct=0120 in the dmesg output above. That's how you get the idVendor and idProduct values. With this in place, the new device is activated and ready to be used.
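To check whether the rule actually took effect, the following script (an added example, not part of the original post) reads the sysfs `HID_ID` of each hidraw node, tests it against the product list from the rule above, and reports whether the current user can open the node. The function names and the optional directory arguments are assumptions made for this example.

```sh
#!/bin/sh
# Added example: diagnose hidraw permission problems for a Yubico key.

# Product IDs copied from the 90-yubikey.rules file shown above.
RULE_PRODUCTS="0010|0110|0111|0114|0116|0120|0401|0403|0405|0407|0410"

# Turn a sysfs uevent line such as HID_ID=0003:00001050:00000120
# into "vendor:product" (four lowercase hex digits each).
hid_ids() {
    printf '%s\n' "$1" |
        sed -n 's/^HID_ID=[0-9A-Fa-f]*:0000\([0-9A-Fa-f]\{4\}\):0000\([0-9A-Fa-f]\{4\}\)$/\1:\2/p' |
        tr 'A-F' 'a-f'
}

# Return 0 if the vendor:product pair would be matched by the rule.
rule_matches() {
    vendor=${1%%:*}
    product=${1##*:}
    [ "$vendor" = "1050" ] || return 1
    case "|$RULE_PRODUCTS|" in
        *"|$product|"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Walk the hidraw nodes and print one status line per Yubico device.
# $1 and $2 override the sysfs and /dev directories (used for testing).
check_nodes() {
    sysroot=${1:-/sys/class/hidraw}
    devroot=${2:-/dev}
    for dir in "$sysroot"/hidraw*; do
        [ -r "$dir/device/uevent" ] || continue
        ids=$(hid_ids "$(grep '^HID_ID=' "$dir/device/uevent")")
        [ "${ids%%:*}" = "1050" ] || continue
        node="$devroot/${dir##*/}"
        if rule_matches "$ids"; then covered=yes; else covered=no; fi
        if [ -r "$node" ] && [ -w "$node" ]; then access=ok; else access=denied; fi
        echo "$node ids=$ids rule=$covered access=$access"
    done
}

check_nodes
```

A line with rule=no means the product ID has to be added to the rules file; rule=yes with access=denied points to the current user not being a member of the plugdev group, or to the rule not having been re-triggered yet.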

Here are some screenshots when trying to login to GMail and GitHub after the new setting is used:




They provide fallback alternatives in case you forget to bring your device. Please make sure you have the backup recovery codes ready in case all alternatives fail.

I wish Yubico would add Firefox to the supported browsers soon, as it's my default browser.

There's one minor issue left, which is using the Yubico key with an iPad. According to this article and this entry in the FAQ, I can use the Yubico key with my iPad 3; however, the device doesn't blink when I point my browser to the demo site. Anyway, that's fine for now.
