Linux Login with Yubikey NEO

YubiKey NEO

Software Installation

We don’t need YubiKey NEO Manager, since November 2015 YubiKeys are shipped with all modes of operations alreeady already enabled by default.

$ sudo apt install yubikey-personalization-gui \
      yubioath-desktop \


There are two possible ways of Linux system login with Yubikeys via PAM.

  • Online authentication via Yubico company API servers (the default);
  • Offline challenge-response authentication with HMAC-SHA1

Change the PAM configuration for Yubikeys:

$ sudo dpkg-reconfigure libpam-yubico

When asked, change the configuration line to the following:

│ Parameters for Yubico PAM:
│     mode=challenge-response

This way the Linux authentication module, works in off-line mode, without any 3rd-party authentication servers involved.

Next, we can select which PAM modules should be activated. The first option Yubico authentication with YubiKey should not be enabled just yet, as the Yubikey is not ready at this point:

│ PAM profiles to enable:
│    [ ] Yubico authentication with YubiKey
│    [*] Unix authentication
│    [*] Register user sessions in the systemd control group hierarchy
│    [ ] Create home directory on login
│    [*] GNOME Keyring Daemon - Login keyring management
│    [*] Inheritable Capabilities Management

Prepare configuration slot #2 of your Yubikey for challenge repsonse authentication:

Start the Yubikey Personalization Tool. Select Challenge-Response in the top menu of the window. Select the HMAC-SHA1 challenge-response mode.

YubiKey NEO Personalization Tool

Select Configuration Slot 2

YubiKey NEO Personalization Tool

Each Yubikey has a unique token ID. This ID is used to identify the owners of each individual Yubikey as user IDs on the system.

Mapping individual Yubikeys to Linux system user-IDs is done in the file /etc/yubikey_mappings:

<first user name>:<Yubikey token ID1>:<Yubikey token ID2>:….
<second user name>:<Yubikey token ID3>:<Yubikey token ID4>:….