George1pw
November 18, 2022
Question

Can biometric be replaced by a Yubikey as 2F?


Hello,

Can anyone confirm it is possible to use a Yubikey instead of a biometric as a second factor with the SSH-Agent?
My T480 still has a lot of mileage in it, but unfortunately the fingerprint sensor is not supported in any Linux distro. I followed the instructions on https://developer.1password.com/docs/ssh/ but nothing seems to happen.

I use a key as 2FA when logging in or using sudo. common_auth contains the line

auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue

Thanks,

George


1Password Version: 8.9.8
Extension Version: Not Provided
OS Version: Ubuntu 22.04
Browser: Not Provided

3 replies

George1pw
Author
November 18, 2022

Short answer: yes, it can.
A magical reboot solved everything.

November 23, 2022

The incessant prompting due to "new process always require approval" for those that don't have a stable terminal jump pad (tmux et al.) is driving me insane.

Can you advise which YubiKey you purchased? And once inserted, there is nothing else I need to do - the prompt resolves automatically without intervention?

Jack_P_1P
1Password Employee
November 29, 2022

Hey @sitepodmatt:

The 1Password SSH agent uses system authentication. On Linux, that would require adding an additional PAM module for the authentication method you're looking for. It's important to keep in mind that even with a different PAM module, you'll still need to take action to confirm the request.

Jack
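
An added example, not from the thread or from 1Password: a small reviewer for `pam_u2f.so` rules such as the one quoted in the question, reporting what the control flag and options mean for how the key is enforced. The function names and the sample excerpt are constructed for illustration, and it assumes the rule lives in a standard PAM service file; which service the 1Password agent consults is not stated on the page.

```python
import re

# PAM rule: [-]type  control  module  [arguments]; control may be bracketed.
PAM_RULE = re.compile(
    r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)

def find_pam_u2f(text):
    """Return one dict per 'auth' rule that loads pam_u2f.so."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = PAM_RULE.match(line)
        if not m or m["type"] != "auth" or not m["module"].endswith("pam_u2f.so"):
            continue  # blank lines, @include directives and other modules
        opts = {}
        for arg in m["args"].split():
            key, _, value = arg.partition("=")
            opts[key] = value or True  # bare flags become True
        rules.append({"line": lineno, "control": m["control"], "options": opts})
    return rules

def review(rule):
    """Turn one parsed rule into notes for whoever maintains the stack."""
    opts, notes = rule["options"], []
    if rule["control"] in ("required", "requisite"):
        notes.append("key is mandatory in addition to the other auth modules")
    elif rule["control"] == "sufficient":
        notes.append("sufficient: a successful touch ends the stack early")
    if "nouserok" in opts:
        notes.append("nouserok: users with no enrolled key pass this module")
    if "authfile" not in opts:
        notes.append("no authfile: mappings are read from each user's home directory")
    if "cue" not in opts:
        notes.append("no cue: no touch reminder is shown while the module waits")
    if "alwaysok" in opts or "debug" in opts:
        notes.append("alwaysok/debug set: remove outside of testing")
    return notes

# Constructed sample: the rule quoted in the thread plus an unrelated line.
SAMPLE = """\
# /etc/pam.d/common-auth (constructed excerpt)
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue
"""

if __name__ == "__main__":
    for rule in find_pam_u2f(SAMPLE):
        print(rule["line"], rule["control"], review(rule))
```
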