How to sacrifice security using public YubiKey Linux guides


This month I moved to a YubiKey as the authentication token for my personal daily use. One of the convenient applications of this device is login screen authentication. I found some popular guides on how to use a YubiKey with Linux lock-screen tools, and these guides surprised me.

Please find these guides below:

Let’s look at the suggested udev rules there:

# First guide: one script handles add, remove and change events for the device with this VID/PID and serial
ACTION=="remove|add|change", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", ENV{ID_SERIAL_SHORT}=="0001711399", RUN+="/usr/local/bin/yubikey"

# Second guide: lock on removal, unlock on insertion, matched on VID/PID only
# (the original used a single "=" on ID_MODEL_ID in the remove rule, which in udev is an assignment, not a match; corrected to "==")
SUBSYSTEM=="usb", ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/yubikey-screen-lock enable"
SUBSYSTEM=="usb", ACTION=="add", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/yubikey-screen-lock disable"

Technically this means that any device reporting MODEL_ID 0010 and VENDOR_ID 1050 can be used to unlock your screen. In the first case the device must also present the expected serial number (7 digits). The simplest way to set VENDOR_ID and MODEL_ID is custom firmware like this: for this “super expensive” $10 USB stick

So, it’s completely fine to enable the lock screen without YubiKey authentication, but it’s extremely bad to disable the lock screen without it: a USB descriptor is an identifier, not a proof of possession.
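A hardened counterpart to the quoted rules, added here as an example (not code from the post or from the guides it criticises): the udev-triggered script only ever locks, and insertion is logged and ignored, so unlocking stays with the lock screen's own PAM stack where the key must actually answer a challenge. The script path, the rule in the header comment and the `decide_action` helper are assumptions.

```sh
#!/bin/sh
# Added example: /usr/local/bin/yubikey-screen-lock (path assumed).
# Assumed udev rule that calls it for both add and remove of the YubiKey:
#   SUBSYSTEM=="usb", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0010", RUN+="/usr/local/bin/yubikey-screen-lock"

# decide_action ACTION VENDOR MODEL -> prints "lock" or "ignore".
# Kept as a pure function so the policy can be tested without udev.
decide_action() {
    action="$1"; vendor="$2"; model="$3"
    if [ "$action" = "remove" ] && [ "$vendor" = "1050" ] && [ "$model" = "0010" ]; then
        # Removal of anything claiming to be the YubiKey locks the screen:
        # a spoofed VID/PID can at worst lock you out, never let anyone in.
        echo lock
    else
        # "add" and every other event are ignored on purpose: the VID/PID
        # (and serial) udev sees can be cloned onto a $10 stick, so they
        # must not disable the lock screen.
        echo ignore
    fi
}

main() {
    case "$(decide_action "${ACTION:-}" "${ID_VENDOR_ID:-}" "${ID_MODEL_ID:-}")" in
        lock)
            # loginctl lock-sessions asks every logged-in session to lock and
            # works from udev's root context without a DISPLAY variable.
            loginctl lock-sessions
            logger -t yubikey-screen-lock "YubiKey removed, all sessions locked"
            ;;
        ignore)
            logger -t yubikey-screen-lock "udev event '${ACTION:-?}' ignored: no unlock on insert"
            ;;
    esac
}

# Only act when invoked by udev (ACTION and DEVPATH are set); sourcing the
# file for tests leaves decide_action available without touching sessions.
if [ -n "${ACTION:-}" ] && [ -n "${DEVPATH:-}" ]; then
    main
fi
```

Unlocking then goes through the normal lock screen prompt, where a module such as pam_u2f or pam_yubico makes the key prove itself rather than merely announce its identifiers.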

Please keep this in mind if you would like to use a YubiKey and Linux together for personal authentication. Do not forget that the second factor should come second, after the first one ;)

Let me know in the comments if you would like a script that properly authenticates the YubiKey on insertion. Cheers!

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in real time.
