The U2F libraries are now deprecated and no longer maintained. We highly recommend transitioning to the FIDO2 libraries for enhanced security and compatibility.
This walk-through describes how to integrate the Yubico Universal Second Factor (U2F) protocol with your application or framework.
There are three methods for integrating Yubico authentication using the U2F protocol. For the purposes of this walk-through we describe the Plugin method.
Store and access U2F artifacts yourself.
On your product or company server, configure Yubico U2F with a plugin. See Plugins.
Select from the listed GitHub options and follow the steps for the plugin you choose.
The PAM plugin requires Yubico U2F libu2f-host-dev and libu2f-server-dev libraries.
Debian
apt-get install autoconf automake libtool pkg-config libu2f-host-dev libu2f-server-dev --no-install-recommends
From a tarball
./configure
make
Build from Git
Check out sources:
git clone https://github.com/Yubico/pam-u2f.git
Create directory, for example: pam-u2f
cd pam-u2f
Install libraries
Debian
apt-get install autoconf automake libtool libpam-dev libu2f-host-dev libu2f-server-dev asciidoc xsltproc libxml2-utils docbook-xml --no-install-recommends
Generate build system
autoreconf --install
Copy the file pam_u2f to the /lib/…/security directory.
./configure --with-pam-dir=
Create a file for the new service
auth sufficient pam_u2f.so debug
Choose between mappings individually managed by each user and centrally managed mappings.
Individually managed by user
Each user performs these steps in their home directory.
Create directory and file
.config/Yubico/u2f_keys
Add content to file
<username>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
Centrally managed users
Create mapping file, for example: /etc/u2f_mappings
<username1>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
<username2>:<KeyHandle1>,<UserKey1>:<KeyHandle2>,<UserKey2>:...
Add file to PAM configuration line
auth sufficient pam_u2f.so authfile=/etc/u2f_mappings
pamu2fcfg -uusername -opam://myorigin -ipam://myappid
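An added example, not part of the original walk-through or of pam-u2f: a Python audit of a mapping file in the two-field format shown above. It flags malformed credentials, duplicate user lines, a key handle listed under more than one user, and a file that group or other users can write. The sample entries are constructed and the function names are hypothetical.

```python
import os
import stat

# Constructed sample in the page's <username>:<KeyHandle>,<UserKey>:... layout.
SAMPLE = """alice:KH_A1,04aa:KH_A2,04bb
bob:KH_A1,04cc
carol:KH_C1
alice:KH_A3,04dd
"""

def parse_mappings(text):
    """Return ({username: [(key_handle, user_key), ...]}, [problems])."""
    users, problems, seen_handles = {}, [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        username, _, rest = line.partition(":")
        if not username or not rest:
            problems.append(f"line {lineno}: expected <username>:<KeyHandle>,<UserKey>")
            continue
        if username in users:
            # Two lines for one user are ambiguous; keep the first and report it.
            problems.append(f"line {lineno}: duplicate entry for user {username!r}")
            continue
        creds = []
        for field in rest.split(":"):
            parts = field.split(",")
            if len(parts) != 2 or not all(parts):
                problems.append(f"line {lineno}: malformed credential for {username!r}")
                continue
            handle, key = parts
            # One token registered under two accounts can authenticate as both.
            owner = seen_handles.setdefault(handle, username)
            if owner != username:
                problems.append(f"line {lineno}: key handle of {owner!r} reused by {username!r}")
            creds.append((handle, key))
        users[username] = creds
    return users, problems

def check_permissions(path):
    """Flag a mapping file that group or other users can modify."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return [f"{path}: writable by group/other (mode {stat.S_IMODE(mode):o})"]
    return []

if __name__ == "__main__":
    print("\n".join(parse_mappings(SAMPLE)[1]))
```

Anyone who can write the mapping file can add their own key handle to another user's line, so run the permission check against both /etc/u2f_mappings and the per-user files.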
View and download the relevant plug-in components.
PAM – Yubico-provided pam-u2f
GitHub – Variety of third-party plugins
View and download the relevant Yubico library components.
C – libu2f-server
Java – java-u2flib-server
PHP – php-u2flib-server
Python – python-u2flib-server
Python – u2fval-client-python
PHP – u2fval-client-php
Python – python-u2flib-host
C – libu2f-host
All Yubico device attestation certificates are signed by the Yubico root CA.
Yubico devices provide additional device information in the mapping attestation certificate. This is used by several of the U2F server libraries. See Attestation and metadata.
Specify the Facet ID, that is, the platform-specific identifier (URI) for your application. A facet is how an application is implemented on a platform, such as an Android app or a web app.
Single-facet app
Example
https://example.com
Multi-facet app
Include all facets in an HTTPS resolvable file.
Example
https://example.com/app-id.json
Sample JSON file
{
  "trustedFacets": [{
    "version": { "major": 1, "minor": 0 },
    "ids": [
      "https://login.example.com",
      "https://secure.example.com",
      "android:apk-key-hash:585215fd5153209a7e246f53286035838a0be227"
    ]
  }]
}
Submit your module to YubiKey OTP Validation Server, https://developers.yubico.com/yubikey-val.