Linux Remote Desktop Authentication - Is ThinLinc compatible with Yubikey?

ThinLinc is a Linux Remote Desktop Server that supports different authentication methods such as Smart cards, Kerberos, Passwords, Public keys, and One Time Password (OTP).

Some ThinLinc users and customers asked if ThinLinc is compatible with Yubikey. Yubikey is a popular device used for two-factor authentication.

If you have experience with Yubikey, feel free to help. ; )

Hello @muitotri

While Yubikey has a few different methods for authentication (FIDO, OTP, Smartcard, etc., depending on which kind of Yubikey you have), the one I’ve tried is smartcard authentication.
It was fairly straightforward, using Authentication in ThinLinc with PKCS #15 smart cards as a guide.

After installing opensc and using pkcs15-tool to read the public key of the Yubikey, I just had to place the key in authorized_keys, as the guide above states.

Would be interesting to hear if anyone else tried something different?

/Martin

I have tried to access FIDO2/WebAuthn in Yubico Authenticator version 7, but this is giving an error.

Specifically, I’m using ThinLinc to access a remote Linux machine (tried Debian and Arch).

I’m choosing to redirect the Smart Card Readers to send my local Yubikey to the remote machine.

FIDO2/WebAuthn works if I am logged into the Linux machine directly, but when connecting in ThinLinc this doesn’t work. ThinLinc does indeed work with the Yubico Authenticator Accounts section.

See included image

Any idea how to get FIDO2/WebAuthn to work?

Hi @moonwalk0657, welcome to the forum.

Unfortunately ThinLinc doesn’t currently support forwarding of FIDO-based tokens. This feature is being tracked as bug 8251.

It would be interesting to hear more about your specific requirements, as input for this feature.

Hi Aaron
Thanks for your answer,
Well I’m actually only starting to test Yubikeys and I’m just planning to be using FIDO in a remote session for my personal keys. I use virtual machines at home where I’d be remoting into. I now discovered that connecting locally to a VM over qemu works, and includes the FIDO redirect. So for now I’ll use KVM/qemu as the solution. But if it becomes available in ThinLinc then that could be interesting.

Best regards
m