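#!/bin/bash
set -euo pipefail

# ==============================================================================
# Yubico Tools Installation Script
# ==============================================================================
# Installs the Yubico suite for YubiKey management and authentication
#
# Tools Installed:
#   - YubiKey Manager (GUI) - Configure YubiKey settings, PINs, FIDO2, etc.
#   - Yubico Authenticator  - TOTP/HOTP authenticator using YubiKey
#   - yubico-piv-tool       - PIV (smart card) functionality
#
# Threat Model:
#   - Phishing-resistant 2FA with hardware tokens
#   - Password-less authentication via FIDO2/WebAuthn
#   - Hardware-backed TOTP codes (can't be stolen from phone)
#   - PIV/Smart card authentication for SSH, code signing
#
# Supply-chain note:
#   The three artifacts are fetched from unpinned "latest" URLs, so the bytes
#   installed can change between runs. TLS authenticates the server only; it
#   does not show that a release is the one you reviewed. These tools handle
#   PINs and credential management, so set the optional checksum variables
#   below, or verify the vendor's published release signature out of band,
#   before trusting the installed binaries.
#
# Optional environment:
#   YUBIKEY_MANAGER_SHA256      - expected SHA-256 of the Manager AppImage
#   YUBICO_AUTHENTICATOR_SHA256 - expected SHA-256 of the Authenticator tarball
#   YUBICO_PIV_TOOL_SHA256      - expected SHA-256 of the piv-tool tarball
#
# Source: https://developers.yubico.com/
# ==============================================================================

# Colors
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly RED='\033[0;31m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Logging helpers. Diagnostics (warn/error) go to stderr so they survive
# stdout redirection; error() terminates the script.
log() { echo -e "${GREEN}[INFO]${NC} $*"; }
warn() { echo -e "${YELLOW}[WARN]${NC} $*" >&2; }
error() {
  echo -e "${RED}[ERROR]${NC} $*" >&2
  exit 1
}
header() { echo -e "${BLUE}=== $* ===${NC}"; }

#######################################
# Download a file over HTTPS and optionally check its SHA-256.
# Arguments: $1 - URL
#            $2 - destination path
#            $3 - expected SHA-256 hex digest (optional; empty = no check)
# Outputs:   progress and status messages
# Returns:   0 on success; exits via error() on download failure or mismatch
#######################################
fetch() {
  local url=$1 dest=$2 expected_sha256=${3:-}
  local actual_sha256

  log "Downloading from: $url"
  # --fail: an HTTP error page must not be saved as the artifact.
  # --proto '=https': refuse any non-HTTPS URL, including on redirects.
  curl --fail --location --proto '=https' --tlsv1.2 \
    --output "$dest" "$url" || error "Download failed: $url"

  if [[ -n "$expected_sha256" ]]; then
    actual_sha256=$(sha256sum -- "$dest" | awk '{print $1}')
    if [[ "${actual_sha256,,}" != "${expected_sha256,,}" ]]; then
      # Do not leave an unverified artifact behind for a later run to pick up.
      rm -f -- "$dest"
      error "SHA-256 mismatch for $dest (expected $expected_sha256, got $actual_sha256)"
    fi
    log "SHA-256 verified for $dest"
  else
    warn "No checksum supplied for $dest; integrity was NOT verified."
    warn "Verify it against the vendor's published release signature before use."
  fi
}

#######################################
# Extract a tarball in the current directory and rename its top-level
# directory to a fixed name, replacing any previous install of that name.
# Globals:   INSTALL_DIR (read)
# Arguments: $1 - archive path (deleted after extraction)
#            $2 - glob matching the extracted top-level directory
#            $3 - target directory name under INSTALL_DIR
# Returns:   0 on success, 1 if no matching directory was extracted
#######################################
unpack_as() {
  local archive=$1 pattern=$2 target=$3
  local extracted

  # Explicit checks: set -e is suppressed when this runs inside an `if`.
  tar -xzf "$archive" || error "Failed to extract $archive"
  rm -- "$archive"

  # -print -quit stops at the first match without a pipeline, so pipefail
  # cannot turn an early-closed pipe into a spurious failure.
  extracted=$(find . -maxdepth 1 -type d -name "$pattern" -print -quit)
  [[ -n "$extracted" ]] || return 1

  # On a re-run the target already exists and `mv` would nest the new tree
  # inside the old one, leaving the old version in place. Replace it instead.
  rm -rf -- "${INSTALL_DIR:?}/${target:?}"
  mv -- "$extracted" "$target" || error "Failed to move $extracted to $target"
}

INSTALL_DIR="${HOME}/opt/yubico"
# Not referenced elsewhere in this script; kept in case it is sourced or extended.
# shellcheck disable=SC2034
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

header "Yubico Tools Installation"
echo ""
echo "This script will install:"
echo " 1. YubiKey Manager Qt (AppImage)"
echo " 2. Yubico Authenticator (for TOTP/HOTP)"
echo " 3. yubico-piv-tool (PIV/Smart Card support)"
echo ""
echo "Install location: $INSTALL_DIR"
echo ""
read -r -p "Continue? [Y/n]: " confirm
if [[ "${confirm:-Y}" =~ ^[Nn] ]]; then
  exit 0
fi

# ==============================================================================
# Install Dependencies
# ==============================================================================

header "Installing Dependencies"

log "Installing system packages for smart card and YubiKey support..."
sudo apt update
sudo apt install -y \
  pcscd \
  libpcsclite1 \
  libpcsclite-dev \
  swig \
  libccid \
  libfuse2 \
  libu2f-udev \
  yubikey-personalization \
  python3-pip \
  python3-venv \
  qtwayland5 \
  libqt5waylandclient5

# Start pcscd service
log "Enabling pcscd service..."
sudo systemctl enable pcscd
sudo systemctl start pcscd

# ==============================================================================
# Create Install Directory
# ==============================================================================

mkdir -p "$INSTALL_DIR"
cd "$INSTALL_DIR" || error "Cannot cd to $INSTALL_DIR"

# ==============================================================================
# Install YubiKey Manager Qt (AppImage)
# ==============================================================================

header "Installing YubiKey Manager Qt"

MANAGER_URL="https://developers.yubico.com/yubikey-manager-qt/Releases/yubikey-manager-qt-latest-linux.AppImage"

# The executable bit is set only after fetch() has verified (or warned about)
# the download.
fetch "$MANAGER_URL" yubikey-manager.AppImage "${YUBIKEY_MANAGER_SHA256:-}"
chmod +x yubikey-manager.AppImage

# Create desktop entry
log "Creating desktop entry..."
mkdir -p ~/.local/share/applications

cat > ~/.local/share/applications/yubikey-manager.desktop << EOF
[Desktop Entry]
Name=YubiKey Manager
Comment=Configure your YubiKey
Exec=env QT_QPA_PLATFORM=xcb ${INSTALL_DIR}/yubikey-manager.AppImage
Icon=yubikey-manager
Type=Application
Categories=Utility;Security;
Terminal=false
EOF

log "✅ YubiKey Manager installed"

# ==============================================================================
# Install Yubico Authenticator
# ==============================================================================

header "Installing Yubico Authenticator"

AUTH_URL="https://developers.yubico.com/yubioath-flutter/Releases/yubico-authenticator-latest-linux.tar.gz"

fetch "$AUTH_URL" yubico-authenticator.tar.gz "${YUBICO_AUTHENTICATOR_SHA256:-}"

# Extracted directory name varies with the version.
if unpack_as yubico-authenticator.tar.gz "yubico-authenticator*" authenticator; then
  # Create desktop entry
  cat > ~/.local/share/applications/yubico-authenticator.desktop << EOF
[Desktop Entry]
Name=Yubico Authenticator
Comment=TOTP/HOTP authenticator for YubiKey
Exec=${INSTALL_DIR}/authenticator/authenticator
Icon=yubico-authenticator
Type=Application
Categories=Utility;Security;
Terminal=false
EOF

  log "✅ Yubico Authenticator installed"
else
  warn "Could not find authenticator directory after extraction"
fi

# ==============================================================================
# Install yubico-piv-tool
# ==============================================================================

header "Installing yubico-piv-tool"

PIV_URL="https://developers.yubico.com/yubico-piv-tool/Releases/yubico-piv-tool-latest.tar.gz"

fetch "$PIV_URL" yubico-piv-tool.tar.gz "${YUBICO_PIV_TOOL_SHA256:-}"

if unpack_as yubico-piv-tool.tar.gz "yubico-piv-tool*" piv-tool; then
  # NOTE(review): the message below assumes the archive ships prebuilt
  # binaries under bin/. Confirm this; if the tarball is a source release it
  # must be built before the path is usable.
  log "piv-tool binaries at: ${INSTALL_DIR}/piv-tool/bin/"
  log "✅ yubico-piv-tool installed"
else
  warn "Could not find piv-tool directory after extraction"
fi

# ==============================================================================
# Create launch scripts
# ==============================================================================

header "Creating Launch Scripts"

mkdir -p ~/bin

# YubiKey Manager launcher (use xcb backend for Wayland compatibility).
# The install path is quoted in the generated script so a home directory
# containing spaces does not split the exec target.
cat > ~/bin/yubikey-manager << EOF
#!/bin/bash
# Use xcb (X11) backend - more reliable than Wayland for this AppImage
export QT_QPA_PLATFORM=xcb
exec "${INSTALL_DIR}/yubikey-manager.AppImage" "\$@"
EOF
chmod +x ~/bin/yubikey-manager

# Yubico Authenticator launcher
cat > ~/bin/yubico-auth << EOF
#!/bin/bash
exec "${INSTALL_DIR}/authenticator/authenticator" "\$@"
EOF
chmod +x ~/bin/yubico-auth

log "✅ Launch scripts created in ~/bin/"

# The usage text at the end assumes the launchers resolve by name.
case ":${PATH}:" in
  *":${HOME}/bin:"*) ;;
  *) warn "${HOME}/bin is not on PATH; add it or run the launchers by full path." ;;
esac

# ==============================================================================
# Verify Installation
# ==============================================================================

header "Verifying Installation"

echo ""
echo "Installed components:"

if [[ -f "$INSTALL_DIR/yubikey-manager.AppImage" ]]; then
  echo " ✅ YubiKey Manager AppImage"
else
  echo " ❌ YubiKey Manager"
fi

if [[ -d "$INSTALL_DIR/authenticator" ]]; then
  echo " ✅ Yubico Authenticator"
else
  echo " ❌ Yubico Authenticator"
fi

if [[ -d "$INSTALL_DIR/piv-tool" ]]; then
  echo " ✅ yubico-piv-tool"
else
  echo " ❌ yubico-piv-tool"
fi

if systemctl is-active --quiet pcscd; then
  echo " ✅ pcscd service running"
else
  echo " ⚠️ pcscd service not running"
fi

# Check for YubiKey
echo ""
log "Checking for connected YubiKey..."
# Capture lsusb once instead of piping into `grep -q`: with pipefail, grep
# exiting at the first match can make the pipeline report failure and produce
# a false "not detected". A missing lsusb is treated as "nothing detected".
usb_devices=$(lsusb 2>/dev/null || true)
yubikey_lines=$(grep -i "yubico\|yubikey" <<<"$usb_devices" || true)
if [[ -n "$yubikey_lines" ]]; then
  echo " ✅ YubiKey detected!"
  printf '%s\n' "$yubikey_lines"
else
  warn "No YubiKey detected. Plug one in to use the tools."
fi

# ==============================================================================
# Usage Instructions
# ==============================================================================

echo ""
header "Installation Complete"
echo ""
echo "Usage:"
echo " yubikey-manager - Launch YubiKey Manager GUI"
echo " yubico-auth - Launch Yubico Authenticator"
echo ""
echo "YubiKey Manager can:"
echo " - Reset and configure YubiKey"
echo " - Manage FIDO2 PIN"
echo " - Configure OTP slots"
echo " - Manage PIV certificates"
echo ""
echo "Yubico Authenticator:"
echo " - Store TOTP/HOTP codes on YubiKey"
# Wording corrected: keeping the OATH secret in hardware prevents it from being
# copied off the device, but a TOTP/HOTP code typed into a look-alike site can
# still be relayed. The phishing-resistant mechanism is FIDO2/WebAuthn.
echo " - Secrets stored in hardware (not extractable; codes can still be phished)"
echo " - Scan QR codes to add accounts"
echo ""
echo "PIV Tool (command line):"
echo " ${INSTALL_DIR}/piv-tool/bin/yubico-piv-tool --help"
echo ""
echo "📖 Documentation: https://developers.yubico.com/"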