Yubikey for Turris Omnia LuCI/Foris login 2-Factor Authentication


I would like to somehow use a Yubikey to authenticate my LuCI logins (2-factor authentication). I have followed this setup guide to require an inserted Yubikey for my Ubuntu logins.


Could anyone help replicate the same setup but for LuCI login? I see that the libpam package is installed in LuCI, so maybe it is possible?

Just out of curiosity - why would one need to have token based second factor authentication for web access?
In case of hardening remote (WAN) access I’d rather only allow devices that are connected through VPN (OpenVPN or wireguard) to the LAN-side.
And in case of local access (e.g. business or private network) I’d rather create an isolated network (e.g. separate SSID, maybe separate VLAN) only I myself have access to.
That way you already have a hardened second factor you authenticate with (‘logical’ access to TO).
Don’t get me wrong, I myself am using yubikey to protect my keepass password safe (in combination with a short time window for its unlocked status), but I don’t see how another time touching it increases my security. In my eyes that only increases complexity…

Hey ssdnvv, thanks for the reply.

To answer your question, I don’t know why one would want to have to use the yubikey in order to be granted web access. That to me does sound like an additional layer of complexity that may not actually improve security.

However, what I would like to do is require the yubikey for my Turris Omnia router’s GUI access. Either for Foris or LuCI, or both.

I’ve seen others on the web who have managed to get yubikey working for OpenVPN access second factor authentication, but that is not what I’m looking for here.

Something else that I would like, but I’m not sure if it is possible, would be to use a hardware token like the yubikey to turn on/off functionalities of the router. For example, when the yubikey is plugged into the router, the router is fully functional (wifi is on, LAN/WAN functioning, etc.). But when the yubikey is not present, only the basic data collection functionality of the router is turned on. So, maybe this would be some sort of dynamic firewall script or configuration that opens/closes ports based on the presence of the yubikey/hardware token.

I would like this setup because I want my router on 24/7 for the data collection purposes of the Turris Omnia and HaaS proxy project, but I only want to allow internet access to any of my devices on LAN/Wifi when I am present in my home.

Then again, now that I think about your question - would it be possible to use a yubikey’s challenge response functionality or OTP to replace wifi password?

Also, using the yubikey as second factor authentication for root SSH access would be nice.

Any help with this would be appreciated.
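As an added example (not code from this thread, from Turris or from Yubico): one way to sketch the "presence-gated router" idea from the post above is an OpenWrt USB hotplug handler. It is assumed that the script is dropped into /etc/hotplug.d/usb/ (where OpenWrt passes ACTION and PRODUCT in the environment, PRODUCT being vendor/product/bcd in hex), that Yubico's USB vendor ID is 1050 (as shown by lsusb), and that a firewall section named `lan_wan_forward` exists in /etc/config/firewall; that section name is a placeholder for whichever forwarding or rule you want gated. The decision logic is kept in a function so it can be exercised without touching uci.

```shell
#!/bin/sh
# Added example: gate a firewall rule on the physical presence of a YubiKey.
# Assumptions (not from the thread):
#   - invoked by OpenWrt's USB hotplug with ACTION=add|remove and
#     PRODUCT=vendor/product/bcd (lowercase hex, no leading zeros)
#   - a uci firewall section named "lan_wan_forward" exists (hypothetical name)

YUBICO_VID="1050"        # Yubico's USB vendor ID, as printed by lsusb
RULE="lan_wan_forward"   # hypothetical uci section: firewall.lan_wan_forward

# decide_state ACTION PRODUCT
# Prints "enable" when a Yubico device was inserted, "disable" when one was
# removed, and "ignore" for any other device or hotplug action.
decide_state() {
    action="$1"
    product="$2"
    vid="${product%%/*}"   # vendor part of vendor/product/bcd
    [ "$vid" = "$YUBICO_VID" ] || { echo ignore; return 0; }
    case "$action" in
        add)    echo enable ;;
        remove) echo disable ;;
        *)      echo ignore ;;
    esac
}

# apply_state enable|disable|ignore
# Flips the 'enabled' option of the gated firewall section and reloads fw3.
apply_state() {
    case "$1" in
        enable)  uci set "firewall.$RULE.enabled=1" ;;
        disable) uci set "firewall.$RULE.enabled=0" ;;
        *)       return 0 ;;
    esac
    uci commit firewall
    /etc/init.d/firewall reload
    logger -t yubikey-gate "firewall section $RULE: $1"
}

# Only act when hotplug invoked us; sourcing the file for tests leaves ACTION unset.
if [ -n "$ACTION" ]; then
    apply_state "$(decide_state "$ACTION" "$PRODUCT")"
fi
```

Two caveats a practitioner would want before relying on this: the handler only sees insert/remove events, so the gated section should default to `enabled '0'` in /etc/config/firewall so that a reboot with no key present starts closed; and key presence proves only that something with Yubico's vendor ID is plugged into the router's port, which is an availability switch for your own convenience, not an authentication of who plugged it in.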

Ok, thanks for the explanation.