Single sign-on with Yubico YubiKey

This tutorial explains how to configure Yubico YubiKeys for single sign-on to Pritunl. Users will authenticate with a YubiKey when downloading VPN profiles and before each VPN connection. YubiKey must be used in combination with another single sign-on provider. VPN re-connections will not require a YubiKey authentication; this can be changed with the Two-Step Authentication Cache settings. The Yubico authentication uses Yubico OTP. Any YubiKey supporting this can be used, including the YubiKey 4, YubiKey 4 Nano, YubiKey 4C and YubiKey Neo.

Purchase YubiKeys

YubiKeys can be purchased with Amazon Prime. All the YubiKeys below are supported.

Get Yubico API Key

The Yubico OTP servers require an API key. This can be generated at upgrade.yubico.com/getapikey.


Configure Pritunl

After generating a Yubico API key, open the Pritunl settings and set Single Sign-On to one of the Yubico modes. Then copy the Integration key to Duo Integration Key, Secret key to Duo Secret Key and API hostname to Duo API Hostname.


Custom Yubico API Servers

By default, the official YubiCloud API servers are used to validate YubiKeys. The servers can be changed by running the command:

pritunl set app.sso_yubico_servers '["https://server0", "https://server1"]'
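
The server list is a JSON array passed inside single quotes, so a stray quote or a non-TLS URL is easy to miss. The shell helper below is an added example, not part of Pritunl: it builds the array for app.sso_yubico_servers from URLs given as arguments and, as this example's own policy, rejects anything that is not a plain https:// URL. The function names and the example.internal hosts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Pritunl code): build and check the value for
# app.sso_yubico_servers before running "pritunl set".
LC_ALL=C   # make the A-Z / a-z ranges below byte-exact

# build_yubico_servers_json URL...
# Prints a JSON array on stdout; returns 1 on the first rejected URL.
build_yubico_servers_json() {
    [ "$#" -gt 0 ] || { echo "no servers given" >&2; return 1; }
    json=""
    for url in "$@"; do
        case "$url" in
            https://?*) ;;   # TLS only (policy of this example)
            *) echo "rejected (not https): $url" >&2; return 1 ;;
        esac
        case "$url" in
            # Quotes, spaces, backslashes etc. would break the JSON
            # string or the single-quoted shell argument.
            *[!A-Za-z0-9.:/_-]*)
                echo "rejected (unexpected character): $url" >&2
                return 1 ;;
        esac
        json="${json:+$json, }\"$url\""
    done
    printf '[%s]\n' "$json"
}

# print_pritunl_command URL...
# Prints the full command line for review; it does not run pritunl.
print_pritunl_command() {
    list=$(build_yubico_servers_json "$@") || return 1
    printf "pritunl set app.sso_yubico_servers '%s'\n" "$list"
}

# Constructed sample hosts, not real validation servers.
print_pritunl_command "https://yubival0.example.internal" \
                      "https://yubival1.example.internal"
```

The helper only prints the command so it can be reviewed before it is run on the Pritunl host.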