Prerequisites

This method will work with ANY security key that supports the U2F standard, including but not limited to Yubikeys, Titan Security Keys etc.

ALL models of Yubikey support U2F.

  • A Security key supporting the U2F Standard
  • A Linux Box
  • root access to the system you are going to configure 2FA for
  • Some free time

Download the pam-u2f Package

Depending on your distro the package might be called something else; here are the commands for some common distros:

  • Debian/Ubuntu Linux
sudo apt update && sudo apt install libpam-u2f
  • Arch Linux
sudo pacman -Sy pam-u2f
  • Fedora Linux
sudo dnf install pam-u2f

Configure Security keys for Users

The pam-u2f package provides a handy tool called pamu2fcfg to configure security keys for our users.

We have two choices for where to save the configuration files for our users:

Individual Configuration File

We can create individual configuration files for each user, owned by the user themselves, which allows them to freely add or modify keys without root privileges. This type of setup is preferred if the user home directories are available at login (e.g. no home directory encryption).

Create the configuration file

Create a blank config file using

mkdir ~/.config/Yubico && touch ~/.config/Yubico/u2f_keys

Add User Keys

Use the config tool pamu2fcfg to configure your keys

pamu2fcfg -u <USER> -o <ORIGIN ID> -i <APP ID> | tee ~/.config/Yubico/u2f_keys

Example

pamu2fcfg -u ashu -opam://ashu.io -ipam://ashu.io | tee ~/.config/Yubico/u2f_keys

Add Additional keys using

pamu2fcfg -n -u <USER> -o <ORIGIN ID> -i <APP ID> | tee -a ~/.config/Yubico/u2f_keys

Example

pamu2fcfg -n -u ashu -opam://ashu.io -ipam://ashu.io | tee -a ~/.config/Yubico/u2f_keys

Central Configuration File

We can create a single configuration file for all our users, which helps with centralised management, but with this method only the root user is able to write changes to it, so changing or updating keys requires root privileges.

This is however sometimes necessary, e.g. when user home directories are encrypted and only unlock AFTER login.

You can place this configuration file anywhere on the system.

Create the configuration file

Use the touch command to create a blank config file:

sudo touch /etc/pamu2f.cfg

You can grant users write permission on this config file to allow them to edit their own keys, but this also exposes every user's keys to them and gives them the ability to delete or modify other users' keys, and hence is STRONGLY discouraged on multi-user systems.

Add User Keys

Now that we have a config file we can start adding user Yubikeys to that file.

To configure a Yubikey for a user, insert the Yubikey and run:

echo $(pamu2fcfg -u <USER> -o <ORIGIN ID> -i <APP ID>) | sudo tee -a <Path to config file>

Example

echo $(pamu2fcfg -u ashu -opam://ashu.io -ipam://ashu.io) | sudo tee -a /etc/pamu2f.cfg

To add additional keys for a user, append the output of the following command to that user's line in the configuration file:

pamu2fcfg -n -u <USER> -o <ORIGIN ID> -i <APP ID> | tee -a <Path to config file>
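Appending the `-n` output by hand to the right user's line is error-prone once the central file holds several users. The following is an added example, not code from the original post or from the pam-u2f project: a small POSIX sh helper that merges a key spec into the correct line (creating the line if the user has none), skips a key that is already registered, rewrites the file through a temp copy so a failed write never truncates it, and checks that the file is not group- or world-writable (the risk discussed above). It works for the per-user `~/.config/Yubico/u2f_keys` file as well as the central file. It assumes the authfile layout `<user>:<keyhandle>,<pubkey>[,<more fields>][:<keyhandle>,<pubkey>...]` and that `pamu2fcfg -n` prints the part after the user name, starting with `:`; the function names and the `CONSTRUCTED_*` key values are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the pam-u2f project).
# Assumed authfile layout, one line per user:
#   <user>:<keyhandle>,<pubkey>[,<more fields>][:<keyhandle>,<pubkey>[...]]
# "pamu2fcfg -n" is assumed to print the part after the user name, starting
# with ':' and without a trailing newline; both forms are accepted here.

# u2f_add_key FILE USER KEYSPEC
#   Appends KEYSPEC to USER's line (creating the line if USER has none).
#   A key that is already on the line is not added twice.
#   The file is rewritten through a temp copy that keeps its mode, then
#   renamed over the original, so a failed write never truncates it.
u2f_add_key() {
    file=$1 user=$2 spec=$3
    # normalise: drop CR/LF and one leading ':'
    spec=$(printf '%s' "$spec" | tr -d '\r\n' | sed 's/^://')
    case "$user" in
        ''|*:*|*[[:space:]]*) echo "u2f_add_key: bad user name" >&2; return 2 ;;
    esac
    case "$spec" in
        ''|*:*|*[[:space:]]*) echo "u2f_add_key: bad key spec" >&2; return 2 ;;
    esac
    [ -f "$file" ] || : > "$file" || return 1
    tmp=$(mktemp "$file.XXXXXX") && cp -p "$file" "$tmp" || return 1
    awk -F: -v u="$user" -v s="$spec" '
        $1 == u {
            found = 1; dup = 0
            for (i = 2; i <= NF; i++) if ($i == s) dup = 1
            if (dup) print; else print $0 ":" s
            next
        }
        { print }
        END { if (!found) print u ":" s }
    ' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# u2f_key_count FILE USER  -> number of keys registered for USER (0 if none)
u2f_key_count() {
    awk -F: -v u="$2" '$1 == u { n += NF - 1 } END { print n + 0 }' "$1"
}

# authfile_mode_ok FILE  -> 0 unless FILE is group- or world-writable
authfile_mode_ok() {
    # columns 6 and 9 of "ls -l" are the group and other write bits
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) echo "$1: group or world writable" >&2; return 1 ;;
    esac
    return 0
}
```

With the functions saved in a file (the name `u2f_authfile.sh` below is my own choice), a real key is registered as root with `sh -c '. ./u2f_authfile.sh; u2f_add_key /etc/pamu2f.cfg ashu "$(pamu2fcfg -n -u ashu -opam://ashu.io -ipam://ashu.io)"'`, and `authfile_mode_ok /etc/pamu2f.cfg` confirms the file is only writable by its owner. The `cp -p` copy is what keeps the original mode on the rewritten file; `mktemp` alone would leave it 0600.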

Enable the pam_u2f.so module in PAM

Depending on which service we want to use 2FA on, we can add the following line to its config file:

auth sufficient pam_u2f.so authfile=<Path to config file> appid=<APP ID> origin=<Origin ID> nouserok cue [cue_prompt=<Prompt we want to show to our users>]

Example

auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue [cue_prompt="Please touch your Yubikey to Authenticate"]

In our case we will add this line as the last line of the auth section in the following files in the /etc/pam.d/ directory:

  • sddm : Login manager for KDE
  • sudo : 2FA for sudo command line utility
  • login : CLI logins through tty
  • su : 2FA for the su command line utility

Note: Configuration files might be named differently depending on your distro.

Example

sddm config file BEFORE adding u2f

auth		include		system-login
-auth		optional	pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
account		include		system-login

password	include		system-login
-password	optional	pam_gnome_keyring.so use_authtok

session		optional	pam_keyinit.so force revoke
session		include		system-login
-session	optional	pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start

sddm config file AFTER adding u2f

auth		include		system-login
-auth		optional	pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
auth        sufficient  pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue [cue_prompt="Please touch your Yubikey to Authenticate"]
account		include		system-login

password	include		system-login
-password	optional	pam_gnome_keyring.so use_authtok

session		optional	pam_keyinit.so force revoke
session		include		system-login
-session	optional	pam_gnome_keyring.so auto_start
-session    optional    pam_kwallet5.so auto_start

Note: Some login methods like sddm will NOT show you the prompt to insert or touch your Yubikey.
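Because a mistake in /etc/pam.d is only noticed at the next login, it helps to read back what the edited stack actually contains before logging out. The following is an added example, not code from the original post or from the pam-u2f project: a POSIX sh helper that lists every active `auth` line loading pam_u2f.so in a pam.d file, with its control flag and options, and works equally on the sddm file above and on the sudo file used later in the post. The function names are my own; the sample file it writes is a constructed copy of the sddm example above, and the parser assumes the usual `[-]<type> <control> <module> [options]` line syntax, with a bracketed `[...]` control group allowed.

```shell
#!/bin/sh
# Added example (not from the original post or the pam-u2f project):
# report the pam_u2f.so auth lines of a /etc/pam.d/<service> file.
# Assumed line syntax:  [-]<type> <control> <module> [options...]
# where <control> is one word or a bracketed "[...]" group and a leading
# '-' marks a module whose absence should not be logged.

# pam_u2f_lines FILE
#   Prints one tab-separated record per matching line:
#   <lineno> <control> <options>.  Returns 1 if FILE has no such line.
pam_u2f_lines() {
    awk '
        /^[[:space:]]*#/ { next }                    # comment
        NF == 0 { next }                             # blank
        {
            type = $1; sub(/^-/, "", type)
            if (type != "auth") next
            ctrl = $2; i = 3
            if (ctrl ~ /^\[/)                        # e.g. [success=1 default=ignore]
                while (i <= NF && ctrl !~ /\]$/) { ctrl = ctrl " " $i; i++ }
            mod = $i; i++
            if (mod !~ /(^|\/)pam_u2f\.so$/) next
            opts = ""
            for (; i <= NF; i++) opts = opts (opts == "" ? "" : " ") $i
            print NR "\t" ctrl "\t" opts
            n++
        }
        END { exit n ? 0 : 1 }
    ' "$1"
}

# pam_u2f_control FILE  -> control flag of the first pam_u2f auth line
pam_u2f_control() {
    pam_u2f_lines "$1" | sed 1q | cut -f2
}

# pam_u2f_has_opt FILE OPT  -> 0 if OPT is one of that line's options
pam_u2f_has_opt() {
    pam_u2f_lines "$1" | sed 1q | cut -f3 | tr ' ' '\n' | grep -qxF -- "$2"
}

# pam_u2f_report FILE  -> human-readable summary; 1 if the module is absent
pam_u2f_report() {
    if ! lines=$(pam_u2f_lines "$1"); then
        echo "$1: no auth line loads pam_u2f.so" >&2
        return 1
    fi
    printf '%s\n' "$lines" | while IFS="$(printf '\t')" read -r ln ctrl opts; do
        echo "$1:$ln: control=$ctrl"
        echo "    options: $opts"
        case " $opts " in
            *" nouserok "*) echo "    nouserok: users without a registered key are not challenged" ;;
        esac
    done
}

# write_sample_sddm FILE  -> constructed copy of the sddm file from the post
write_sample_sddm() {
    cat > "$1" <<'EOF'
auth        include     system-login
-auth       optional    pam_gnome_keyring.so
-auth       optional    pam_kwallet5.so
auth        sufficient  pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue [cue_prompt="Please touch your Yubikey to Authenticate"]
account     include     system-login
password    include     system-login
session     include     system-login
EOF
}
```

Run `pam_u2f_report /etc/pam.d/sddm` (or `/etc/pam.d/sudo`) after editing. Two properties of the example line are worth checking deliberately: PAM ignores the failure of a `sufficient` module and simply continues with the next line (a success returns immediately only if no earlier `required` module failed), and `nouserok` makes pam_u2f succeed for a user who has no entry in the authfile at all. Whatever behaviour you intend, confirm it from a second root shell that stays open while you test, so that a typo in /etc/pam.d cannot lock you out.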

Passwordless sudo with U2F

You can use a Yubikey for passwordless sudo, i.e. only the Yubikey would be needed to run sudo commands.

We can achieve this by editing the /etc/pam.d/sudo file

Add the following line to the TOP of the sudo file:

auth sufficient pam_u2f.so authfile=<Path to config file> appid=<APP ID> origin=<Origin ID> cue [cue_prompt=<Prompt we want to show to our users>]

Example sudo file WITH passwordless enabled

auth		sufficient 	pam_u2f.so authfile=/etc/pamu2f.cfg [cue_prompt=Please Confirm Your Identity.] cue origin=pam://ashu.io appid=pam://ashu.io
auth		include		system-auth
account		include		system-auth
session		include		system-auth

Let me know if I missed anything.