Prerequisites
This method works with ANY security key that supports the U2F standard, including but not limited to Yubikeys, Titan Security Keys etc.
ALL models of Yubikey support U2F.
- A Security key supporting the U2F Standard
- A Linux Box
- root access to the system you are going to configure 2FA for
- Some free time
Download the pam-u2f Package
Depending on your distro the package might have a different name; here are the commands for some common distros:
- Debian/Ubuntu Linux
sudo apt update && sudo apt install libpam-u2f
- Arch Linux
sudo pacman -Sy pam-u2f
- Fedora Linux
sudo dnf install pam-u2f
Configure Security keys for Users
The pam-u2f package provides a handy tool called pamu2fcfg to configure security keys for our users.
We have two choices for where to keep the configuration files for our users:
Individual Configuration File
We can create individual configuration files for each user, owned by the user, which allows them to freely add or modify keys without root privileges. This type of setup is preferred if the user home directories are available at login (e.g. no home directory encryption).
Create the configuration file
Create a blank config file using
mkdir ~/.config/Yubico && touch ~/.config/Yubico/u2f_keys
Add User Keys
Use the config tool pamu2fcfg to configure your keys:
pamu2fcfg -u <USER> -o <ORIGIN ID> -i <APP ID> | tee ~/.config/Yubico/u2f_keys
Example
pamu2fcfg -u ashu -opam://ashu.io -ipam://ashu.io | tee ~/.config/Yubico/u2f_keys
Add Additional keys using
pamu2fcfg -n -u <USER> -o <ORIGIN ID> -i <APP ID> | tee -a ~/.config/Yubico/u2f_keys
Example
pamu2fcfg -n -u ashu -opam://ashu.io -ipam://ashu.io | tee -a ~/.config/Yubico/u2f_keys
Central Configuration File
We can create a single configuration file for all our users, which helps with centralised management, but with this method only the root user is able to write changes to it, so changing or updating keys requires root privileges.
This is however necessary sometimes, e.g. when user home directories are encrypted and only unlock AFTER login.
You can place this configuration file anywhere on the system.
Create the configuration file
Use the touch command to create a blank config file:
sudo touch /etc/pamu2f.cfg
You can grant users write permission on this config file so they can edit their own keys, but this exposes the keys of all users and gives every user the ability to delete or modify them, so it is STRONGLY discouraged on multi-user systems.
Add User Keys
Now that we have a config file we can start adding user Yubikeys to that file.
To configure a Yubikey for a user, insert the Yubikey and run:
echo $(pamu2fcfg -u <USER> -o <ORIGIN ID> -i <APP ID>) | sudo tee -a <Path to config file>
Example
echo $(pamu2fcfg -u ashu -opam://ashu.io -ipam://ashu.io) | sudo tee -a /etc/pamu2f.cfg
To add additional keys for a user, append the output of the following command to the user's line in the configuration file:
pamu2fcfg -n -u <USER> -o <ORIGIN ID> -i <APP ID> | tee -a <Path to config file>
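Both the individual and the central authfile above use the same line format, so a small parser is a quick way to confirm that an appended key landed on the right line and that a shared file is not writable by other users. This is added example code, not part of pam-u2f; it assumes the pamu2fcfg line format `username:keyhandle,publickey[,type,options][:keyhandle,...]` and the sample contents are constructed.

```python
# Added sanity check for a pam-u2f authfile (example code, not from pam-u2f).
# Assumed line format, as written by pamu2fcfg:
#   username:keyhandle,publickey[,type,options][:keyhandle,publickey...]
# with every credential of a user on that user's own line.
import stat

def parse_authfile(text):
    """Return ({user: number_of_keys}, [problems]) for the authfile contents."""
    keys, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, creds = line.partition(":")
        if not sep or not creds:
            problems.append(f"line {lineno}: no credentials after the username")
            continue
        if not user:
            # A credential on its own line has no username, e.g. when the
            # output of `pamu2fcfg -n` ended up on a new line instead of
            # being appended to the user's existing line
            problems.append(f"line {lineno}: credential without a username")
            continue
        good = 0
        for cred in creds.split(":"):
            fields = cred.split(",")
            if len(fields) < 2 or not fields[0] or not fields[1]:
                problems.append(f"line {lineno}: malformed credential for {user}")
                continue
            good += 1
        keys[user] = keys.get(user, 0) + good
    return keys, problems

def mode_is_safe(st_mode):
    """A central authfile must not be group- or world-writable (see the note above)."""
    return not (st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample: two keys for ashu on one line, one for bob, then a
# stray credential that was appended as its own line
SAMPLE = """\
ashu:KHAAA,PKAAA,es256,+presence:KHBBB,PKBBB,es256,+presence
bob:KHCCC,PKCCC
:KHDDD,PKDDD
"""

if __name__ == "__main__":
    counts, issues = parse_authfile(SAMPLE)
    print(counts)          # {'ashu': 2, 'bob': 1}
    for issue in issues:
        print("warning:", issue)
```

Run it against `/etc/pamu2f.cfg` (or `~/.config/Yubico/u2f_keys`) by reading the file into `parse_authfile`, and pass `os.stat(path).st_mode` to `mode_is_safe` for the central file.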
Enable the pam_u2f.so module in PAM
Depending on which service we want to use 2FA for, we add the following line to its config file:
auth sufficient pam_u2f.so authfile=<Path to config file> appid=<APP ID> origin=<Origin ID> nouserok cue [cue_prompt=<Prompt we want to show to our users>]
Example
auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue [cue_prompt="Please touch your Yubikey to Autheticate"]
In our case we will add this line as the last line in the auth section of the following files in the /etc/pam.d/ directory:
- sddm: login manager for KDE
- sudo: 2FA for the sudo command line utility
- login: CLI logins through ttys
- su: 2FA for the su command line utility
Note: Configuration files might be named differently depending on your distro
Example
sddm config file BEFORE adding u2f
auth include system-login
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
account include system-login
password include system-login
-password optional pam_gnome_keyring.so use_authtok
session optional pam_keyinit.so force revoke
session include system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
sddm config file AFTER adding u2f
auth include system-login
-auth optional pam_gnome_keyring.so
-auth optional pam_kwallet5.so
auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue [cue_prompt="Please touch your Yubikey to Autheticate"]
account include system-login
password include system-login
-password optional pam_gnome_keyring.so use_authtok
session optional pam_keyinit.so force revoke
session include system-login
-session optional pam_gnome_keyring.so auto_start
-session optional pam_kwallet5.so auto_start
Note: Some login methods like sddm will NOT show you the prompt to insert or touch your Yubikey.
Passwordless sudo with U2F
You can use a Yubikey for passwordless sudo, i.e. only the Yubikey is needed to run sudo commands.
We can achieve this by editing the /etc/pam.d/sudo file.
Add the following line to the TOP of the sudo file
auth sufficient pam_u2f.so authfile=<Path to config file> appid=<APP ID> origin=<Origin ID> cue [cue_prompt=<Prompt we want to show to our users>]
Example sudo file WITH passwordless enabled
auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg [cue_prompt=Please Confirm Your Identity.] cue origin=pam://ashu.io appid=pam://ashu.io
auth include system-auth
account include system-auth
session include system-auth
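The control flag decides what pam_u2f can actually enforce: Linux-PAM ignores the failure of a sufficient module, so a sufficient pam_u2f entry placed after the password check (the sddm example) cannot deny a login and nouserok additionally passes users with no entry in the authfile, whereas a sufficient entry at the top of the stack (the passwordless sudo example) lets enrolled users skip the password, which is the intended effect there. The checker below is added example code, not part of pam-u2f; it parses the auth lines of a pam.d file and reports these properties, and the two stacks it carries are constructed from the examples above.

```python
# Added checker for the pam_u2f control flag (example code, not from pam-u2f).
# Assumes standard Linux-PAM control semantics:
#   required/requisite -> a failed pam_u2f denies the login
#   sufficient         -> failure is ignored; success short-circuits the stack
#   nouserok           -> users without an authfile entry pass the module
import re

def parse_pam_line(line):
    """Split one pam.d line into (type, control, module, args); None for comments."""
    line = line.strip().lstrip("-")   # a leading '-' only silences missing-module logs
    if not line or line.startswith("#"):
        return None
    m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
    if not m:
        return None
    typ, control, module, args = m.groups()
    return typ, control, module, args.split()

def audit_u2f(lines):
    """Report what the pam_u2f entry in an auth stack can actually enforce."""
    auth = [e for e in map(parse_pam_line, lines) if e and e[0] == "auth"]
    for idx, (_, control, module, args) in enumerate(auth):
        if module != "pam_u2f.so":
            continue
        return {
            "control": control,
            "can_deny": control in ("required", "requisite"),
            "nouserok": "nouserok" in args,
            # sufficient as the first auth entry: enrolled users skip the password
            "passwordless": control == "sufficient" and idx == 0,
        }
    return None

# Constructed stacks mirroring the sddm and sudo examples above
SDDM_2FA = [
    "auth include system-login",
    "-auth optional pam_kwallet5.so",
    "auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg appid=pam://ashu.io origin=pam://ashu.io nouserok cue",
]
SUDO_PASSWORDLESS = [
    "auth sufficient pam_u2f.so authfile=/etc/pamu2f.cfg cue origin=pam://ashu.io appid=pam://ashu.io",
    "auth include system-auth",
]

if __name__ == "__main__":
    for name, stack in (("sddm", SDDM_2FA), ("sudo", SUDO_PASSWORDLESS)):
        r = audit_u2f(stack)
        verdict = "a failed touch denies login" if r["can_deny"] else "a failed touch is ignored"
        print(f"{name}: control={r['control']}, {verdict}, nouserok={r['nouserok']}, passwordless={r['passwordless']}")
```

To make the second factor mandatory for a service, the pam_u2f line must carry a control flag for which `can_deny` is true (required or requisite) and should not carry nouserok once every user has a key enrolled.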
Let me know if I missed anything.