Yubikey is a hardware security device. You can use it for two-factor authentication. Here is an example setup for two-factor login for Ubuntu Linux. I recommend to use at least two Yubikeys. One primary and the second one as a backup device.
I used mostly the official HowTo for this: https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F
1. Setup
First add the yubico repository:
sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
Now install libpam-u2f:
sudo apt install libpam-u2f
mkdir -p ~/.config/Yubico
Insert first Yubikey
pamu2fcfg > ~/.config/Yubico/u2f_keys
When your Yubikey starts flashing just touch the metal part.
Remove the first Yubikey and insert the second one:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
Now we move the file to a more secure location.
sudo mkdir /etc/Yubico sudo mv ~/.config/Yubico/u2f_keys /etc/Yubico/u2f_keys
2. Test with sudo command
I recommend to open a second terminal with a root session (sudo su).
Edit ‘/etc/pam.d/sudo’
sudo vim /etc/pam.d/sudo
And insert the line below just after the line ‘@include common-auth’:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
Save the file and test with a _new_ terminal.
You can try “sudo echo test” (Like in the offical documentation)
If try without your Yubikey this should fail even with your correct password.
Now try again with your Yubikey. After you entered your password the Led of your Yubikey should flashing. Just touch the metal contact and your command should be executed.
You may want to repeat this with your backup Yubikey
3. Use for other components
You can add this line ‘auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys’ to other pam.d files to use u2f for more as just for sudo.
‘/etc/pam.d/login’ for TTY or ‘/etc/pam.d/gdm-password’ (or ‘/etc/pam.d/lightdm’)
4. Or enabling 2FA for all authentication
Edit ‘/etc/pam.d/common-auth’:
vim /etc/pam.d/common-auth
and insert this line at the bottom of the file:
auth required pam_u2f.so nouserok authfile=/etc/Yubico/u2f_keys cue
You may don’t need the ‘nouserok’ option. With this option Users with no assigned Yubikey are still able to login. If you remove this option only Users with a Yubikey are able to log on.
The ‘cue’ option will promt a message ‘Please touch the device’.
5. No second factor for sudo
Create a second common-auth:
sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth-no2fa
Now edit ‘common-auth-no2fa’ and remove the line with ‘auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue’. Now it should be the original file again.
Edit ‘/etc/pam.d/sudo’ and make sure you removed the ‘auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys’ line and replace ‘@include common-auth’ with ‘@include common-auth-no2fa’
Now you can execute sudo again just with your password but for everything (Login etc.) else the Yubikey is required.
6. 3D-printed Case for your Yubikey
I used Yubikey 5 NFC Sticks and printed a simple cover for them.
You can found it on Thingiverse.
If you don’t like this one you can find more on Thingiverse.