Ubuntu Yubikey U2F Auth

Yubikey is a hardware security device. You can use it for two-factor authentication. Here is an example setup for two-factor login for Ubuntu Linux. I recommend to use at least two Yubikeys. One primary and the second one as a backup device.

I used mostly the official HowTo for this: https://support.yubico.com/hc/en-us/articles/360016649099-Ubuntu-Linux-Login-Guide-U2F

1. Setup

First add the yubico repository:

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update

Now install libpam-u2f:

sudo apt install libpam-u2f
mkdir -p ~/.config/Yubico

Insert first Yubikey

pamu2fcfg > ~/.config/Yubico/u2f_keys

When your Yubikey starts flashing just touch the metal part.

Remove the first Yubikey and insert the second one:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

Now we move the file to a more secure location.

sudo mkdir /etc/Yubico
sudo mv ~/.config/Yubico/u2f_keys /etc/Yubico/u2f_keys

2. Test with sudo command

I recommend to open a second terminal with a root session (sudo su).

Edit ‘/etc/pam.d/sudo’

sudo vim /etc/pam.d/sudo

And insert the line below just after the line ‘@include common-auth’:

auth       required   pam_u2f.so authfile=/etc/Yubico/u2f_keys

Save the file and test with a _new_ terminal.

You can try “sudo echo test” (Like in the offical documentation)

If try without your Yubikey this should fail even with your correct password.

Now try again with your Yubikey. After you entered your password the Led of your Yubikey should flashing. Just touch the metal contact and your command should be executed.

You may want to repeat this with your backup Yubikey

3. Use for other components

You can add this line ‘auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys’ to other pam.d files to use u2f for more as just for sudo.

‘/etc/pam.d/login’ for TTY or ‘/etc/pam.d/gdm-password’ (or ‘/etc/pam.d/lightdm’)

4. Or enabling 2FA for all authentication

Edit ‘/etc/pam.d/common-auth’:

vim /etc/pam.d/common-auth

and insert this line at the bottom of the file:

auth    required   pam_u2f.so nouserok authfile=/etc/Yubico/u2f_keys cue

You may don’t need the ‘nouserok’ option. With this option Users with no assigned Yubikey are still able to login. If you remove this option only Users with a Yubikey are able to log on.

The ‘cue’ option will promt a message ‘Please touch the device’.

5. No second factor for sudo

Create a second common-auth:

sudo cp /etc/pam.d/common-auth /etc/pam.d/common-auth-no2fa

Now edit ‘common-auth-no2fa’ and remove the line with ‘auth required pam_u2f.so nouserok authfile=/etc/u2f_keys cue’. Now it should be the original file again.

Edit ‘/etc/pam.d/sudo’ and make sure you removed the ‘auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys’ line and replace ‘@include common-auth’ with ‘@include common-auth-no2fa’

Now you can execute sudo again just with your password but for everything (Login etc.) else the Yubikey is required.

6. 3D-printed Case for your Yubikey

I used Yubikey 5 NFC Sticks and printed a simple cover for them.
You can found it on Thingiverse.


If you don’t like this one you can find more on Thingiverse.

Schreibe einen Kommentar

eMail-Benachrichtigung bei weiteren Kommentaren.
Auch möglich: Abo ohne Kommentar.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.