
U2F for Linux Authentication (Ubuntu/Mint/...)

Two-factor (U2F) login

Warning: Be aware that if you mess things up, or don’t have your U2F stick handy after you finish configuring U2F on your workstation, you’ll be locked out! If you are not comfortable working with the terminal, you are not ready to do this!

This tutorial used a Yubikey 4 (see image), but it is entirely general and should work with just about any U2F device from any manufacturer.


First, you’ll need to install the required software for U2F authentication on your machine:

$ sudo apt-get install libpam-u2f pamu2fcfg

Next you’ll need to generate your U2F mappings file. Insert your key and touch the button once the LED on your Yubikey starts blinking:

$ pamu2fcfg -u $USER > /tmp/u2f_mappings

Move the file into /etc using elevated rights:

$ sudo mv /tmp/u2f_mappings /etc/u2f_mappings

Now, you are ready to configure your system to use your key for authentication. The available services can be seen using:

$ ls /etc/pam.d

As an example, I will show how to set up U2F for the mate-screensaver.

Add the following line to /etc/pam.d/mate-screensaver:

auth required pam_u2f.so authfile=/etc/u2f_mappings cue

When you lock your screen now, you have to have the U2F key at hand to log back into your system.

In case it didn't work for you, you can still switch to a virtual console (press F1), remove the added line and try again.

Recommended: Protect sudo

Once you have familiarized yourself with two-factor authorization on your computer, you can extend its scope to other services like sudo. Add the aforementioned line:

auth required pam_u2f.so authfile=/etc/u2f_mappings cue

to /etc/pam.d/sudo to enable two-factor authorization for sudo (you will see the "Please touch the device." prompt).

Optional: Make U2F authorization sufficient

You can also disable the need for a password (U2F authorization is sufficient). Add this line as the first line in the corresponding pam.d file (e.g. /etc/pam.d/mate-screensaver):

auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue

You can now either use your password (if no U2F key is present) or the U2F device without the need for a password. Note that this is, of course, not a two-factor setup.
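Because a typo in a pam.d file locks you out, it pays to rehearse the edits above on copies first. The script below is an added example (not from this post or from pam_u2f) that checks a pamu2fcfg mappings file for the expected shape and inserts the pam_u2f line exactly once, with a backup; the control word argument covers both the required and the sufficient variants, and the file paths are arguments so nothing under /etc is touched until you pass it.

```shell
#!/bin/sh
# Added example, not from the original post: check a pamu2fcfg mappings file
# and insert the pam_u2f line into a pam.d file exactly once, keeping a backup.
# Paths are arguments so it can be rehearsed on copies before touching /etc.
set -eu

# check_mappings FILE
# Succeeds if FILE has at least one line of the form written by pamu2fcfg:
#   user:keyhandle,publickey[,...][:keyhandle,publickey[,...]]...
check_mappings() {
    awk -F: '
        /^[[:space:]]*$/ { next }
        { lines++ }
        NF < 2 || $1 == "" { bad = 1; exit }
        {
            for (i = 2; i <= NF; i++) {
                n = split($i, f, ",")
                if (n < 2 || f[1] == "" || f[2] == "") { bad = 1; exit }
            }
        }
        END { if (bad || lines == 0) exit 1; exit 0 }
    ' "$1"
}

# add_pam_line PAMFILE MAPPINGS [CONTROL]
# Prepends "auth CONTROL pam_u2f.so authfile=MAPPINGS cue" (CONTROL defaults
# to "required") after saving PAMFILE.bak; a repeat call changes nothing.
add_pam_line() {
    pamfile=$1 mappings=$2 control=${3:-required}
    line="auth $control pam_u2f.so authfile=$mappings cue"
    grep -Fqx -- "$line" "$pamfile" && return 0
    cp -p "$pamfile" "$pamfile.bak"
    { printf '%s\n' "$line"; cat "$pamfile.bak"; } > "$pamfile"
}

# Rehearsal on constructed data (not real credentials) in a temp directory.
demo() {
    tmp=$(mktemp -d)
    printf 'alice:CONSTRUCTED_KEYHANDLE,CONSTRUCTED_PUBKEY\n' > "$tmp/u2f_mappings"
    printf '@include common-auth\n' > "$tmp/sudo"
    check_mappings "$tmp/u2f_mappings" && echo "mappings file looks valid"
    add_pam_line "$tmp/sudo" /etc/u2f_mappings
    add_pam_line "$tmp/sudo" /etc/u2f_mappings   # second call adds no duplicate
    cat "$tmp/sudo"
    rm -rf "$tmp"
}

demo
```

Keep a root shell open in a second terminal while you apply this to the real /etc/pam.d file, so the .bak copy can be restored if the touch prompt never appears.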
