Passwordless auth with Yubico 5 NFC on Ubuntu
Resources
Using U2F for passwordless sudo
Prerequisites
sudo apt-get install libpam-u2f
you'll need to setup your yubikey with the yubikey manager prior to doing this tutorial.
Setup
- Plug-in yubikey and type:
mkdir ~/.config/Yubico
- ignore if the folder already exists
- type
pamu2fcfg > ~/.config/Yubico/u2f_keys
to add your yubikey to the list of accepted yubikeys- enter your PIN if one if set for the key, then touch the key when the key's light blinks.
(optional) Register additional keys with the command:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
type
sudo nano /etc/pam.d/sudo
(orsudo nvim /etc/pam.d/sudo
to use neovim as the text editor) to edit the PAM config for sign-on
Then typeauth sufficient pam_u2f.so
before
@include common-auth
To make this 2FA instead of passwordless authentication with Yubikey
- instead of the final step, adjust the file
/etc/pam.d/sudo
to include:
@include common-auth
auth required pam_u2f.so
Save the file and DO NOT CLOSE THE FILE - CONFIRM that the deployment was successful (see below)
Always confirm success BEFORE closing the edit window in terminal of the pam_u2f.so file
You can test the deployment is successful by opening a new terminal tab or window then running sudo echo SUCCESS
- If you enabled sign-in with yubikey only, then you will see your yubikey flashing for touch input
- If you enabled 2FA with your key, then you will be prompted to enter your password, then the yubikey will flash for touch input.
Once the behaviour works as expected, you may close the terminal windows
Top comments (9)
Thanks for this, A great walkthough.
For those like me who forget that the Yubikey is set up for this kind of thing you can add a cue to
/etc/pam.d/sudo
to give you a message, instead of just the paused prompt.auth sufficient pam_u2f.so cue [cue_prompt="Tap the Yubikey to Sudo"]
Developer Reference has some other good options to add if you need them too
Ah I never thought of this. Thank you for sharing!!
Thank you for this post. I've implemented it and feel more secure ;)
However, there is one gap, namely how to do the same for
su
. I tried the same process for su but got this message:su: Authentication service cannot retrieve authentication info
. Any ideas?This is great.
Also, it works pretty similar for polkit, just that it's
/etc/pam.d/polkit-1
.this is awesome, thanks
I'm so glad it's helpful for you!
2FA sudo command, so cool
Will this work over SSH?
sadly, no. But pam_yubico.so should work.