Set up Yubikey for Passwordless Sudo Authentication

Passwordless auth with Yubico 5 NFC on Ubuntu

Resources

Using U2F for passwordless sudo

Prerequisites

sudo apt-get install libpam-u2f
you'll need to setup your yubikey with the yubikey manager prior to doing this tutorial.

Setup

1. Plug-in yubikey and type: mkdir ~/.config/Yubico
   • ignore if the folder already exists
2. type pamu2fcfg > ~/.config/Yubico/u2f_keys to add your yubikey to the list of accepted yubikeys
   • enter your PIN if one if set for the key, then touch the key when the key's light blinks.

3. (optional) Register additional keys with the command: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

4. type sudo nano /etc/pam.d/sudo (or sudo nvim /etc/pam.d/sudo to use neovim as the text editor) to edit the PAM config for sign-on
   Then type auth sufficient pam_u2f.so before
   @include common-auth

To make this 2FA instead of passwordless authentication with Yubikey

• instead of the final step, adjust the file /etc/pam.d/sudo to include:

@include common-auth
auth       required   pam_u2f.so

Save the file and DO NOT CLOSE THE FILE - CONFIRM that the deployment was successful (see below)

Always confirm success BEFORE closing the edit window in terminal of the pam_u2f.so file

You can test the deployment is successful by opening a new terminal tab or window then running sudo echo SUCCESS

• If you enabled sign-in with yubikey only, then you will see your yubikey flashing for touch input
• If you enabled 2FA with your key, then you will be prompted to enter your password, then the yubikey will flash for touch input.

Once the behaviour works as expected, you may close the terminal windows

Comments

[Chris Clarkson]

Thanks for this, A great walkthough.

For those like me who forget that the Yubikey is set up for this kind of thing you can add a cue to /etc/pam.d/sudo to give you a message, instead of just the paused prompt.

auth sufficient pam_u2f.so cue [cue_prompt="Tap the Yubikey to Sudo"]

Developer Reference has some other good options to add if you need them too

[bashbunni]

Ah I never thought of this. Thank you for sharing!!

[David Savage]

Thank you for this post. I've implemented it and feel more secure ;)
However, there is one gap, namely how to do the same for su. I tried the same process for su but got this message: su: Authentication service cannot retrieve authentication info. Any ideas?

[Niklas]

This is great.

Also, it works pretty similar for polkit, just that it's /etc/pam.d/polkit-1.

[Douglas R Andreani]

this is awesome, thanks

[bashbunni]

I'm so glad it's helpful for you!

[Waylon Walker]

2FA sudo command, so cool

[dffvb]

Will this work over SSH?

[Niklas]

sadly, no. But pam_yubico.so should work.