Linux is a beautiful system that can be customized in very many ways. It amazes me every time how easily I can add features to my system that make life easier for me. Today: logging in using the Yubikey.
System authentication is pretty easy on Linux systems if we stick to PAM, which lets us mix and match authentication methods as we like. In my case I wanted to tackle ‘su’ or ‘sudo’ to save myself entering my password over and over again. Our savior is the U2F module pam_u2f.so, which may well be in your distro’s repository; I was lucky with Debian and Gentoo.
Configuration is shockingly simple:
In /etc/pam.d/ are the config files for every service; some of them are symlinks, but that doesn’t change anything. The file name tells you which service a config belongs to. I went for ‘su’ as I need that on my local workstation far too often.
Let’s have a look at the Gentoo default config for ‘su’:
auth     sufficient  pam_rootok.so
auth     required    pam_wheel.so use_uid
auth     include     system-auth
account  include     system-auth
password include     system-auth
session  include     system-auth
session  required    pam_env.so
session  optional    pam_xauth.so
Each line names a service type (auth, account, password, session), then a control flag such as ‘sufficient’, ‘required’, ‘include’ or ‘optional’ that decides how the result of the module in the third column affects the overall outcome, and finally the module itself with its arguments. So to spice up my config, I added this line to the ‘auth’ section:
auth sufficient pam_u2f.so cue
With this line I tell PAM that it is ‘sufficient’ if I authenticate with my Yubikey: when pam_u2f succeeds, the rest of the ‘auth’ stack is skipped and no password is asked for (unless a ‘required’ module earlier in the stack, pam_wheel.so here, has already failed); when it fails, PAM ignores the failure and simply continues with the next line, i.e. falls back to the password. Where the line sits therefore matters: it only replaces the password prompt if it comes before the ‘auth include system-auth’ line. Be aware that ‘sufficient’ turns ‘su’ into a possession check: whoever holds the key and can touch it gets in, so this is a convenience trade-off, not a second factor. If I used ‘required’ instead of ‘sufficient’, the Yubikey would become a requirement on top of the password, and every user of that service would then need a registered key (pam_u2f’s ‘nouserok’ option relaxes this for users without one). I seriously advise against using ‘required’ on the first test run, so you do not lock yourself out of the system!
The parameter ‘cue’ tells the PAM module to print a message asking you to touch the device. All other parameters are documented at https://developers.yubico.com/pam-u2f/
Sadly we’re not finished yet, as so far we have only told PAM to use the Yubikey. The system also needs an identifier for each Yubikey and a mapping from keys to users. That is done either globally in /etc/u2f_mappings (point the module at it with the ‘authfile’ option on the pam_u2f.so line) or per user in ~/.ssh/u2f_keys
Whichever you choose, both files use the same format and are set up like this:
The key handle and public key of a Yubikey are acquired with the following command, which prints a ready-made mapping line for that user:
pamu2fcfg -uusername -opam://myorigin -ipam://myappid
The -o and -i values are the origin and application ID the key is registered under; pass exactly the same values to the module as ‘origin=’ and ‘appid=’ on the pam_u2f.so line (both default to pam://<hostname>), otherwise the registered key will never verify. Now append the printed line to the mapping file to assign the key to the user; additional keys for the same user go on the same line, separated by colons.
For testing, there’s no need to reboot or reload anything, as PAM reads both the service file and the mapping file on the fly at every authentication. Do keep a second root shell open while you test, so that a broken stanza cannot lock you out, and add ‘debug’ to the module options if the key is not accepted.
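As an added example (not part of the original post, and not code from the pam_u2f project): a small POSIX shell script with the sanity checks I would run on such a setup before trusting it. It checks that the pam_u2f.so line sits before the ‘auth include system-auth’ line (so a ‘sufficient’ key check really replaces the password prompt instead of following it), reads the control flag and the origin=/appid= options off that line (they must equal what was passed to pamu2fcfg -o and -i), and verifies that a mapping file has the username:keyhandle,userkey shape documented for pam_u2f. The two sample stanzas, the users alice and bob, and the KEYHANDLE_*/PUBKEY_* strings are constructed placeholders; pam://myorigin and pam://myappid are the values from the pamu2fcfg call above.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a pam.d 'su'
# stanza and a pam_u2f mapping file, run on constructed sample files.
# Key handles and public keys below are made-up placeholders.

# Succeeds (exit 0) if the pam_u2f.so 'auth' line comes before the
# 'auth include system-auth' line, i.e. the Yubikey is tried before the
# password modules that a 'sufficient' success would short-circuit.
u2f_before_password() {
    awk '
      /^[[:space:]]*auth[[:space:]]/ && /pam_u2f\.so/                     { u2f = NR }
      /^[[:space:]]*auth[[:space:]]/ && /include[[:space:]]+system-auth/ { pw = NR }
      END { if (u2f && pw && u2f < pw) exit 0; exit 1 }
    ' "$1"
}

# Print the control flag (sufficient, required, ...) of the pam_u2f.so auth line.
u2f_control() {
    awk '/^[[:space:]]*auth[[:space:]]/ && /pam_u2f\.so/ { print $2; exit }' "$1"
}

# Print the value of a key=value module option (origin, appid, authfile, ...)
# given on the pam_u2f.so auth line; prints nothing if it is not set.
u2f_option() {
    awk -v opt="$2" '
      /^[[:space:]]*auth[[:space:]]/ && /pam_u2f\.so/ {
        for (i = 4; i <= NF; i++) {
          n = index($i, "=")
          if (n && substr($i, 1, n - 1) == opt) { print substr($i, n + 1); exit }
        }
      }' "$1"
}

# Succeeds if every non-blank line has the shape
#   user:keyhandle,userkey[:keyhandle,userkey...]
# as documented for pam_u2f; prints each malformed line and fails otherwise.
mapping_file_valid() {
    awk -F: '
      BEGIN { bad = 0 }
      /^[[:space:]]*$/ { next }
      NF < 2 || $1 == "" { print "bad line " NR ": " $0; bad = 1; next }
      {
        for (i = 2; i <= NF; i++)
          if ($i !~ /^[^,]+,[^,]+(,[^,]*)*$/) { print "bad line " NR ": " $0; bad = 1 }
      }
      END { exit bad }
    ' "$1"
}

# --- constructed samples ----------------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Gentoo-style 'su' stanza with pam_u2f inserted after pam_wheel and before
# the system-auth include; origin/appid match what pamu2fcfg was given.
cat > "$SAMPLE_DIR/su.good" <<'EOF'
auth     sufficient pam_rootok.so
auth     required   pam_wheel.so use_uid
auth     sufficient pam_u2f.so cue origin=pam://myorigin appid=pam://myappid
auth     include    system-auth
account  include    system-auth
password include    system-auth
session  include    system-auth
session  required   pam_env.so
session  optional   pam_xauth.so
EOF

# Same module placed after the include: the password prompt comes first, and
# with 'required' the key is demanded on top of it.
cat > "$SAMPLE_DIR/su.late" <<'EOF'
auth     sufficient pam_rootok.so
auth     required   pam_wheel.so use_uid
auth     include    system-auth
auth     required   pam_u2f.so cue
account  include    system-auth
EOF

cat > "$SAMPLE_DIR/u2f_keys.good" <<'EOF'
alice:KEYHANDLE_A1,PUBKEY_A1:KEYHANDLE_A2,PUBKEY_A2
bob:KEYHANDLE_B1,PUBKEY_B1
EOF

# alice's second key lacks its public key; bob's line has no key at all.
cat > "$SAMPLE_DIR/u2f_keys.bad" <<'EOF'
alice:KEYHANDLE_A1,PUBKEY_A1:KEYHANDLE_A2
bob
EOF

for f in su.good su.late; do
    if u2f_before_password "$SAMPLE_DIR/$f"; then
        echo "$f: pam_u2f ($(u2f_control "$SAMPLE_DIR/$f")) runs before the password check"
    else
        echo "$f: pam_u2f ($(u2f_control "$SAMPLE_DIR/$f")) runs after the password check"
    fi
done
echo "su.good origin: $(u2f_option "$SAMPLE_DIR/su.good" origin)"
for f in u2f_keys.good u2f_keys.bad; do
    if mapping_file_valid "$SAMPLE_DIR/$f"; then echo "$f: ok"; else echo "$f: malformed"; fi
done
```

Run it as-is to see the verdict for each sample, or point the functions at your real /etc/pam.d/su and mapping file. The checks are purely structural: nothing here talks to the Yubikey, so the real test remains a ‘su’ in a second terminal while a root shell stays open.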