
Yubikey for system auth

Linux is a beautiful system that can be customized in very many ways; it amazes me every time how easily, and with which features, I can extend my system to make life easier for me. Today: logging in using the Yubikey.

System authentication is pretty easy on a Linux system if we stick to PAM, which allows us to mix and match authentication methods as we want. In my case I wanted to tackle ‘su’ or ‘sudo’ to save myself entering my password over and over again. Our saviour is the U2F module named pam_u2f.so, which may be in your distro’s repository; I was lucky on Debian and Gentoo.

Configuration is shockingly simple:

In /etc/pam.d/ are the config files for every service; some of those are symlinks, but that doesn’t change things. You should be able to see which config belongs to which service. I went for ‘su’ as I need it on my local workstation way too often.

Let’s have a look at the Gentoo default config for ‘su’:

auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so use_uid
auth            include         system-auth
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         required        pam_env.so
session         optional        pam_xauth.so

In this file you find control flags from ‘sufficient’ up to ‘required’ that define the rules for the PAM modules listed in the third column. So to spice up my config, I added this to my ‘auth’ section:

auth            sufficient      pam_u2f.so cue

With this line I tell PAM that it is ‘sufficient’ if I authenticate using my Yubikey and its PIN. If I used ‘required’ instead of ‘sufficient’, I would make successful authentication with the Yubikey a requirement on top of the password. I seriously advise against using ‘required’ on the first test run, to make sure you do not lock yourself out of the system!
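To make the difference between the two control flags concrete, here is a small model of how Linux PAM walks an ‘auth’ stack. It is an added example, not code from the original post or from pam_u2f; module outcomes are supplied as a dict, so it runs without PAM or a Yubikey. The position of the added line (just before the system-auth include) and the one-module system-auth stack are assumptions.

```python
"""Model of Linux-PAM 'auth' control flags applied to the 'su' stack above.

Added example, not from the original post. Module results are injected, so no
real PAM, password or hardware is involved.
"""

# Constructed stand-in for Gentoo's system-auth include (really several modules).
SYSTEM_AUTH = [("required", "pam_unix.so")]
INCLUDES = {"system-auth": SYSTEM_AUTH}

def su_stack(u2f_control):
    """The 'su' auth stack from the post, with pam_u2f.so under u2f_control (assumed position)."""
    return [
        ("sufficient", "pam_rootok.so"),
        ("required", "pam_wheel.so"),
        (u2f_control, "pam_u2f.so"),
        ("include", "system-auth"),
    ]

def expand(stack, includes):
    """Splice 'include' entries in place, as pam.d files are processed."""
    flat = []
    for control, target in stack:
        flat.extend(expand(includes[target], includes) if control == "include" else [(control, target)])
    return flat

def run_auth(stack, results, includes):
    """Return (authenticated, modules_consulted) following the control-flag rules."""
    failed = False          # a 'required' module has failed; the final result is failure
    consulted = []
    for control, module in expand(stack, includes):
        consulted.append(module)
        ok = results.get(module, False)      # modules not listed are treated as failing
        if control == "requisite" and not ok:
            return False, consulted          # stop at once
        if control == "required" and not ok:
            failed = True                    # keep going so the user learns nothing
        if control == "sufficient" and ok and not failed:
            return True, consulted           # done: the rest of the stack is skipped
        # 'optional' never decides the outcome; a failing 'sufficient' is simply ignored
    return not failed, consulted

def su_attempt(u2f_control, *, in_wheel, u2f_ok, password_ok):
    """One 'su' attempt by a non-root user with the given module outcomes."""
    results = {"pam_rootok.so": False, "pam_wheel.so": in_wheel,
               "pam_u2f.so": u2f_ok, "pam_unix.so": password_ok}
    return run_auth(su_stack(u2f_control), results, INCLUDES)

if __name__ == "__main__":
    for ctl in ("sufficient", "required"):
        for u2f_ok in (True, False):
            ok, asked = su_attempt(ctl, in_wheel=True, u2f_ok=u2f_ok, password_ok=True)
            print(f"{ctl:10} u2f_ok={u2f_ok!s:5} -> auth={ok!s:5} consulted={asked}")
```

With ‘sufficient’, a successful touch ends the stack before pam_unix.so ever prompts for a password, while a failed touch silently falls back to the password; with ‘required’, a failed touch fails the whole attempt even though the password is correct.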

The parameter ‘cue’ tells the PAM module to merrily print a message to ‘touch the device’. All other parameters are documented at https://developers.yubico.com/pam-u2f/.

Sadly we’re not finished yet, as we have only told PAM that it should use the Yubikey. The system also needs an identifier for each Yubikey used and a mapping to its user. That’s done either globally in /etc/u2f_mappings or per user in ~/.ssh/u2f_keys.

No matter which way you choose, the files look the same and are set up like this:

<username1>:<KeyHandle1>,<UserKey1>,<Options1>:<KeyHandle2>,<UserKey2>,<Options2>:...
<username2>:<KeyHandle1>,<UserKey1>,<Options1>:<KeyHandle2>,<UserKey2>,<Options2>:...

The key handles (together with the matching user keys) are acquired using the following command:

pamu2fcfg -uusername -opam://myorigin -ipam://myappid

Now you can assign the keys to the user. Note that the origin and appid given to pamu2fcfg must match the origin= and appid= options passed to pam_u2f.so (without those options the module defaults to pam://<hostname>), otherwise the registered key will not be accepted.

For testing out the system, there’s no need to reboot or reload anything as PAM reads those files on the fly.
