Yubikey
2FA or passwordless login on Ubuntu
You can use Yubikeys for passwordless logins or as a second factor. The steps to set this up are nearly identical, the differences will be pointed out.
If you do something wrong here, you might lock yourself out of your user account, so be careful, make sure you understand the instructions, follow them carefully and if possible test it on a machine, that you can afford to lose (or at least reinstall/reset to some backup, e.g. a VM) beforehand. Also, things might change between versions, so also check against the linked sources, which I used to set it up.
These are my sources:
- Ubuntu Linux Login Guide - U2F with their linked subpages:
- AskUbuntu to make it passwordless instead of 2FA
But why am I writing this, if you should check my sources? Well, these sources didn’t work out the way I wanted them to, so I had to combine them. Also, I am documenting for myself what I did, in case I want to revert this later.
First, follow 1a to add the PPA. I followed the Using Yubico’s PPA (Ubuntu and derivatives), which you can find if you scroll a little bit down on the page. So, you run:
add-apt-repository ppa:yubico/stable && sudo apt-get update
Afterwards, according to 1b, you run
dpkg -s libu2f-udev
to check, if libu2f-udev
is installed. For me, it was already installed, but if its not, run:
sudo apt install libu2f-udev
Then, add the content of https://github.com/Yubico/libfido2/blob/main/udev/70-u2f.rules to /etc/udev/rules.d/70-u2f.rules
.
Run
sudo udevadm --version
to make sure your udevadm version is greater than 188, otherwise follow the instructions listed on page 1b. If everything looks good, save the file and reboot your system. This will not cause any problem and you can login as before, as there is no yubikey requirement set up yet.
After the reboot, open a terminal and install
sudo apt-get install libpam-u2f
Afterwards, create a directory for your stored keys
mkdir -p ~/.config/Yubico
Then run
pamu2fcfg > ~/.config/Yubico/u2f_keys
to link your Yubikey. You might have to enter your PIN if you set one. When its light starts blinking, tap on the metal button. Now you loaded your Yubikey. To link additional keys, which is especially useful for backup keys if you use this as 2FA (if you only have one key linked and you lose it, you are locked out of your account), run:
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
Note, that this uses double >
instead of single ones, to append the input instead of replacing it.
If your key begins flashing or asks for a PIN, enter it as you’ve done before.
You can also repeat this step multiple times, if you have more keys.
The official documentation (1) also explained how you can move this file into a safer location (which is only editable by root), which I didn’t do.
Now starts the important part, where you need to make sure to not do something stupid, and for desktop computers, you should ensure reliable power.
Here, we need to decide between
- passwordless, which allows you to log in using only one method, using either your yubikey or your password is sufficient
- 2FA, which always requires your password and the yubikey
Both have their downsides, which I’m not going to elaborate further on here.
If you decide for passwordless, replace required
with sufficient
in the auth required pam_u2f.so
line.
You can also use a mixed version, e.g. using passwordless login for the user account but 2FA for sudo.
We start by editing /etc/pam.d/sudo
.
Thats where I did deviate from the official documentation, as mentioned here (an answer of [2]).
Right before the line @include common-auth
, add (but do not quit your editor yet)
auth required pam_u2f.so
or
auth sufficient pam_u2f.so
depending if you want to use passwordless or 2FA.
The difference to the official documentation is, that it states to put this line after @include common-auth
, which didn’t work for me.
Save the file but keep the editor open, the change will be active directly.
Open a second terminal and run sudo echo test
, to test if your configuration works.
For 2FA, the expected behavior is to ask for your password, submitting it with enter and then requiring you to tap on your yubikey (you will not be prompted, but the key will blink). For passwordless, the expected behavior is to just requiring you to tap your yubikey if it is plugged in, not asking for your password at all, and asking for your password if the yubikey is not plugged in. Remember that sudo sessions might be open for some time, so make sure to test both if you go passwordless and test them each in their own shell session, to not be fooled by “open” sudo sessions.
If everything works, you can continue and close the editor.
In the next step, we will do the same with /etc/pam.d/gdm-password
on Ubuntu 17.10 or never, or /etc/pam.d/lightdm
on Ubuntu 17.04 or older.
This is the change for your user login, so
- do not do this if the step before did not work
- this is the point, where you might want to go a different way if you want to go passwordless for your user login but 2FA for sudo.
As this is basically the same step (add the auth sufficient/required pam_u2f.so
line before @include common-auth
), I will not cover this in detail again.
Afterwards, you can lock your account and test the change, again, this should take immediate effect.
And thats it!