Using Yubikey with PAM module


I just recently bought a YubiKey 5 NFC as my first USB security token. This security key can verify accounts without passwords or act as proof of user presence. I'm using my YubiKey for password-less unlocking of 1Password and for two-factor authentication (2FA) on laptop login. 2FA means authenticating with a second method in addition to the first factor, which is commonly a password. This provides extra security if your password is leaked, breached, or guessed by a hacker[^1].

Universal 2nd Factor (U2F)

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance. -- from arch wiki

The YubiKey team developed the pam_u2f module, which is open source at GitHub Yubico/pam-u2f. With pam_u2f, we can easily configure authentication methods for Linux. Although a YubiKey does far more than U2F authentication (OTP, OpenPGP, ...), this post will only focus on U2F.

Install it on Arch Linux:

pacman -S pam_u2f

Generate a key for the user:

mkdir ~/.config/Yubico
pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys

pam_u2f looks for the key file at $XDG_CONFIG_HOME/Yubico/u2f_keys. If $XDG_CONFIG_HOME is not set, $HOME/.config/Yubico/u2f_keys is used.

Important

Before configuring PAM rules, be sure to back up the current settings and keep a console open that already has edit privileges for the PAM files. You may get locked out (since it's too secure) during the process. If this happens, plug your storage device into another computer and fix it there. Keep in mind that the order of the auth rules in a PAM config matters.

Passwordless Authentication

Here's how to make sudo passwordless:

Open /etc/pam.d/sudo and add

auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://hostname

before any auth required or auth include line. Because the control is sufficient, a successful touch satisfies authentication and the remaining auth rules are skipped, while a failed check falls through to the following rules (normally the password prompt).

To unlock 1Password without a password, add the same line to /etc/pam.d/polkit-1.
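As an added check (not from the original post), here is a small shell function that verifies the pam_u2f line sits before the first auth required/include line, run on two constructed copies of /etc/pam.d/sudo. It assumes the included stack is named system-auth, treats requisite and substack the same as required, and does not parse bracketed [...] control values.

```shell
# Return 0 when an "auth sufficient pam_u2f.so" line exists in the given
# PAM service file and precedes every other auth line whose control is
# required/requisite/include/substack; return 1 otherwise.
# Limitation (assumption): bracketed control values like [success=1 ...]
# are not recognised and are ignored.
pam_u2f_order_ok() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments, blanks
        $1 != "auth" && $1 != "-auth" { next }       # only the auth stack
        $3 ~ /pam_u2f\.so$/ && $2 == "sufficient" { if (!u2f) u2f = NR; next }
        $2 ~ /^(required|requisite|include|substack)$/ { if (!other) other = NR }
        END { ok = (u2f && (!other || u2f < other)); exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files (not real system files).
TMPDIR_U2F=$(mktemp -d)
trap 'rm -rf "$TMPDIR_U2F"' EXIT
GOOD_SUDO="$TMPDIR_U2F/sudo.good"
BAD_SUDO="$TMPDIR_U2F/sudo.bad"

# pam_u2f before the include: a touch alone satisfies sudo.
cat > "$GOOD_SUDO" <<'EOF'
#%PAM-1.0
auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://hostname
auth    include       system-auth
account include       system-auth
session include       system-auth
EOF

# pam_u2f after the include: the password stack runs first, so the
# token never makes sudo passwordless.
cat > "$BAD_SUDO" <<'EOF'
#%PAM-1.0
auth    include       system-auth
auth    sufficient    pam_u2f.so cue origin=pam://hostname appid=pam://hostname
account include       system-auth
session include       system-auth
EOF

for f in "$GOOD_SUDO" "$BAD_SUDO"; do
    if pam_u2f_order_ok "$f"; then echo "OK:          $f"; else echo "WRONG ORDER: $f"; fi
done
```

After editing, run pam_u2f_order_ok /etc/pam.d/sudo (or polkit-1) to confirm the placement before closing your spare console.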

2nd Factor Authentication

2FA login to the GNOME desktop:

Open /etc/pam.d/gdm-password and add

auth    required        pam_u2f.so cue nouserok origin=pam://hostname appid=pam://hostname

after the existing auth lines. The nouserok flag lets users who don't have a security key (or for whom no u2f_keys file is found at the expected path) log in without it. Because the control is required, a user who does have a key file but fails the touch is denied even when the password was correct.

OpenSSH 8.2

OpenSSH supports FIDO/U2F hardware tokens natively since 8.2. Both the client and server must support the ecdsa-sk/ed25519-sk key types. Generate a security key backed key pair with:

  • for ECDSA key ssh-keygen -t ecdsa-sk
  • for Ed25519 key ssh-keygen -t ed25519-sk

-- from arch wiki

After generating the keys, copy the public key to ~/.ssh/authorized_keys on the destination server. Do notice that ssh does not prompt you to tap the security key.

SELinux

Some distributions that use SELinux may run into trouble when pam_u2f accesses the credential files. The second factor will then be denied, or bypassed if the nouserok flag is set.

Details are at https://access.redhat.com/security/cve/CVE-2020-24612

More Products

YubiKey Bio

Unfortunately, they rolled out the new YubiKey Bio series a week after I bought this one. I'm guessing the YubiKey Bio will work with the authentication method mentioned above, as the current module contains a userverification flag. If this doesn't work, I tested with pinverification=1 and the user interface prompted me to input the PIN code correctly. However, it would be disappointing if fingerprint verification doesn't work, since we can achieve the same level of security with PIN verification and a "normal" YubiKey.

A drawback of using the YubiKey Bio is that it does not provide NFC, which I guess is understandable because of power and stuff (or maybe they could provide one in the future?). Thus we cannot use it with the various mobile devices that are not compatible with USB-A/USB-C. This drawback is negligible since I only use it with my laptop/PC now. Waiting for more details from the webinar at 10 a.m. PT on Mon. Oct. 18.

Might buy one if it gets a discount at the Black Friday sale.

Google Titan

I don't have one.

Solo Key

Solo Key is an open source implementation of a FIDO-standard security key. It should work fine with the U2F PAM module, and it is much cheaper than Google Titan and YubiKeys.

[^1]: Recent Twitch incident (https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident/)