I recently bought a YubiKey 5 NFC as my first USB security token. A security key can verify an account without a password or act as proof of user presence. I'm using my YubiKey for passwordless unlocking of 1Password and for two-factor authentication (2FA) on laptop login. 2FA means authenticating with a second method in addition to the first factor, which is commonly a password. This provides extra security if your password is leaked, breached, or guessed by a hacker[^1].
Universal 2nd Factor (U2F)
Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or NFC devices based on similar security technology found in smart cards. While initially developed by Google and Yubico, with contribution from NXP Semiconductors, the standard is now hosted by the FIDO Alliance. -- from arch wiki
The YubiKey team developed the pam_u2f module, open source at GitHub Yubico/pam-u2f. With pam_u2f we can configure U2F as a PAM authentication method on Linux. Although a YubiKey does far more than U2F authentication (OTP, OpenPGP, ...), this post focuses only on U2F.
Install it on Arch Linux:

```shell
pacman -S pam_u2f
```
Generate a key for the user (the output directory must exist before redirecting into it):

```shell
mkdir -p ~/.config/Yubico
pamu2fcfg -o pam://hostname -i pam://hostname > ~/.config/Yubico/u2f_keys
```
pam_u2f looks for the key file at `$XDG_CONFIG_HOME/Yubico/u2f_keys`; if `$XDG_CONFIG_HOME` is not set, `$HOME/.config/Yubico/u2f_keys` is used.
Before configuring PAM rules, be sure to back up the current settings and keep a console open that can still edit the PAM files. You may get locked out (since it's too secure) during the process. If this happens, plug your storage device into another computer and fix it there. Keep in mind that the order of the auth rules in a PAM config file matters.
Here's how to get passwordless sudo. Edit `/etc/pam.d/sudo` and add

```
auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname
```

before the existing `auth required` or similar password rule, so that a successful key tap is sufficient on its own and the password is only asked for as a fallback.
To unlock 1Password without a password, add the same line to
2nd Factor Authentication
For 2FA login to the GNOME desktop, edit `/etc/pam.d/gdm-password` and add

```
auth required pam_u2f.so cue nouserok origin=pam://hostname appid=pam://hostname
```

after the existing auth lines.
The `nouserok` flag lets users who don't have a security key (or whose `u2f_keys` file is not found at the expected path) still log in.
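Because a wrong rule order or a stray `nouserok` on a `sufficient` rule is exactly the kind of mistake you only discover after logging out, here is an added pre-flight audit to run from the console you keep open. It is example code written for this post, not from the post itself or from the pam_u2f project. It checks the two patterns above (the passwordless sudo/unlock rule, which must be `sufficient` and come before the password rule, and the gdm-password rule, which must be `required` and come after it), confirms the user has an entry in `u2f_keys`, and flags `nouserok` combined with `sufficient`, which would let any user without a registered key in with neither a second factor nor a password. The "password rule" pattern assumes Arch-style files that pull in `system-auth` or `pam_unix.so`; the sample files and key material are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from the pam_u2f project: a pre-flight
# audit of a pam_u2f setup, meant to be run before closing the root console.
# Assumes Arch-style PAM files where the password factor is "system-auth",
# "system-login" or pam_unix.so; extend the pattern for other distributions.

# has_u2f_key USER FILE: does FILE carry a registration line for USER?
# pamu2fcfg writes one line per user: <user>:<keyhandle>,<pubkey>,...
has_u2f_key() {
    grep -q "^$1:" "$2" 2>/dev/null
}

# auth_line_no FILE REGEX: line number of the first "auth" rule whose text
# matches REGEX (extended regex), or empty if there is none.
auth_line_no() {
    grep -n '^[[:space:]]*auth[[:space:]]' "$1" | grep -E -- "$2" | head -n 1 | cut -d: -f1
}

# audit_pam_service FILE MODE   (MODE is "sufficient" or "required")
#   sufficient: pam_u2f.so must precede the password rule (passwordless sudo/unlock)
#   required:   pam_u2f.so must follow the password rule (true 2FA login)
# Prints each finding and returns 0 only when the file passes every check.
audit_pam_service() {
    file=$1; mode=$2; rc=0
    u2f=$(auth_line_no "$file" 'pam_u2f\.so')
    pw=$(auth_line_no "$file" 'pam_unix\.so|system-auth|system-login')
    [ -n "$u2f" ] || { echo "$file: no auth rule for pam_u2f.so"; return 1; }
    [ -n "$pw" ]  || { echo "$file: no password rule found"; return 1; }
    rule=$(sed -n "${u2f}p" "$file")
    case "$mode" in
        sufficient)
            echo "$rule" | grep -q sufficient || { echo "$file: pam_u2f.so rule is not 'sufficient'"; rc=1; }
            [ "$u2f" -lt "$pw" ] || { echo "$file: pam_u2f.so must come before the password rule"; rc=1; }
            ;;
        required)
            echo "$rule" | grep -q required || { echo "$file: pam_u2f.so rule is not 'required'"; rc=1; }
            [ "$u2f" -gt "$pw" ] || { echo "$file: pam_u2f.so must come after the password rule"; rc=1; }
            ;;
        *) echo "unknown mode: $mode"; return 2 ;;
    esac
    # nouserok on a sufficient rule: users without a key skip BOTH factors
    if echo "$rule" | grep -q sufficient && echo "$rule" | grep -q nouserok; then
        echo "$file: 'nouserok' on a sufficient rule skips authentication for users without a key"
        rc=1
    fi
    return $rc
}

# write_samples: constructed sample files (placeholder key material, not a
# real registration) so the audit can be exercised offline; prints the dir.
write_samples() {
    dir=$(mktemp -d)
    echo 'alice:KEYHANDLE_PLACEHOLDER,PUBKEY_PLACEHOLDER,es256,+presence' > "$dir/u2f_keys"
    # passwordless sudo as in the post: key first, password fallback via system-auth
    printf '%s\n' 'auth sufficient pam_u2f.so cue origin=pam://hostname appid=pam://hostname' \
                  'auth include system-auth' 'account include system-auth' > "$dir/sudo-good"
    # wrong: rule placed after the password include, and nouserok on a sufficient rule
    printf '%s\n' 'auth include system-auth' \
                  'auth sufficient pam_u2f.so cue nouserok origin=pam://hostname appid=pam://hostname' > "$dir/sudo-bad"
    # 2FA login as in the post: password first, then the key is required
    printf '%s\n' 'auth include system-auth' \
                  'auth required pam_u2f.so cue nouserok origin=pam://hostname appid=pam://hostname' > "$dir/gdm-good"
    echo "$dir"
}

# Real use, after sourcing this file:
#   audit_pam_service /etc/pam.d/sudo sufficient
#   audit_pam_service /etc/pam.d/gdm-password required
#   has_u2f_key "$USER" "${XDG_CONFIG_HOME:-$HOME/.config}/Yubico/u2f_keys"
```

The ordering checks matter because PAM evaluates auth rules top to bottom: a `sufficient` rule only short-circuits the rules below it, and a `required` second factor placed above the password rule would be asked for before the first factor has been checked at all.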
OpenSSH has supported FIDO/U2F hardware tokens natively since 8.2. Both the client and the server must support the ecdsa-sk/ed25519-sk key types. Generate a security-key-backed key pair with:

- for an ECDSA key: `ssh-keygen -t ecdsa-sk`
- for an Ed25519 key: `ssh-keygen -t ed25519-sk`
-- from arch wiki
After generating the keys, copy the public key to `~/.ssh/authorized_keys` on the destination server. Note that ssh does not prompt you to tap the security key.
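As an added example (not from the post or from OpenSSH), here is a small audit of an `authorized_keys` file on the destination server. It reports which entries are backed by a security key (the `sk-ssh-ed25519@openssh.com` and `sk-ecdsa-sha2-nistp256@openssh.com` types that `ssh-keygen -t ed25519-sk` / `-t ecdsa-sk` produce) and which of those carry the `no-touch-required` authorized_keys option, which waives the user-presence check that the tap normally proves. The sample file and its key blobs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the post or from OpenSSH: classify authorized_keys
# entries by whether a security key (and its tap) stands behind each login.
# On an authorized_keys line, options (if any) are one comma-separated word
# that precedes the key type.

# classify_key LINE: prints sk-touch, sk-notouch, classic or skip
#   sk-touch    security-key type, user presence required (default)
#   sk-notouch  security-key type, but the no-touch-required option is set
#   classic     ordinary ssh-ed25519/ecdsa/rsa key, no hardware presence proof
#   skip        blank line or comment
classify_key() {
    line=$1
    case "$line" in
        ''|'#'*) echo skip; return ;;
    esac
    if printf '%s\n' "$line" | grep -qE '(^|[[:space:]])sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com[[:space:]]'; then
        if printf '%s\n' "$line" | grep -qE '(^|,)no-touch-required(,|[[:space:]])'; then
            echo sk-notouch
        else
            echo sk-touch
        fi
    else
        echo classic
    fi
}

# count_kind FILE KIND: number of lines in FILE that classify as KIND
count_kind() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$(classify_key "$line")" = "$2" ]; then n=$((n + 1)); fi
    done < "$1"
    echo "$n"
}

# report FILE: one line per key entry (class and trailing comment);
# returns 1 if any entry is not a security key with the touch check intact
report() {
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        kind=$(classify_key "$line")
        [ "$kind" = skip ] && continue
        printf '%s\t%s\n' "$kind" "${line##* }"
        [ "$kind" = sk-touch ] || rc=1
    done < "$1"
    return $rc
}

# write_sample: constructed authorized_keys (placeholder blobs, not real keys)
write_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not real keys
sk-ssh-ed25519@openssh.com AAAA_PLACEHOLDER_ED25519_SK alice@laptop
no-touch-required,from="10.0.0.0/8" sk-ecdsa-sha2-nistp256@openssh.com AAAA_PLACEHOLDER_ECDSA_SK ci-runner
ssh-ed25519 AAAA_PLACEHOLDER_ED25519 old-laptop
EOF
    echo "$f"
}

# Real use, after sourcing this file:  report ~/.ssh/authorized_keys
```

A `classic` entry means that particular login still works with nothing but the private key file, so the security key adds no protection for it; an `sk-notouch` entry keeps the key on the hardware but no longer proves a human was present. The server side can also insist on the presence check for FIDO keys through `PubkeyAuthOptions touch-required` in `sshd_config` (OpenSSH 8.2 and later).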
Some distributions that use SELinux may have trouble reading the credential file. 2FA will then be denied, or bypassed if the `nouserok` flag is set.
Check out details at https://access.redhat.com/security/cve/CVE-2020-24612
Unfortunately, they rolled out the new YubiKey Bio series a week after I bought this one. I'm guessing the YubiKey Bio will work with the authentication method mentioned above, as the current module already has a `userverification` flag. As a fallback, I tested with `pinverification=1` and the prompt correctly asked for the PIN code. Still, it would be disappointing if fingerprint verification doesn't work, since we can achieve the same level of security with PIN verification and a "normal" YubiKey.
A drawback of the YubiKey Bio is that it does not provide NFC, which I guess is understandable because of power and stuff (or maybe they could provide one in the future?). Thus we cannot use it with the various mobile devices that are not compatible with USB-A/USB-C. This drawback is negligible for me since I only use it with a laptop/PC now. Waiting for more details from the webinar at 10 a.m. PT on Mon. Oct. 18.
Might buy one if this gets a discount at Black Friday Sale.
I don't have one.
Solo key is an open source implementation of a security key following the FIDO standard. It should work fine with the U2F PAM module, and it is much cheaper than Google Titan and YubiKeys.
[^1]: Recent Twitch incident (https://blog.twitch.tv/en/2021/10/06/updates-on-the-twitch-security-incident/)