Passwordless login with Yubikey 5 NFC

login 19.04 yubikey

Solution 1:

You're right to be worried about locking yourself out. If your home directory is encrypted and you keep a Two-Factor Authentication authorization mapping file there, you will not be able to log in! That's why I always use a central authfile (/etc/u2f_mappings).

I suggest creating a second account while testing so you don't lock yourself out of your main account. Also, be sure to get a second 2FA key and register it as a backup in case you lose the first one.

How to enable passwordless login

Although you should be careful, the process is easy and straightforward. To make it even easier, I've written this so you can simply cut and paste the following commands into a terminal:

  1. sudo apt install libpam-u2f

  2. pamu2fcfg | sudo tee /etc/u2f_mappings

    # (At this point, press the button. You should see a long string of numbers. If you don't, make sure you have udev setup correctly.)

  3. sudo -i

  4. cd /etc/pam.d

  5. echo 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' > common-u2f

  6. for f in gdm-password lightdm sudo login; do

    mv $f $f~

    awk '/@include common-auth/ {print "@include common-u2f"}; {print}' $f~ > $f

    done

  7. exit

Notes

  • When logging in, you'll be prompted to touch your device if it is detected Otherwise, you'll be asked to type in a password.

  • We use the term "sufficient" above so that either the password or the U2F key are sufficient to login (as requested in the question). For a more typical Two-factor Authentication login, "sufficient" would be replaced by the word "required" so that both would always be needed.

  • The u2f line in the pam.d files must come before @include common-auth, otherwise you'll be required to type in a password before the U2F key is checked.

  • I would be remiss if I didn't point out that using a "2FA" key in this way, while convenient, does not increase your security. In fact, you've only opened a second way to get into your account. But, that's not necessarily bad; not everybody needs high-security and a dongle like this can save you from having an easy to type, short, and vulnerable password.

And so much more!

By the way, these instructions aren't just for devices from Yubico. I'm using a key from Solokeys and it works great. Additionally, the setup works for both USB and NFC keys.

If you need more information, Yubico's instructions — as mentioned in the original question — are fairly informative. Also, see the man pages for pam_u2f and pamu2fcfg.

Solution 2:

Here is my approach:

To enable a passwordless sudo with the yubikey do the following

  • Open Terminal.
  • Insert your U2F Key.
  • Run: mkdir -p ~/.config/Yubico
  • Run: pamu2fcfg > ~/.config/Yubico/u2f_keys
  • When your device begins flashing, touch the metal contact to confirm the association.

Now configure sudo to use the key when available (password otherwise) by editing the following file

sudo nano /etc/pam.d/sudo

Add the auth line before the @include

auth sufficient pam_u2f.so
@include common-auth

To use the yubikey as a second factor additionally to your password edit /etc/pam.d/sudo in the following way

@include common-auth
auth       required   pam_u2f.so

Where the auth line is after the @include

Solution 3:

I know that this has been here for a while but I wanted to chime in here to make sure that this is complete. So that if someone else comes along they know how to get it working.

I do want to say that is awesome and I've been looking for this for a while and came across this a few days ago and haven't seen a way to do this besides this one. I'm sure that it's out there.

The one thing that I believe was missed is...

pamu2fcfg outputs to the file /etc/u2f_mappings via pamu2fcfg | tee /etc/u2f_mappings under the current user, which in this case is root. If you are attempting to use it for another user besides root it won't work.

The file would need to be updated to reflect the correct username in that case.

sudo nano /etc/u2f_mappings

Change root in the line to the desired username.

So from something like root:xxxxxxx..... to USERNAMEHERE:xxxxxxxx..... or whatever the username is going to be.

OR

Another way, probably better way, to approach it is to

change pamu2fcfg | tee /etc/u2f_mappings

to

pamu2fcfg -u USERNAME | tee /etc/u2f_mappings

or change it to

pamu2fcfg -u USERNAME >> /etc/u2f_mappings

where USERNAME is the name of the user who is going to be using it. With the >> it creates or appends to the end of the file which allows for multiple users.

I'm going to pull the majority of this over and a few other items from other pages and drop it into git so that I don't loose this in the abyss that is the internet. It's not fully setup but here's the link https://github.com/vanderblugen/yubico_password_less_ubuntu. If I can tag you in there shoot me a message and I will do that.

This part took me a while. Each user in the file should be on it's own line. If multiple keys for a single user put a : between each of the keys.

Related

Errors in dmesg - Test WP failed, assume Write Enabled [duplicate]
How to get copy.com notification icon on Unity on Trusty to work?
Can't find LVM root dropped back to initramfs
How do I set up the iPhone USB Ethernet Driver?
Identify duplicate lines in a file without deleting them?
How can I enable the SNA acceleration method for Intel cards, under Ubuntu 12.04 - 12.10?
How to turn off nvidia (hybrid graphics)
How to read only 5 last line of the text file in PHP?
How to set eclipse console locale/language
ImageView rounded corners [duplicate]
App rejected because of "Missing Push Notification Entitlement"
ASP.NET MVC and Ajax, concurrent requests?