Passwordless login with Yubikey 5 NFC
Solution 1:
You're right to be worried about locking yourself out. If your home directory is encrypted and you keep a Two-Factor Authentication authorization mapping file there, you will not be able to log in! That's why I always use a central authfile (/etc/u2f_mappings).
I suggest creating a second account while testing so you don't lock yourself out of your main account. Also, be sure to get a second 2FA key and register it as a backup in case you lose the first one.
How to enable passwordless login
Although you should be careful, the process is easy and straightforward. To make it even easier, I've written this so you can simply cut and paste the following commands into a terminal:
- sudo apt install libpam-u2f
- pamu2fcfg | sudo tee /etc/u2f_mappings
  (At this point, press the button. You should see a long string of numbers. If you don't, make sure you have udev set up correctly.)
- sudo -i
- cd /etc/pam.d
- echo 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' > common-u2f
- for f in gdm-password lightdm sudo login; do
      mv $f $f~
      awk '/@include common-auth/ {print "@include common-u2f"}; {print}' $f~ > $f
  done
- exit
Notes
- When logging in, you'll be prompted to touch your device if it is detected. Otherwise, you'll be asked to type in a password.
- We use the term "sufficient" above so that either the password or the U2F key is sufficient to log in (as requested in the question). For a more typical Two-factor Authentication login, "sufficient" would be replaced by the word "required" so that both would always be needed.
- The u2f line in the pam.d files must come before @include common-auth, otherwise you'll be required to type in a password before the U2F key is checked.
- I would be remiss if I didn't point out that using a "2FA" key in this way, while convenient, does not increase your security. In fact, you've only opened a second way to get into your account. But, that's not necessarily bad; not everybody needs high security, and a dongle like this can save you from having an easy-to-type, short, and vulnerable password.
And so much more!
By the way, these instructions aren't just for devices from Yubico. I'm using a key from Solokeys and it works great. Additionally, the setup works for both USB and NFC keys.
If you need more information, Yubico's instructions — as mentioned in the original question — are fairly informative. Also, see the man pages for pam_u2f and pamu2fcfg.
Solution 2:
Here is my approach:
To enable a passwordless sudo with the yubikey do the following:
- Open Terminal.
- Insert your U2F Key.
- Run:
      mkdir -p ~/.config/Yubico
- Run:
      pamu2fcfg > ~/.config/Yubico/u2f_keys
- When your device begins flashing, touch the metal contact to confirm the association.
Now configure sudo to use the key when available (password otherwise) by editing the following file:
    sudo nano /etc/pam.d/sudo
Add the auth line before the @include:
    auth sufficient pam_u2f.so
    @include common-auth
To use the yubikey as a second factor in addition to your password, edit /etc/pam.d/sudo in the following way:
    @include common-auth
    auth required pam_u2f.so
Where the auth line is after the @include.
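Solution 1 and Solution 2 both hinge on ordering: the pam_u2f rule (or the @include common-u2f that carries it) must precede @include common-auth, and "sufficient" versus "required" decides whether the key replaces or supplements the password. The script below is an added example, not code from either answer, from Yubico or from libpam-u2f. It assumes Debian/Ubuntu-style pam.d files that use @include lines, and the function names add_u2f_include and pam_u2f_order are my own. add_u2f_include does what Solution 1's loop does but skips a file that already contains the include, so rerunning it does not insert a second @include line; pam_u2f_order reports whether the U2F rule comes before common-auth and with which control flag, so a misordered file (as in Solution 2's second-factor variant, where "after" is the intended result) is easy to spot.

```shell
#!/bin/sh
# Added example: helpers for checking and patching pam.d files for pam_u2f.
# Function names (add_u2f_include, pam_u2f_order) are assumptions, not tools
# shipped with libpam-u2f. Run as root when pointing it at /etc/pam.d/*.

# Insert "@include common-u2f" immediately before "@include common-auth",
# keeping a backup in FILE~, but only if the include is not already present
# (Solution 1's loop would add a duplicate line on every run).
add_u2f_include() {
    f=$1
    if grep -q '@include[[:space:]]*common-u2f' "$f"; then
        return 0
    fi
    cp -p "$f" "$f~"
    awk '/@include[[:space:]]+common-auth/ {print "@include common-u2f"} {print}' "$f~" > "$f"
}

# Report where the U2F rule sits relative to common-auth in one pam.d file.
# Prints "before-<control>" (before-sufficient, before-required, or
# before-include when the rule lives in common-u2f), "after", or "missing".
# Returns 0 only when the U2F rule is consulted before common-auth.
pam_u2f_order() {
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comments
        /@include[[:space:]]+common-auth/ && !seen_auth { seen_auth = NR }
        /@include[[:space:]]+common-u2f/  && !seen_u2f  { seen_u2f = NR; control = "include" }
        /pam_u2f\.so/                    && !seen_u2f  { seen_u2f = NR; control = $2 }
        END {
            if (!seen_u2f)                         { print "missing"; exit 1 }
            if (seen_auth && seen_u2f > seen_auth) { print "after";   exit 1 }
            print "before-" control
        }' "$1"
}

# Usage: sh this_script.sh /etc/pam.d/sudo /etc/pam.d/login
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(pam_u2f_order "$f")"
done
```

Run it over the same services Solution 1 patches (gdm-password, lightdm, sudo, login) after editing; every file that should offer key-or-password login must report before-sufficient or before-include, and any "after" means the password prompt will come first.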
Solution 3:
I know that this has been here for a while but I wanted to chime in here to make sure that this is complete. So that if someone else comes along they know how to get it working.
I do want to say that is awesome and I've been looking for this for a while and came across this a few days ago and haven't seen a way to do this besides this one. I'm sure that it's out there.
The one thing that I believe was missed is... pamu2fcfg outputs to the file /etc/u2f_mappings via pamu2fcfg | tee /etc/u2f_mappings under the current user, which in this case is root. If you are attempting to use it for another user besides root it won't work.
The file would need to be updated to reflect the correct username in that case.
    sudo nano /etc/u2f_mappings
Change root in the line to the desired username. So from something like root:xxxxxxx..... to USERNAMEHERE:xxxxxxxx..... or whatever the username is going to be.
OR
Another, probably better, way to approach it is to change
    pamu2fcfg | tee /etc/u2f_mappings
to
    pamu2fcfg -u USERNAME | tee /etc/u2f_mappings
or change it to
    pamu2fcfg -u USERNAME >> /etc/u2f_mappings
where USERNAME is the name of the user who is going to be using it. With the >> it creates or appends to the end of the file, which allows for multiple users.
I'm going to pull the majority of this over and a few other items from other pages and drop it into git so that I don't lose this in the abyss that is the internet. It's not fully set up but here's the link https://github.com/vanderblugen/yubico_password_less_ubuntu. If I can tag you in there shoot me a message and I will do that.
This part took me a while. Each user in the file should be on its own line. If multiple keys for a single user, put a : between each of the keys.
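The rules in this answer (one line per user, the username first, extra keys for the same user separated by ":") are easy to get wrong by hand, and a line that still says "root" because pamu2fcfg was run under sudo -i silently locks the real user out of key login. The shell script below is an added example for checking an authfile before relying on it; it is not from this answer, from libpam-u2f or from the linked repository. It assumes the layout pamu2fcfg writes, username:keyhandle,publickey with further keys after additional colons (newer pamu2fcfg versions append a COSE type and an options field after the public key; the check only insists on the first two), the sample lines in the usage are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example: sanity-check a pam_u2f authfile such as /etc/u2f_mappings.
# Expected line layout (as written by pamu2fcfg):
#   username:keyhandle,publickey[,cosetype,options][:keyhandle,publickey...]
# Function names (check_u2f_mappings, u2f_key_count, warn_unknown_users)
# are assumptions for this example, not part of libpam-u2f.

# Print one message per problem and return 1 if any line is malformed:
# empty username, a user spread over two lines, or a key entry that lacks
# a key handle or a public key.
check_u2f_mappings() {
    awk -F: '
        /^[[:space:]]*$/ { next }
        {
            if (NF < 2 || $1 == "") {
                printf "line %d: expected username:keyhandle,publickey\n", NR; bad++; next
            }
            if (seen[$1]++) {
                printf "line %d: user %s already has a line; put all keys on one line\n", NR, $1; bad++
            }
            for (i = 2; i <= NF; i++) {
                n = split($i, part, ",")
                if (n < 2 || part[1] == "" || part[2] == "") {
                    printf "line %d: key %d for %s lacks a handle or public key\n", NR, i - 1, $1; bad++
                }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Print how many keys are registered for USER (0 if the user has no line).
u2f_key_count() {
    awk -F: -v u="$2" '$1 == u { n = NF - 1 } END { print n + 0 }' "$1"
}

# Warn about usernames that are not local accounts, e.g. a leftover "root"
# line from running pamu2fcfg under sudo -i. Warning only; always returns 0.
warn_unknown_users() {
    cut -d: -f1 "$1" | while read -r u; do
        if [ -n "$u" ] && ! getent passwd "$u" >/dev/null; then
            printf 'warning: no local account named %s\n' "$u"
        fi
    done
    return 0
}

# Usage: sh this_script.sh /etc/u2f_mappings
# With a constructed file containing
#   alice:KH1,PK1,es256,+presence:KH2,PK2,es256,+presence
#   bob:KH3,PK3
# the check passes, u2f_key_count reports 2 keys for alice and 1 for bob.
if [ -n "$1" ]; then
    check_u2f_mappings "$1" && warn_unknown_users "$1" && echo "$1: looks well-formed"
fi
```

Running the check after every pamu2fcfg -u USERNAME >> /etc/u2f_mappings catches the two mistakes the answer describes (a wrong username and a user split across lines) before the next logout, and u2f_key_count confirms that the backup key Solution 1 recommends actually landed on the same line as the first one.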