I recently got myself a Yubikey 5 NFC for Multi Factor Authentication. I’ve started using it for my SSH keys and also, instead of typing my password when sudoing, I just touch the hardware key.
To set this up in Ubuntu, do the following:
WARNING: while setting this up, keep a second terminal open with root privileges, otherwise you can lock yourself out.
1. Install required packages
sudo apt-get install libpam-u2f pamu2fcfg
2. Check your hostname and remember it for later
hostname
3. Setup /etc/u2f_mappings
Log in as the user for whom you want to register the token.
Run this command and then touch your Yubikey to generate the mapping line.
pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`
Output should look like:
username:looooongstringforyubikey1
Repeat this for every Yubikey you want and then combine these lines into one single line per user.
username1:looooongstringforyubikey1:looooongstringforyubikey2
username2:looooongstringforyubikey1:looooongstringforyubikey2
Create the file, paste the results and then save the file.
sudo nano /etc/u2f_mappings
4. Setup /etc/sudoers (optional)
This sets the sudo credential cache timeout to 0 seconds, so you have to authenticate every time you use the sudo command.
sudo visudo
Append “timestamp_timeout=0” to the Defaults env_reset line, like this, and save the file.
Defaults env_reset,timestamp_timeout=0
5. Setup /etc/pam.d/sudo
There are three different scenarios you can use.
A. If you want the Yubikey AND the password.
B. If you want only the Yubikey.
C. If you want only the Yubikey, but fall back to the password if the Yubikey fails or is not connected.
sudo nano /etc/pam.d/sudo
At the top of the file, just below #%PAM-1.0, add the line for the method you prefer, all on one line. Replace both $HOSTNAME with the hostname you got in step 2, then save the file.
A = auth required pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
B = auth [success=done new_authtok_reqd=done default=die] pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
C = auth sufficient pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
The most secure alternative is of course to implement step 4 in combination with alternative A. Make sure to test all of your Yubikeys (from the root terminal you kept open) so you don’t end up getting locked out.
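As an added example (not from the original post), the following POSIX shell script does the two mechanical parts of steps 3 and 5 offline: it merges the one-line-per-key output of pamu2fcfg into the one-line-per-user format that /etc/u2f_mappings expects, and it checks that a pam_u2f line names the same hostname in both origin= and appid=, so an unreplaced $HOSTNAME or a typo in one of them is caught before you touch /etc/pam.d/sudo. The user names, key strings and the hostname myhost are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post. The key strings below are
# constructed placeholders standing in for what pamu2fcfg prints per key.
SAMPLE_KEYS='alice:keyhandleA1,pubkeyA1
alice:keyhandleA2,pubkeyA2
bob:keyhandleB1,pubkeyB1'

# merge_u2f_mappings: read "user:key" lines on stdin (one per registered key)
# and print one "user:key1:key2:..." line per user, in order of first appearance.
# This is the format /etc/u2f_mappings expects (step 3).
merge_u2f_mappings() {
    awk -F: '
        {
            user = $1
            key = substr($0, length(user) + 2)   # everything after "user:"
            if (!(user in keys)) { order[++n] = user; keys[user] = key }
            else keys[user] = keys[user] ":" key
        }
        END { for (i = 1; i <= n; i++) print order[i] ":" keys[order[i]] }
    '
}

# check_pam_u2f_line LINE HOST: succeed only if LINE loads pam_u2f.so with both
# origin=pam://HOST and appid=pam://HOST, i.e. the $HOSTNAME placeholders from
# step 5 were really replaced and agree with the host used for pamu2fcfg.
check_pam_u2f_line() {
    line="$1 "   # trailing space so an option at the end of the line also matches
    host=$2
    case "$line" in *" pam_u2f.so "*) ;; *) return 1 ;; esac
    case "$line" in *" origin=pam://$host "*) ;; *) return 1 ;; esac
    case "$line" in *" appid=pam://$host "*) ;; *) return 1 ;; esac
    return 0
}

# Stand-alone demonstration: print the merged mapping file content.
printf '%s\n' "$SAMPLE_KEYS" | merge_u2f_mappings
```

In practice you would feed merge_u2f_mappings the collected pamu2fcfg output (one run per key) instead of SAMPLE_KEYS, and run check_pam_u2f_line against the exact line you intend to paste, with the hostname from step 2 as the second argument.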