
Use Yubikey for sudo authentication

I recently got myself a Yubikey 5 NFC for multi-factor authentication. I’ve started using it for my SSH keys and also, instead of typing my password when sudoing, I just touch the hardware key.

To set this up in Ubuntu, do the following:

WARNING: keep a second terminal with a root shell open (for example `sudo -i`) for the whole procedure and do not close it until you have verified that sudo still works from a fresh terminal. A typo in the PAM configuration can otherwise lock you out of sudo completely.

1. Install required packages
sudo apt-get install libpam-u2f pamu2fcfg

2. Check your hostname and remember it for later. The same string is used as the U2F origin and appid both when registering the key (step 3) and when authenticating (step 5); the two must match exactly, and registrations stop verifying if the hostname is changed later.
hostname

3. Setup /etc/u2f_mappings
Log in as the user whose Yubikey you want to enrol.
Run this command and then touch your Yubikey when it blinks to generate the registration.

pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`

Output should be one line of the form username:looooongstringforyubikey1, where the long string is the key handle and public key separated by a comma.

Repeat this for every Yubikey you want to enrol, then combine the registrations into one single line per user, separated by colons:
username1:looooongstringforyubikey1:looooongstringforyubikey2
username2:looooongstringforyubikey1:looooongstringforyubikey2

Create the file, paste the results and save the file. The file must be owned by root and not writable by anyone else (e.g. mode 0644); pam_u2f reads it as root during sudo, so a user who can write it could enrol their own key for any account.
sudo nano /etc/u2f_mappings

4. Setup /etc/sudoers (optional)
This makes the cached sudo credentials expire immediately, so you have to authenticate every time you use the sudo command instead of only once every 15 minutes (the Ubuntu default).

sudo visudo

Append “timestamp_timeout=0” to the Defaults env_reset row, like this, and save the file.

Defaults    env_reset,timestamp_timeout=0


5. Setup /etc/pam.d/sudo
There are three different scenarios you can use.

A. If you want the Yubikey AND the password.
B. If you want only the Yubikey.
C. If you want only the Yubikey but fall back to the password if the Yubikey fails or is not connected.

sudo nano /etc/pam.d/sudo

At the top of the file, just below #%PAM-1.0 and above the @include common-auth line, add the line for the method you prefer. Everything goes on one line. Replace both occurrences of $HOSTNAME with the actual hostname you got in step 2, then save the file.

A = auth required pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

B = auth [success=done new_authtok_reqd=done default=die] pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

C = auth sufficient pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

The most secure alternative is of course to implement step 4 in combination with alternative A. Note that alternative B fails closed: if the key is missing, the hostname does not match, or the mappings file is wrong, sudo fails without ever asking for a password. Before closing the root shell from the warning above, run sudo -k in a fresh terminal to drop any cached credentials and test every one of your Yubikeys so you don’t end up getting locked out.
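The two error-prone parts of steps 3 and 5 are merging several pamu2fcfg output lines into one mapping line per user and getting the PAM control field right for the chosen scenario. The helpers below are an added example, not code from the original post or from pam_u2f: merge_mappings combines pamu2fcfg output (format assumed to be user:keyhandle,publickey per line), check_mappings rejects a mappings file with a malformed line, and pam_line prints the /etc/pam.d/sudo line for scenario A, B or C. The demo at the end uses constructed registrations, not real key material.

```shell
#!/bin/sh
# Added example (not part of the original post): helpers for building
# /etc/u2f_mappings and the /etc/pam.d/sudo line described in steps 3 and 5.
# Assumes pamu2fcfg prints one "user:keyhandle,publickey" line per touch.

# merge_mappings: read "user:registration" lines on stdin (one per key, as
# printed by pamu2fcfg) and emit one "user:reg1:reg2..." line per user, in
# first-seen order. Blank lines are skipped.
merge_mappings() {
    awk -F: 'NF >= 2 && $1 != "" {
        user = $1
        reg = substr($0, length(user) + 2)   # everything after the first ":"
        if (!(user in line)) { order[++n] = user; line[user] = user }
        line[user] = line[user] ":" reg
    }
    END { for (i = 1; i <= n; i++) print line[order[i]] }'
}

# check_mappings FILE: return 0 if every non-blank line is
# "user:keyhandle,publickey[:keyhandle,publickey...]", otherwise report the
# first bad line on stderr and return 1. Run this before editing pam.d/sudo.
check_mappings() {
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*$/ { next }
        NF < 2 || $1 == "" {
            print FILENAME ":" NR ": missing user or registration" > "/dev/stderr"
            bad = 1; exit
        }
        {
            for (i = 2; i <= NF; i++)
                if ($i !~ /,/) {
                    print FILENAME ":" NR ": registration " i-1 " is not keyhandle,publickey" > "/dev/stderr"
                    bad = 1; exit
                }
        }
        END { exit bad }
    ' "$1"
}

# pam_line MODE HOSTNAME: print the auth line for /etc/pam.d/sudo.
#   A = Yubikey AND password   (required: failure is remembered, stack continues)
#   B = Yubikey only           (default=die: failure ends the stack, no password)
#   C = Yubikey, else password (sufficient: success skips the rest, failure falls through)
pam_line() {
    mode=$1
    host=$2
    case "$mode" in
        A) control="required" ;;
        B) control="[success=done new_authtok_reqd=done default=die]" ;;
        C) control="sufficient" ;;
        *) echo "pam_line: unknown mode '$mode' (use A, B or C)" >&2; return 1 ;;
    esac
    printf 'auth %s pam_u2f.so origin=pam://%s appid=pam://%s authfile=/etc/u2f_mappings cue\n' \
        "$control" "$host" "$host"
}

# Demo with constructed registrations (not real key handles or public keys).
# Real use: pamu2fcfg -u "$(whoami)" -opam://"$(hostname)" -ipam://"$(hostname)" >> regs.txt
#           merge_mappings < regs.txt > u2f_mappings && check_mappings u2f_mappings
printf 'alice:kh1,pk1\nbob:kh3,pk3\nalice:kh2,pk2\n' | merge_mappings
pam_line A "${HOSTNAME:-myhost}"
```

The check only validates the file's shape; it cannot tell whether a registration was made against the hostname used in the PAM line, so still test each key with sudo -k followed by sudo before closing the root shell.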

Published in linuxtech
