Skip to content

Use Yubikey for sudo authentication

Published by Daniel on September 5, 2020

I recently got myself a Yubikey 5 NFC for Multi Factor Authentication. I’ve started using it for my SSH-keys and also instead of typing my password when sudoing, i just touch the hardware key.

To set this up in Ubuntu, do the following:

WARNING: during installation, also have a terminal open with root privileges, otherwise you can lock yourself out.

1. Install required packages
sudo apt-get install libpam-u2f pamu2fcfg

2. Check your hostname and remember it for later
hostname

3. Setup /etc/u2f_mappings
Login as the user under which you want your token.
Run this command and then touch your Yubikey to generate the token.

pamu2fcfg -u `whoami` -opam://`hostname` -ipam://`hostname`

Output should be username:looooongstringforyubikey1

Repeat this for every Yubikey you want and then combine these lines into one single line per user.
username1:looooongstringforyubikey1:looooongstringforyubikey2
username2:looooongstringforyubikey1:looooongstringforyubikey2

Create the file and paste the results and then save the file.
sudo nano /etc/u2f_mappings

4. Setup /etc/sudoers (optional)
This makes the sudo password expire after 0 seconds and you will have to enter it every time you use the sudo command.

sudo visudo

Append “timestamp_timeout=0” to the row Defaults env_reset, like this and save the file.

Defaults    env_reset,timestamp_timeout=0


5. Setup /etc/pam.d/sudo
There are three different scenarios you can use.

A. If you want the Yubikey AND enter the password.
B: If you want only the Yubikey.
C. If you want only the Yubikey but fallback to password if Yubikey fails or not connected.

sudo nano /etc/pam.d/sudo

At the top of the file just below #%PAM-1.0 use the the method you prefer. All in one line. Replace both $HOSTNAME with your actual hostname that you got in step 2 and then save the file.

A = auth required pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

B = auth [success=done new_authtok_reqd=done default=die] pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

C = auth sufficient pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue

The most secure alternative are of course to implement step 4 in combination with alternative A. Make sure to test all of your Yubikeys so you don’t end up getting locked out.

Published inlinuxtech

One Comment

  1. kneb kneb

    Hi, nice post, thank you for this. Is it possible to require YubiKey for every sudo but the password only once until it expires?

    June 3, 2021 Reply

Leave a Reply

Your email address will not be published. Required fields are marked *