I recently got myself a Yubikey 5 NFC for Multi Factor Authentication. I’ve started using it for my SSH keys and also instead of typing my password when sudoing: I just touch the hardware key.
To set this up in Ubuntu, do the following:
WARNING: while setting this up, keep a second terminal open with a root shell (for example from sudo -i) until you have verified that sudo still works, otherwise a mistake in the PAM or sudoers configuration can lock you out.
1. Install required packages
sudo apt-get install libpam-u2f pamu2fcfg
2. Check your hostname (run hostname) and note it; the PAM configuration in step 5 needs it written out literally.
3. Setup /etc/u2f_mappings
Log in as the user who will use the token.
Run this command and touch your Yubikey when it blinks to register it:
pamu2fcfg -u "$(whoami)" -o "pam://$(hostname)" -i "pam://$(hostname)"
The output is a single line of the form username:keyhandle,publickey, where the part after the colon is a long base64-like string.
Repeat this for every Yubikey you want to enroll (pamu2fcfg -n prints only the key part, without the username, which is convenient for the second and later keys), then join the entries into one line per user, separating the key strings with colons: username:key1:key2
Create the file, paste the combined line(s) into it and save. Keep the file owned by root and writable only by root: anyone who can edit it can enroll their own key for your account.
sudo nano /etc/u2f_mappings
4. Setup /etc/sudoers (optional)
This sets sudo's credential cache timeout to 0 seconds, so sudo asks for authentication on every invocation instead of remembering it for the default 15 minutes. Open the file with visudo (sudo visudo) rather than a plain editor, since visudo checks the syntax before saving and a broken /etc/sudoers disables sudo completely.
Append timestamp_timeout=0 to the Defaults env_reset line so that it reads Defaults env_reset,timestamp_timeout=0 and save the file.
5. Setup /etc/pam.d/sudo
There are three different scenarios you can choose from.
A. You want the Yubikey AND the password.
B. You want only the Yubikey.
C. You want only the Yubikey, but fall back to the password if the Yubikey fails or is not connected.
sudo nano /etc/pam.d/sudo
At the top of the file, directly below #%PAM-1.0 and before the @include common-auth line, add the line for the method you prefer, all on one line. Replace both occurrences of $HOSTNAME with the hostname from step 2 written out literally (PAM does not expand shell variables), then save the file. The cue option makes sudo print a reminder to touch the key.
auth required pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
auth [success=done new_authtok_reqd=done default=die] pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
auth sufficient pam_u2f.so origin=pam://$HOSTNAME appid=pam://$HOSTNAME authfile=/etc/u2f_mappings cue
The most secure alternative is of course step 4 in combination with alternative A. Before closing the root shell from the WARNING above, run sudo -k followed by sudo true in a separate terminal to confirm that the new configuration actually works, and test every enrolled Yubikey so you don't end up locked out.
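As an added example (not from the original post), the shell helpers below turn steps 3 to 5 into functions that operate on text and on copies of the files, so the result can be checked before anything is written to /etc/u2f_mappings, /etc/sudoers or /etc/pam.d/sudo. Nothing here talks to the hardware: pamu2fcfg output is passed in as text. The function names are my own, and the pamu2fcfg entries, hostnames and file contents used for testing are constructed.

```shell
#!/bin/sh
# Added example helpers for the Yubikey/pam_u2f sudo setup (not from the post).
# They work on plain text and on copies of the system files, so they can be
# exercised without a token attached and without touching /etc.

# Step 3: pamu2fcfg prints "user:keyhandle,publickey[,...]" once per key, but
# the authfile wants all keys of a user on one line: "user:key1:key2:...".
# $1 = user, remaining arguments = the pamu2fcfg output lines for that user.
merge_u2f_mappings() {
  user="$1"; shift
  [ $# -gt 0 ] || { echo "no pamu2fcfg entries given for $user" >&2; return 1; }
  line="$user"
  for entry in "$@"; do
    case "$entry" in
      "$user:"*) line="$line:${entry#"$user:"}" ;;
      *) echo "entry does not belong to $user: $entry" >&2; return 1 ;;
    esac
  done
  printf '%s\n' "$line"
}

# Step 4: append timestamp_timeout=0 to the "Defaults env_reset" line of a
# sudoers file. Run it on a copy and check the copy with "visudo -c -f COPY"
# before installing it: a syntax error in /etc/sudoers disables sudo entirely.
set_sudo_timestamp_timeout() {
  file="$1"
  grep -qE '^Defaults[[:space:]]+env_reset$' "$file" ||
    { echo "no plain 'Defaults env_reset' line in $file" >&2; return 1; }
  # keeps the original whitespace of the line and a .orig backup of the file
  sed -E -i.orig 's/^(Defaults[[:space:]]+env_reset)$/\1,timestamp_timeout=0/' "$file"
}

# Step 5: the pam_u2f line for mode A (key AND password), B (key only) or
# C (key, falling back to password). $2 is the literal hostname, because PAM
# does not expand $HOSTNAME itself.
pam_u2f_line() {
  mode="$1"; host="$2"
  opts="pam_u2f.so origin=pam://$host appid=pam://$host authfile=/etc/u2f_mappings cue"
  case "$mode" in
    A) printf 'auth required %s\n' "$opts" ;;
    B) printf 'auth [success=done new_authtok_reqd=done default=die] %s\n' "$opts" ;;
    C) printf 'auth sufficient %s\n' "$opts" ;;
    *) echo "unknown mode '$mode' (use A, B or C)" >&2; return 1 ;;
  esac
}

# Insert that line directly below the "#%PAM-1.0" header of a PAM service file
# (a copy of /etc/pam.d/sudo), keeping a .bak copy. Refuses to run twice on the
# same file so the module is never stacked twice by accident.
install_pam_u2f_line() {
  file="$1"; mode="$2"; host="$3"
  line=$(pam_u2f_line "$mode" "$host") || return 1
  grep -q '^#%PAM-1.0' "$file" || { echo "$file has no #%PAM-1.0 header" >&2; return 1; }
  if grep -q 'pam_u2f\.so' "$file"; then
    echo "$file already references pam_u2f.so, leaving it alone" >&2; return 1
  fi
  cp "$file" "$file.bak" || return 1
  awk -v l="$line" '{ print } /^#%PAM-1.0/ && !done { print l; done = 1 }' "$file.bak" > "$file"
}
```

On the real machine you would run pamu2fcfg once per key, feed the lines to merge_u2f_mappings "$(whoami)" ... and append the result to /etc/u2f_mappings as root, apply set_sudo_timestamp_timeout to a copy of /etc/sudoers and install it only after visudo -c -f accepts it, and point install_pam_u2f_line at a copy of /etc/pam.d/sudo before moving it into place, all while the spare root shell stays open.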