Home / ubuntu / Questions / 1167691
Accepted
Asitis
Asked: 2019-08-23 06:41:22 +0800 CST

Passwordless login with Yubikey 5 NFC

  • 772

I just bought a Yubikey 5 NFC and have set it up per their instructions on Ubuntu 19.04. But my preferred use case is to use the key as passwordless option (if it's plugged in; allow access - if it's not; enter password).

I've found some topics on this here and here but both are either not for a Yubikey or not for Ubuntu. And I'm too inexperienced with these things to blindly fiddle with settings as there is a good chance I'd get locked out forever if I do something wrong.

So I know the Yubikey 5 supports passwordless login for Windows, I figure it must be available on Ubuntu somehow, right? Does anyone have a tip for me?

Edit: To give some context to the valid point made below that this setup wouldn't increase security, matter of fact, would lower it: Yes, I know, very true indeed. However in my case I work mostly from my own (secured) home, but am a stickler for very complicated passwords. However it is slowing me down I have to enter a very long password each time my laptop idles too long, so for when I'm at home, I'd like to be able to use just the key, and if I'm away, leave the key at home and just use a password.

Edit2: Thanks to hackerb9's answer and running through the Yubico install steps again I got it to work. Essentially all I did different was to add auth sufficient pam_u2f.so to both /etc/pam.d/gdm-password and /etc/pam.d/sudo instead of @include common-u2f (which would result in auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue). So essentially just removed authfile=/etc/u2f_mappings cue did the trick. I'm not 100% sure but I think this is due a 'setup conflict' as I set up the key before attempting this.

login 19.04 yubikey

3 Answers

  1. Best Answer

    You're right to be worried about locking yourself out. If your home directory is encrypted, and you keep a Two-Factor Authentication authorization mapping file there, you will not be able to log in! That's why I always use a central authfile (/etc/u2f_mappings).

    I suggest creating a second account while testing, so you don't lock yourself out of your main account. Also, be sure to get a second 2FA key and register it as a backup in case you lose the first one.

    How to enable passwordless login

    Although you should be careful, the process is easy and straightforward. To make it even easier, I've written this, so you can simply cut and paste the following commands into a terminal:

    sudo apt install libpam-u2f
pamu2fcfg | sudo tee -a /etc/u2f_mappings

# (At this point, press the button. You should see a long string of numbers.
# If you don't, make sure you have `udev` setup correctly.)

sudo -i
echo >> /etc/u2f_mappings
cd /etc/pam.d

echo 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' > common-u2f

for f in $(grep -l "@include common-auth" *); do
  if [[ $f == *~ ]]; then continue; fi
  if grep -q "@include common-u2f" $f; then continue; fi
  mv $f $f~
  awk '/@include common-auth/ {print "@include common-u2f"}; {print}' $f~ > $f
done

exit

    Notes

    • When logging in, you'll be prompted to touch your device if it is detected. Otherwise, you'll be asked to type in a password.
    • We use the term "sufficient" above so that either the password or the U2F key are sufficient to login (as requested in the question). For a more typical Two-factor Authentication login, "sufficient" would be replaced by the word "required" so that both would always be needed.
    • The u2f line in the pam.d files must come before @include common-auth, otherwise you'll be required to type in a password before the U2F key is checked.
    • I would be remiss if I didn't point out that using a "2FA" key in this way, while convenient, does not increase your security. In fact, you've only opened a second way to get into your account. But, that's not necessarily bad; not everybody needs high-security and a dongle like this can save you from having an easy to type, short, and vulnerable password.

    And so much more!

    By the way, these instructions aren't just for devices from Yubico. I'm using a key from Solokeys and it works great. Additionally, the setup works for both USB and NFC keys.

    If you need more information, Yubico's instructions and the Linux 20+ Guide — as mentioned in the original question — are fairly informative. Also, see the man pages for pam_u2f and pamu2fcfg.

    Update 2022

    Newer versions of Ubuntu and Debian GNU/Linux have proliferated the number of files in /etc/pam.d/ which need to be edited. Ideally, we would just edit a single file: common-auth, but that file is managed by pam-auth-update(8) which is limited to the profiles in /usr/share/pam-configs/. Since editing files under /usr/share is usually a bad idea, we are stuck with editing multiple files. To make this easier, I have tweaked the instructions to grep for all possible relevant config files.

    • 17

  2. Here is my approach:

    To enable a passwordless sudo with the yubikey do the following

    • Open Terminal.
    • Insert your U2F Key.
    • Run: mkdir -p ~/.config/Yubico
    • Run: pamu2fcfg > ~/.config/Yubico/u2f_keys
    • When your device begins flashing, touch the metal contact to confirm the association.

    Now configure sudo to use the key when available (password otherwise) by editing the following file

    sudo nano /etc/pam.d/sudo

    Add the auth line before the @include

    auth sufficient pam_u2f.so
@include common-auth

    To use the yubikey as a second factor additionally to your password edit /etc/pam.d/sudo in the following way

    @include common-auth
auth       required   pam_u2f.so

    Where the auth line is after the @include

    • 5

  3. I know that this has been here for a while but I wanted to chime in here to make sure that this is complete. So that if someone else comes along they know how to get it working.

    I do want to say that is awesome and I've been looking for this for a while and came across this a few days ago and haven't seen a way to do this besides this one. I'm sure that it's out there.

    The one thing that I believe was missed is...

    pamu2fcfg outputs to the file /etc/u2f_mappings via pamu2fcfg | tee /etc/u2f_mappings under the current user, which in this case is root. If you are attempting to use it for another user besides root it won't work.

    The file would need to be updated to reflect the correct username in that case.

    sudo nano /etc/u2f_mappings

    Change root in the line to the desired username.

    So from something like root:xxxxxxx..... to USERNAMEHERE:xxxxxxxx..... or whatever the username is going to be.

    OR

    Another way, probably better way, to approach it is to

    change pamu2fcfg | tee /etc/u2f_mappings

    to

    pamu2fcfg -u USERNAME | tee /etc/u2f_mappings

    or change it to

    pamu2fcfg -u USERNAME >> /etc/u2f_mappings

    where USERNAME is the name of the user who is going to be using it. With the >> it creates or appends to the end of the file which allows for multiple users.

    I'm going to pull the majority of this over and a few other items from other pages and drop it into git so that I don't loose this in the abyss that is the internet. It's not fully setup but here's the link https://github.com/vanderblugen/yubico_password_less_ubuntu. If I can tag you in there shoot me a message and I will do that.

    This part took me a while. Each user in the file should be on it's own line. If multiple keys for a single user put a : between each of the keys.

    • 3