Yubikey for sudo 2 Factor Auth

• bash
• debian
• yubikey
• u2f
• sudo
• 2fa

Some days ago I thought about testing two factor authentication (2FA) with Yubikey. Yubikey is a hardware security key which can do a lot.

How to test 2FA on a local machine if you don’t want to log you out or destroy anything important? I decided to implement 2FA for sudo command with yubikeys U2F feature. Be aware: This does not work for ssh.

To get 2FA working with sudo is pretty straight forward.

Install dependend packages

apt-get install pamu2fcfg libpam-u2f

connect the u2f key with your account

Per default u2f authentication from yubikey takes a look at ~/.config/Yubico. Therefore we have to create this directory:

mkdir -p ~/.config/Yubico

after that we can create the authentication config:

pamu2fcfg > ~/.config/Yubico/u2f_keys

When the key starts flashing, touch the metal contact to confirm the action.

If you want to add multiple keys to your account you have to do the step from above for each key with following command:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

configure sudo to use u2f authentication

To enable the token for sudo we have to edit /etc/pam.d/sudo and add the following line below @include common-auth:

auth required pam_u2f.so

To be on the save side, just save the file and do not close it. Now you can revert the change just in case it fails.

Test your setup

Now we can open a new terminal and type something like sudo echo works. You now can insert your password. If your device is not connected the authentication will fail. If your device is connected you have to press the metal contact when your device starts flashing.

Troubleshooting

pamu2fcfg does not detect your device

You want to create the config file and get after a timeout a message like:

No device found. Aborting.

In my case the problem was yubikey had no FIDO/U2F enabled. Let’s enable it.

get yubikey-manager

To enable FIDO on your key we need the yubikey-manager which can be installed from yubico repository.

sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install yubikey-manager-qt

After installation the manager can be started with ykman-gui. Now we can enable FIDO on the interface tab:

sudo was working the first time but now its not

If sudo was working the first time you tested it and now its not it could happen that the mode of your yubikey has changed. To test it run pamu2fcfg. If it does not detect any device your device mode has changed.

The mode can be changed with the command ykpersonalize.

Install ykpersonalize

To get it running we need the package yubikey-personalization from yubico repository:

apt-get install yubikey-personalization

change mode

To get it running again the mode must be set to something like 3, 5 or 6. man ykpersonalize is your friend. I enabled OTP, U2F and CCID. Therefore I have to call:

ykpersonalize -m6