Yubikey for sudo 2 Factor Auth
Some days ago I thought about testing two-factor authentication (2FA) with a Yubikey. The Yubikey is a hardware security key that can do a lot.
How do you test 2FA on a local machine without locking yourself out or breaking anything important? I decided to implement 2FA for the sudo command with the Yubikey's U2F feature. Be aware: this does not work for ssh.
Getting 2FA working with sudo is pretty straightforward.
Install the required packages
apt-get install pamu2fcfg libpam-u2f
connect the u2f key with your account
By default, pam_u2f looks for the key mapping in ~/.config/Yubico. Therefore we have to create this directory:
mkdir -p ~/.config/Yubico
After that we can create the authentication config:
pamu2fcfg > ~/.config/Yubico/u2f_keys
When the key starts flashing, touch the metal contact to confirm the action.
If you want to add multiple keys to your account, repeat the step above for each additional key with the following command (-n leaves out the username so the new key is appended to your existing line, and >> appends instead of overwriting the file):
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
configure sudo to use u2f authentication
To enable the token for sudo we have to edit /etc/pam.d/sudo and add the following line below @include common-auth:
auth required pam_u2f.so
To be on the safe side, save the file but do not close the editor. That way you can revert the change in case the test fails.
Test your setup
Now we can open a new terminal and type something like sudo echo works. Enter your password. If your device is not connected, the authentication will fail. If your device is connected, press the metal contact when the device starts flashing.
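Before opening that new terminal it helps to check the two files you just edited. The script below is an added example, not code from the original post or from the pam-u2f project: it parses the u2f_keys mapping that pamu2fcfg writes and the auth stack in /etc/pam.d/sudo, and reports the mistakes that either lock you out of sudo (no entry for your user, a first key registered with -n) or silently leave the key optional (pam_u2f.so stacked as sufficient, or placed above common-auth). The sample file contents, the username alice and the PLACEHOLDER_ key values are constructed for the example.

```python
"""Offline sanity check of the pam_u2f sudo setup described above.

Added example, not code from the original post or the pam-u2f project.
It parses the two files the post edits (~/.config/Yubico/u2f_keys as written
by pamu2fcfg, and /etc/pam.d/sudo) and reports misconfigurations that either
lock you out of sudo or leave the second factor optional.  The sample
contents below are constructed: the key handles and public keys are
placeholder strings, not real credentials.
"""
import re
import sys
from pathlib import Path

# Constructed sample of what `pamu2fcfg` followed by `pamu2fcfg -n >>` produce:
# one line per user, key entries separated by ':', and within an entry the
# fields handle,pubkey[,cose_type,options].
SAMPLE_U2F_KEYS = (
    "alice:PLACEHOLDER_HANDLE_1,PLACEHOLDER_PUBKEY_1,es256,+presence"
    ":PLACEHOLDER_HANDLE_2,PLACEHOLDER_PUBKEY_2,es256,+presence\n"
)

# Constructed sample of /etc/pam.d/sudo after the edit from the post.
SAMPLE_PAM_SUDO = """\
#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
auth required pam_u2f.so
@include common-account
@include common-session-noninteractive
"""

# "auth <control> <module>" where control is a word or a [bracketed] spec.
AUTH_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_u2f_keys(text):
    """Return {username: [key entries]} from u2f_keys file content.

    Raises ValueError for a line with no username prefix, which is what you
    get when the very first key was registered with `pamu2fcfg -n`.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, rest = line.partition(":")
        if not sep or not user:
            raise ValueError(f"line {lineno}: no username before ':' "
                             "(first key registered with -n?)")
        keys = []
        for entry in rest.split(":"):
            fields = entry.split(",")
            if len(fields) < 2 or not fields[0] or not fields[1]:
                raise ValueError(f"line {lineno}: malformed key entry {entry!r}")
            keys.append({"handle": fields[0], "pubkey": fields[1],
                         "cose": fields[2] if len(fields) > 2 else None,
                         "options": fields[3] if len(fields) > 3 else None})
        mapping.setdefault(user, []).extend(keys)
    return mapping


def check_pam_sudo(text):
    """Return findings about where and how pam_u2f.so is stacked."""
    findings = []
    common_auth_idx = u2f_idx = u2f_control = None
    for idx, raw in enumerate(text.splitlines()):
        line = raw.split("#", 1)[0].strip()  # drop comments and '#%PAM-1.0'
        if line.split() == ["@include", "common-auth"]:
            common_auth_idx = idx
        m = AUTH_RE.match(line)
        if m and m.group(2).rsplit("/", 1)[-1] == "pam_u2f.so":
            u2f_idx, u2f_control = idx, m.group(1)
    if u2f_idx is None:
        return ["pam_u2f.so is not in the auth stack: sudo asks for the password only"]
    if common_auth_idx is None:
        findings.append("no '@include common-auth': the password factor is missing")
    elif u2f_idx < common_auth_idx:
        findings.append("pam_u2f.so is above common-auth: key is prompted before the password")
    if u2f_control == "sufficient":
        findings.append("control 'sufficient': a missing or failing key does not block "
                        "sudo, so the key is optional rather than a second factor")
    elif u2f_control not in ("required", "requisite") and not u2f_control.startswith("["):
        findings.append(f"unusual control {u2f_control!r}; the post uses 'required'")
    return findings


def check_setup(u2f_keys_text, pam_sudo_text, username):
    """Combine both checks; an empty list means the setup matches the post."""
    try:
        mapping = parse_u2f_keys(u2f_keys_text)
    except ValueError as exc:
        return [f"u2f_keys: {exc}"]
    findings = []
    if username not in mapping:
        findings.append(f"u2f_keys: no entry for {username!r}; sudo will fail for this user")
    findings.extend(check_pam_sudo(pam_sudo_text))
    return findings


if __name__ == "__main__":
    # No arguments: run against the constructed samples.
    # Three arguments: <u2f_keys path> <pam.d/sudo path> <username> for a real setup.
    if len(sys.argv) == 4:
        keys_text = Path(sys.argv[1]).read_text()
        pam_text = Path(sys.argv[2]).read_text()
        user = sys.argv[3]
    else:
        keys_text, pam_text, user = SAMPLE_U2F_KEYS, SAMPLE_PAM_SUDO, "alice"
    problems = check_setup(keys_text, pam_text, user)
    print("\n".join(problems) if problems else "setup looks consistent with the post")
```

Run it as `python3 check_u2f_sudo.py ~/.config/Yubico/u2f_keys /etc/pam.d/sudo "$USER"` before testing in the new terminal. The ordering check matters because the post puts pam_u2f.so below common-auth on purpose: the password is verified first, then the key, and `required` (rather than `sufficient`) is what makes both factors mandatory.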
Troubleshooting
pamu2fcfg does not detect your device
You try to create the config file and, after a timeout, get a message like:
No device found. Aborting.
In my case the problem was that FIDO/U2F was not enabled on the Yubikey. Let's enable it.
get yubikey-manager
To enable FIDO on your key we need yubikey-manager, which can be installed from the Yubico repository.
sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
sudo apt-get install yubikey-manager-qt
After installation the manager can be started with ykman-gui. Now we can enable FIDO on the interface tab.
sudo was working the first time but now it's not
If sudo was working the first time you tested it and now it's not, the mode of your Yubikey may have changed. To test it, run pamu2fcfg. If it does not detect any device, the device mode has changed. The mode can be changed with the command ykpersonalize.
Install ykpersonalize
To get it running we need the package yubikey-personalization from the Yubico repository:
apt-get install yubikey-personalization
change mode
To get it running again the mode must be set to something like 3, 5 or 6. man ykpersonalize is your friend. I enabled OTP, U2F and CCID, so I have to call:
ykpersonalize -m6