DEV Community

bashbunni

Set up Yubikey for Passwordless Sudo Authentication

Passwordless auth with Yubico 5 NFC on Ubuntu

Resources

Using U2F for passwordless sudo

Prerequisites

sudo apt-get install libpam-u2f
You'll need to set up your YubiKey with YubiKey Manager before following this tutorial.

Setup

  1. Plug in the YubiKey and run: mkdir ~/.config/Yubico
    • skip this if the folder already exists
  2. Run pamu2fcfg > ~/.config/Yubico/u2f_keys to add your YubiKey to the list of accepted keys
    • enter your PIN if one is set for the key, then touch the key when its light blinks
  3. (optional) Register additional keys with the command: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys

  4. Run sudo nano /etc/pam.d/sudo (or sudo nvim /etc/pam.d/sudo to use neovim as the text editor) to edit the PAM config for sudo.
    Then add the line auth sufficient pam_u2f.so before the line
    @include common-auth

To make this 2FA instead of passwordless authentication with the YubiKey

  • instead of the final step, adjust the file /etc/pam.d/sudo so that it contains:
@include common-auth
auth       required   pam_u2f.so

Save the file but DO NOT CLOSE THE EDITOR: CONFIRM that the deployment was successful first (see below).

Always confirm success BEFORE closing the terminal window in which /etc/pam.d/sudo is being edited; a broken PAM config can lock you out of sudo.

You can confirm that the deployment succeeded by opening a new terminal tab or window and running sudo echo SUCCESS

  • If you enabled sign-in with the YubiKey only, you will see your YubiKey flashing for touch input.
  • If you enabled 2FA with your key, you will be prompted for your password first, and then the YubiKey will flash for touch input.

Once the behaviour works as expected, you may close the terminal windows.
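The two configurations above (passwordless: "sufficient" before common-auth; 2FA: "required" after common-auth) differ only in the control word and the line order, which is easy to get wrong in the editor. The following is an added example, not code from the original post: a small POSIX sh checker that reads a pam.d/sudo file and reports which mode it encodes, run here against constructed sample files rather than the real /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example, not from the original post: classify how /etc/pam.d/sudo
# wires pam_u2f relative to "@include common-auth" so you can confirm the
# intended mode (passwordless vs 2FA) before closing the editor.

# classify_pam_u2f FILE  -> prints exactly one word:
#   none          no pam_u2f.so auth line (sudo behaviour unchanged)
#   passwordless  "auth sufficient pam_u2f.so" BEFORE "@include common-auth"
#   2fa           "auth required pam_u2f.so"   AFTER  "@include common-auth"
#   review        any other arrangement; inspect it by hand before trusting it
classify_pam_u2f() {
    u2f=$(grep -n -E '^[[:space:]]*auth[[:space:]]+(sufficient|required)[[:space:]]+pam_u2f\.so' "$1" | head -n 1)
    inc=$(grep -n -E '^[[:space:]]*@include[[:space:]]+common-auth' "$1" | head -n 1)
    [ -n "$u2f" ] || { echo none; return 0; }
    [ -n "$inc" ] || { echo review; return 0; }
    u2f_no=${u2f%%:*}; inc_no=${inc%%:*}
    set -- ${u2f#*:}           # word-split the matched line: $1=auth $2=control word
    if [ "$2" = sufficient ] && [ "$u2f_no" -lt "$inc_no" ]; then echo passwordless
    elif [ "$2" = required ] && [ "$u2f_no" -gt "$inc_no" ]; then echo 2fa
    else echo review
    fi
}

# Constructed sample configs (temporary files) standing in for /etc/pam.d/sudo.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_UNCHANGED="$SAMPLE_DIR/unchanged"
SAMPLE_PASSWORDLESS="$SAMPLE_DIR/passwordless"
SAMPLE_2FA="$SAMPLE_DIR/2fa"
SAMPLE_REVIEW="$SAMPLE_DIR/review"
printf '%s\n' '#%PAM-1.0' '@include common-auth' '@include common-account' > "$SAMPLE_UNCHANGED"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_u2f.so' '@include common-auth' > "$SAMPLE_PASSWORDLESS"
printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth       required   pam_u2f.so' > "$SAMPLE_2FA"
# "sufficient" placed AFTER common-auth still asks for the password first, so it is not passwordless.
printf '%s\n' '#%PAM-1.0' '@include common-auth' 'auth sufficient pam_u2f.so' > "$SAMPLE_REVIEW"

for f in "$SAMPLE_UNCHANGED" "$SAMPLE_PASSWORDLESS" "$SAMPLE_2FA" "$SAMPLE_REVIEW"; do
    printf '%-12s -> %s\n' "$(basename "$f")" "$(classify_pam_u2f "$f")"
done
```

Pointing it at a copy of your real file (classify_pam_u2f /etc/pam.d/sudo) is a quick sanity check before the sudo echo SUCCESS test, not a replacement for it.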

Top comments (10)

Chris Clarkson

Thanks for this, a great walkthrough.

For those like me who forget that the YubiKey is set up for this kind of thing, you can add a cue to /etc/pam.d/sudo to give you a message instead of just the paused prompt.

auth sufficient pam_u2f.so cue [cue_prompt="Tap the Yubikey to Sudo"]

Developer Reference has some other good options to add if you need them too.

bashbunni

Ah I never thought of this. Thank you for sharing!!

David Savage

Thank you for this post. I've implemented it and feel more secure ;)
However, there is one gap, namely how to do the same for su. I tried the same process for su but got this message: su: Authentication service cannot retrieve authentication info. Any ideas?

pusher018

Nice tutorial. I was doing it as 2FA, but I would love to switch to passwordless if we could require the PIN of the YubiKey before touching.

Also, can I do it on a remote server connected via ssh, or is it only for a key connected to the local machine?

Niklas

This is great.

Also, it works pretty similarly for polkit, just that it's /etc/pam.d/polkit-1.

Douglas R Andreani

this is awesome, thanks

bashbunni

I'm so glad it's helpful for you!

Waylon Walker

2FA sudo command, so cool

dffvb

Will this work over SSH?

Niklas

Sadly, no. But pam_yubico.so should work.