How to Configure Linux for U2F Authentication

In my last post, I wrote about the benefits of U2F – Universal 2nd Factor. Here are the three phases of installing it as the second factor on a Linux VM. For this article, I assume you have a Linux VM (or computer) configured with access to a USB port. I did this more as a test and demonstration than as a full deployment. My goal was to explore the key, the modules and the integration to share with you.

Be sure to have a way to recover from this if you have a different system and your installation fails. I’m using Ubuntu, so holding down the Shift key right as the VM boots brings me to a recovery menu. While you edit the PAM files, keep a second terminal open as root and test the change with su from yet another terminal before you close it; a PAM mistake otherwise locks you out of every login path at once. If you use a central file to hold the keys, be sure to create a user who can log in without a key, or start with the module’s nouserok option, which lets accounts that have no registered key through until everyone is enrolled.

Retrieve and Install Necessary Software

I am using a Yubico FIDO U2F Security Key. The software I needed was:

  1. The udev rules file 70-u2f.rules. This file needs to be installed in the folder /etc/udev/rules.d. It allows Linux to “see” the key when it is inserted: without it a non-root user cannot open the key’s HID device, so pamu2fcfg and pam_u2f fail. I saved the copy to my desktop then copied it into the destination folder. Reboot after placing the file in the directory (or run sudo udevadm control --reload-rules and re-insert the key) so the change can take effect.
    [Screenshot: downloaded 70-u2f.rules file]
    [Screenshot: file installed in /etc/udev/rules.d]
  2. The packages pamu2fcfg and libpam-u2f. I installed these from the command line:
     sudo apt-get install pamu2fcfg
     sudo apt-get install libpam-u2f

Create an Individual Authentication File

The instructions for configuring the software can be found at https://github.com/Yubico/pam-u2f. You won’t need to build it from source since you retrieved the packages from the repository. You could if you wanted to, though.

  1. Since I wanted to make this a per-user option, I created the directory ~/.config/Yubico, which is where pam_u2f looks for a user’s key file by default.
     mkdir ~/.config/Yubico
  2. Then I generated a key handle for the key and retrieved the public key stored on the Yubico device. I used the following command since my username is john (pamu2fcfg blinks the key and waits for a touch before it prints the registration line):
     pamu2fcfg -u john > ~/.config/Yubico/u2f_keys

    The generated file is a single line: the username, a colon, then the key handle and the public key separated by a comma (newer pam-u2f versions add the COSE type and the options as further comma-separated fields):
    [Screenshot: u2f_keys file]
    If you configure U2F for all users, the lines in the central configuration file (probably /etc/u2f_mappings, the module’s default authfile) will look like this, with one line per user. In either the central or individual key file, more keys can be registered for a user: each additional registration is appended to the same line, separated by a colon, and pamu2fcfg -n prints a registration without the username for exactly this purpose.
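Putting the registration steps together, as an added example that is not from the original post: the script below registers the first key with pamu2fcfg, appends a backup key with pamu2fcfg -n, and checks the resulting file before PAM is told to use it. It assumes pamu2fcfg is installed and the key is inserted; the helper names (register_first_key, check_authfile and so on) and the sample entries used when testing are my own, and the authfile layout it parses is the one the pam-u2f README documents.

```shell
#!/bin/sh
# Added example (not from the original post): register a U2F key for the
# current user with pamu2fcfg and sanity-check the resulting authfile before
# PAM is told to use it. Assumes pamu2fcfg is installed and the key is
# inserted. The count/check helpers work on any authfile in the README format
#   <user>:<keyhandle>,<publickey>[,...]:<keyhandle>,<publickey>[,...]
# (one line per user, one colon-separated registration per key).

AUTHFILE="${HOME}/.config/Yubico/u2f_keys"

# First key: pamu2fcfg blinks the key, waits for a touch and prints the
# registration line. The umask in the subshell creates the file as 0600.
register_first_key() {
    mkdir -p "$(dirname "$AUTHFILE")"
    ( umask 077 && pamu2fcfg -u "$(id -un)" > "$AUTHFILE" )
}

# Backup key: -n (--nouser) omits the username so the registration is appended
# to the existing line, as the README shows for adding a second key.
append_backup_key() {
    pamu2fcfg -n >> "$AUTHFILE"
}

# Number of registrations for a user: the colon-separated fields after the name.
count_keys_for_user() {  # $1 = user, $2 = authfile
    awk -F: -v u="$1" '$1 == u { n = NF - 1 } END { print n + 0 }' "$2"
}

# Refuse to go further when the entry is missing or malformed: once the PAM
# line is "required", a broken authfile locks the user out.
check_authfile() {  # $1 = user, $2 = authfile
    [ -f "$2" ] || { echo "no authfile $2" >&2; return 1; }
    n=$(count_keys_for_user "$1" "$2")
    [ "$n" -ge 1 ] || { echo "no registration for $1 in $2" >&2; return 1; }
    # every registration needs at least <keyhandle>,<publickey>
    awk -F: -v u="$1" '
        $1 == u { for (i = 2; i <= NF; i++) if (split($i, f, ",") < 2) exit 1 }
    ' "$2" || { echo "malformed registration for $1 in $2" >&2; return 1; }
    echo "$1: $n key(s) registered in $2"
}

# Only touch the real key when asked to, so the functions can be sourced/tested.
case "${1:-}" in
    register) register_first_key && check_authfile "$(id -un)" "$AUTHFILE" ;;
    backup)   append_backup_key  && check_authfile "$(id -un)" "$AUTHFILE" ;;
    check)    check_authfile "$(id -un)" "$AUTHFILE" ;;
esac
```

Run it as `sh enroll.sh register` with the first key inserted, then `sh enroll.sh backup` with the second one; `sh enroll.sh check` re-validates the file at any time. The checks are deliberately strict, because an entry with only one comma-separated field, or none for the user at all, is exactly what turns a “required” pam_u2f line into a lockout.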

Tell PAM to Use the Key

PAM is the Pluggable Authentication Modules system for Linux. It is used to configure authentication for the services that require it; each service has its own file under /etc/pam.d. I added U2F support for su and for graphical logins through lightdm, the display manager my version of Ubuntu uses by default.

Exactly where to put the configuration lines in the files will vary depending on what version you are running. I’ve shown the pertinent files for my system. The added line besides the comment is the “auth sufficient pam_u2f.so” line (the module is the shared object pam_u2f.so, not pam_u2f.o). Note what “sufficient” means to PAM: if the key check succeeds, authentication stops there and no password is asked, and if it fails PAM simply falls through to the next module, so with this control the key is an alternative to the password rather than a second factor. To make it a true second factor, put the line after the password module (on Ubuntu, after the @include common-auth line) with the control “required”, and keep a user who can log in without a key until every account has a registration. The debug option isn’t strictly necessary: I just have it in there to see what’s going on. The cue option prompts the user to touch the device. You can also create a separate file with that line, and use the “@include” PAM directive to include it in the desired files.

[Screenshot: su PAM configuration]

[Screenshot: lightdm PAM configuration]
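The PAM wiring described above, as an added example rather than the post’s own /etc/pam.d files: one shared snippet that the services @include, the weak “sufficient” line beside the second-factor “required” line, and a small check that reports, per service file, whether pam_u2f replaces the password or is required on top of it. The snippet name common-u2f, the helper names and the constructed files used when testing are my assumptions; the module options (cue, nouserok, authfile) are pam_u2f’s own.

```shell
#!/bin/sh
# Added example (not the post's own PAM files): a shared snippet for pam_u2f
# and a check that tells "key instead of password" from "key in addition to
# password". The snippet name common-u2f is an assumption; any file under
# /etc/pam.d that the services @include will do.

SNIPPET=/etc/pam.d/common-u2f

# Weak wiring, as in "auth sufficient pam_u2f.so": when the key check passes
# PAM stops and asks no password, so the key alone logs in; when it fails PAM
# falls through to the password. That is an alternative factor, not a second.
WEAK='auth sufficient pam_u2f.so cue'

# Second-factor wiring: the password stack (@include common-auth on Debian and
# Ubuntu) runs first and pam_u2f is required after it, so both must pass.
# nouserok lets users with no registration through during rollout; drop it
# once everyone is enrolled. Add authfile=/etc/u2f_mappings to switch from the
# per-user ~/.config/Yubico/u2f_keys to the central mapping file.
STRICT='auth required pam_u2f.so cue nouserok'

write_snippet() {  # needs root; writes the strict line to $SNIPPET
    printf '%s\n' "$STRICT" > "$SNIPPET"
}

# Append "@include common-u2f" to a PAM service file once (idempotent).
# Appending lands after the service's own @include common-auth, which is the
# order the strict wiring needs.
add_include() {  # $1 = PAM service file, e.g. /etc/pam.d/su
    grep -q '^@include common-u2f$' "$1" || printf '@include common-u2f\n' >> "$1"
}

# Print a PAM file with one level of @include expanded from the given directory.
expand_pam() {  # $1 = PAM service file, $2 = directory holding the included files
    f=$1; dir=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            @include\ *) set -- $line; cat "$dir/$2" 2>/dev/null ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$f"
}

# How pam_u2f is wired in a service file (includes resolved one level deep):
#   absent         no active "auth ... pam_u2f.so" line
#   replaces       control is sufficient: the key alone suffices
#   second-factor  control is required or requisite
#   other          any other control, e.g. a [success=...] bracket; review by hand
u2f_mode() {  # $1 = PAM service file, $2 = include directory (default /etc/pam.d)
    expand_pam "$1" "${2:-/etc/pam.d}" | awk '
        /^[[:space:]]*#/ || NF < 3 { next }
        $1 == "auth" {
            for (i = 3; i <= NF; i++) if ($i ~ /(^|\/)pam_u2f\.so$/) break
            if (i > NF) next
            if ($2 == "sufficient") print "replaces"
            else if ($2 == "required" || $2 == "requisite") print "second-factor"
            else print "other"
            found = 1; exit
        }
        END { if (!found) print "absent" }'
}

# Report every service given; fail if any lets the key replace the password.
lint_pam() {  # $1 = include directory, $2.. = PAM service files
    dir=$1; shift; rc=0
    for f in "$@"; do
        m=$(u2f_mode "$f" "$dir")
        echo "$f: $m"
        [ "$m" = replaces ] && rc=1
    done
    return $rc
}

case "${1:-}" in
    install) write_snippet && add_include /etc/pam.d/su && add_include /etc/pam.d/lightdm ;;
    lint)    shift; lint_pam /etc/pam.d "$@" ;;
esac
```

`sudo sh pam-u2f.sh install` writes the snippet and includes it from su and lightdm; `sh pam-u2f.sh lint /etc/pam.d/su /etc/pam.d/lightdm` then shows “second-factor” for both, while a file still carrying the post’s “sufficient” line reports “replaces”. Run the lint from a terminal that is already root, and only close that terminal after su has asked for both the password and the key touch.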

In a real environment, you’d probably want to use the key for authentication for all users that have one and to manage the keys centrally; the module’s authfile option points it at a central file such as /etc/u2f_mappings instead of each user’s ~/.config/Yubico/u2f_keys. The basic instructions for that are in the README. You can even configure the screen to lock when you remove the key.

I will share more about the key including using it for websites, configuring a backup key and other safeguards, and more about using it for Linux authentication in future posts.

To your safe computing,
John McDermott

image sources

  • Downloaded File: John McDermott
  • File installed: John McDermott
  • u2f_keys file: John McDermott
  • su pam configuration: John McDermott
  • lightdm pam configuration: John McDermott
