In my last post, I wrote about the benefits of U2F – Universal Two-Factor Authentication. Here are the three phases of installing it as the second factor on a Linux VM. For this article, I assume you have a Linux VM (or computer) configured with access to a USB port. I did this more as a test and demonstration than as a full deployment. My goal was to explore the key, the modules and the integration to share with you.
Be sure to have a way to recover if you have a different system and your installation fails. I’m using Ubuntu, so holding the Shift key right as the VM boots brings me to a recovery menu. If you use a central file to hold the keys, be sure to create a user who can log in without a key.
I am using a Yubico FIDO U2F Security Key. The software I needed was:
sudo apt-get install pamu2fcfg
sudo apt-get install libpam-u2f
The instructions for configuring the software can be found at https://github.com/Yubico/pam-u2f. You won’t need to build it from source since you retrieved the packages from the repository. You could if you wanted to, though.
mkdir -p ~/.config/Yubico
pamu2fcfg -u john > ~/.config/Yubico/u2f_keys
The generated file is:
If you configure U2F for all users, the lines in the central configuration file (probably /etc/u2f_mappings) will look like this with one line per user. In either the central or individual key file, more keys can be specified.
PAM is the Pluggable Authentication Module system for Linux. It is used to configure authentication for subsystems that require it. I added U2F support for su and for windowed logins through lightdm, the display manager my version of Ubuntu uses by default.
Exactly where to put the configuration lines in the files will vary depending on what version you are running. I’ve shown the pertinent files for my system. Apart from a comment, the only line I added is the “auth sufficient pam_u2f.so” line. The debug option isn’t strictly necessary: I just have it in there to see what’s going on. The cue option prompts the user to touch the device. You can also create a separate file with that line and use the “@include” PAM directive to include it in the desired files.
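As an added example (not the author’s configuration or pam-u2f’s own code), here is a small POSIX shell checker that reads a PAM service file and reports how its pam_u2f.so line is wired: the control flag, the authfile it points at, and whether “sufficient” placed ahead of the password stack makes the key an alternative to the password rather than a second factor. The two sample files it builds are constructed stand-ins for /etc/pam.d/su; the “required” variant shown as the strict case would need pam_u2f’s nouserok option or a keyless recovery user so that users without a registered key are not locked out.

```shell
#!/bin/sh
# Added example (not the post's own code): classify how a PAM service file wires the
# "auth ... pam_u2f.so" line the post adds. Two constructed samples stand in for /etc/pam.d/su.
mk_sample() {  # $1 = control flag, $2 = "before" or "after" the password stack
  f="$(mktemp)"
  if [ "$2" = before ]; then
    printf 'auth %s pam_u2f.so authfile=/etc/u2f_mappings cue debug\n@include common-auth\n' "$1"
  else
    printf '@include common-auth\nauth %s pam_u2f.so authfile=/etc/u2f_mappings cue\n' "$1"
  fi > "$f"
  echo "$f"
}
SAMPLE_POST="$(mk_sample sufficient before)"   # the wiring described in the post
SAMPLE_STRICT="$(mk_sample required after)"    # password stack first, then the key is mandatory
trap 'rm -f "$SAMPLE_POST" "$SAMPLE_STRICT"' EXIT

# Print the control flag of the first auth-type pam_u2f.so entry, or "none" if there is none.
pam_u2f_control() {  # $1 = PAM service file
  awk '$1 == "auth" && $3 == "pam_u2f.so" { print $2; found = 1; exit }
       END { if (!found) print "none" }' "$1"
}

# Print the authfile= option, or "default" (pam_u2f then reads ~/.config/Yubico/u2f_keys).
pam_u2f_authfile() {  # $1 = PAM service file
  awk '$1 == "auth" && $3 == "pam_u2f.so" {
         for (i = 4; i <= NF; i++) if (sub(/^authfile=/, "", $i)) { print $i; exit }
         print "default"; exit }' "$1"
}

# How the key combines with the password stack (pam_unix.so or an @include of common-auth):
#   key-or-password  sufficient and listed first: a key touch alone completes authentication
#   password-only    sufficient and listed after: an absent or failed key falls back to the password
#   both-required    required or requisite: the password and the key are both needed
pam_u2f_factor_mode() {  # $1 = PAM service file
  awk '
    $1 == "auth" && $3 == "pam_u2f.so" && !u2f { u2f = NR; ctl = $2 }
    (($1 == "auth" && $3 == "pam_unix.so") || ($1 == "@include" && $2 == "common-auth")) && !pw { pw = NR }
    END {
      if (!u2f) print "none"
      else if (ctl == "required" || ctl == "requisite") print "both-required"
      else if (ctl == "sufficient" && (!pw || u2f < pw)) print "key-or-password"
      else if (ctl == "sufficient") print "password-only"
      else print "other"
    }' "$1"
}
```

Run it against a real service file (for example `pam_u2f_factor_mode /etc/pam.d/su`) to see which of the three modes your placement of the line produces.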
In a real environment, you’d probably want to use the key for authentication for all users who have one and to manage the keys centrally. The basic instructions for that are in the README. You can even configure the screen to lock when you remove the key.
I will share more about the key including using it for websites, configuring a backup key and other safeguards, and more about using it for Linux authentication in future posts.
To your safe computing,