How to enable U2F on Ubuntu

What is U2F?

U2F (Universal 2nd Factor) is an open standard that internet services use to strengthen their authentication with a second factor. After the user enters their password, they are prompted for a second factor (such as a security key).

More details can be found on the FIDO website.

In our case, we’ll enforce U2F on Ubuntu by adding it to our main authentication mechanism (password). We’ll be using a Yubico YubiKey as our security key.

 

This is a shameless copy of the Yubico Ubuntu U2F guide.

 

  1. Ensure the Yubico Ubuntu Repository is downloaded

    1. Run:
       sudo add-apt-repository ppa:yubico/stable && sudo apt-get update 
    2. When prompted, press Enter to confirm adding the PPA.
  2. Install the required software for Ubuntu to support U2F

     sudo apt-get install libpam-u2f  

 

  3. Register your U2F keys

    1. Open a terminal
    2. Insert your U2F key
    3. Execute
        mkdir -p ~/.config/Yubico
    4. Then execute
        pamu2fcfg > ~/.config/Yubico/u2f_keys
    5. When the device flashes, touch the metal contact to confirm the association
  4. Enforce U2F on sudo commands

    1. Edit the file /etc/pam.d/sudo using your favorite editor (vim, vi, nano, emacs, etc.)
    2. Add the following line AFTER @include common-auth
       auth       required   pam_u2f.so
    3. Run the command sudo ls /root/
    4. Enter your sudo password but do not touch the U2F key. The command *should* fail because the key was never pressed. If the authentication is successful, then there is a problem.
    5. Run the same command again (sudo ls /root/) and enter your password. Press the metal contact when it begins flashing.
    6. This time you should see the contents of /root
  5. Enforce U2F on login

    1. Edit /etc/pam.d/gdm-password using your favorite editor
    2. Add the line below after the “@include common-auth”
       auth       required   pam_u2f.so

This should be enough to enforce U2F on your machine.

 

6. Add a Backup Key

It is of course always a good idea to add a backup key in case the key is lost. Otherwise, you won’t be able to log in.

 

  1. Insert your backup key
  2. Open a terminal and run
     pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
  3. Touch the metal contact when your device begins flashing.
  4. Store this backup in a safe/secure but accessible place.
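
A check of the finished setup, as an added example that is not part of the original guide or of Yubico's tooling: it verifies that a PAM service file has an active "auth required pam_u2f.so" line after "@include common-auth" and counts how many keys a user has registered. The function names, the user alice and the key values are constructed placeholders, and the key file is assumed to use pamu2fcfg's layout of one line per user with colon-separated keys.

```shell
#!/bin/sh
# Added example: audit the PAM line and key file this guide sets up.

# Succeeds only if an active "auth required pam_u2f.so" line comes after
# "@include common-auth" and no pam_u2f line comes before it.
pam_u2f_after_common_auth() {
    awk '
        $1 ~ /^#/ { next }                                  # ignore comments
        $1 == "@include" && $2 == "common-auth" { seen = 1; next }
        $1 == "auth" && $3 ~ /pam_u2f\.so$/ {
            if (seen && $2 == "required") ok = 1; else bad = 1
        }
        END { exit !(ok && !bad) }
    ' "$1"
}

# Prints the number of keys registered for USER in a key file
# (assumed layout: user:key1:key2..., each key a comma-separated record).
u2f_key_count() {
    awk -F: -v u="$2" '
        $1 == u { for (i = 2; i <= NF; i++) if ($i != "") n++ }
        END { print n + 0 }
    ' "$1"
}

# audit_u2f PAM_FILE KEYS_FILE USER -> 0 if U2F is enforced and USER has a key
audit_u2f() {
    rc=0
    pam_u2f_after_common_auth "$1" || { echo "FAIL: $1 does not enforce pam_u2f"; rc=1; }
    n=$(u2f_key_count "$2" "$3")
    [ "$n" -ge 1 ] || { echo "FAIL: no key for $3 in $2"; rc=1; }
    [ "$n" -ge 2 ] || echo "WARN: $3 has $n key(s), no backup key"
    return $rc
}

# Constructed sample files (placeholder key material, not real registrations).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '#%PAM-1.0' '@include common-auth' \
    'auth       required   pam_u2f.so' > "$demo/sudo"
printf 'alice:HANDLE1,PUBKEY1,es256,+presence' > "$demo/u2f_keys"
audit_u2f "$demo/sudo" "$demo/u2f_keys" alice      # warns: one key only
printf ':HANDLE2,PUBKEY2,es256,+presence' >> "$demo/u2f_keys"  # like pamu2fcfg -n >>
audit_u2f "$demo/sudo" "$demo/u2f_keys" alice      # passes silently
```

To check a real system, call audit_u2f /etc/pam.d/sudo ~/.config/Yubico/u2f_keys "$USER".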