Differences between revisions 2 and 3
Revision 2 as of 2016-03-07 03:53:42
Size: 870
Editor: PaulWise
Comment:
Revision 3 as of 2021-10-20 03:53:44
Size: 2819
Editor: ?Celejar
Comment:
Deletions are listed under "Deleted:", additions under "Added:".

Revision 2 line 5 / Revision 3 line 5:
Deleted:
WARNING: you might lock yourself out of your system while changing PAM configurations
Added:
=== Setup ===

Revision 2 line 7 / Revision 3 line 7:
Deleted:
=== Client side setup ===
Added:
PAM integration is accomplished via [[https://github.com/Yubico/pam-u2f|Yubico's pam-u2f module]].

Revision 2 line 19 / Revision 3 line 19:
Deleted:
=== Xscreensaver configuration ===
Added:
Create authorization maps ([[https://github.com/Yubico/pam-u2f#authorization-mapping-files|full documentation]]):

Revision 2 line 21 / Revision 3 line 21:
Deleted:
WARNING: Xscreensaver will require both your password and your U2F key

Create the key:

Revision 2 line 29 / Revision 3 line 26:
Deleted:
Add the following line at the end of /etc/pam.d/xscreensaver
Added:
=== PAM configuration ===

WARNING: it is possible to lock yourself out of your system while changing PAM configuration.

PAM can be configured via either {{{/etc/pam.conf}}} or (more commonly) individual appropriately named files under {{{/etc/pam.d/}}}. Using the latter method, add lines like the following to files such as {{{/etc/pam.d/xscreensaver}}} and {{{/etc/pam.d/lightdm}}}

To allow password-less login using just the U2F key, use lines like:

{{{
auth sufficient pam_u2f.so
}}}

To use the U2F key as a required second factor (2FA), use lines like:

Revision 2 line 34 / Revision 3 line 45:
Added:
Note that integration with the existing default PAM configuration files supplied by Debian is tricky, and the order of the lines in the PAM files is apparently important. When using `sufficient`, it seems that the line should be added '''before''' {{{@include common-auth}}}, to avoid being asked first for a password, whereas when using `required`, the line may be added afterward. See [[https://github.com/Yubico/pam-u2f#installation|the documentation]] for more information, including some useful module options such as `cue` and `debug`

Additional resources:

 * [[https://adl1995.github.io/passwordless-logins-with-yubikey.html|Passwordless logins with Yubikey]]

Revision 2 line 36 / Revision 3 line 53:
Deleted:
Not supported yet.
Added:
OpenSSH supports FIDO/U2F keys [[https://www.openssh.com/txt/release-8.2|from version 8.2]]:

{{{
ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk
}}}

As per the documentation:

 This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.

See [[https://www.openssh.com/txt/release-8.2|the documentation]] and {{{man ssh-keygen}}} for more details.

Revision 2 line 40 / Revision 3 line 67:
Deleted:
[[https://en.wikipedia.org/wiki/Universal_2nd_Factor|wikipedia]]
[[https://github.com/Yubico/pam-u2f|pam-u2f]]
Added:
 * [[https://en.wikipedia.org/wiki/Universal_2nd_Factor|Universal 2nd Factor at Wikipedia]]
 * [[https://wiki.archlinux.org/title/Universal_2nd_Factor|Universal 2nd Factor at ArchWiki]]

Using U2F keys in Debian

U2F is an open standard for two-factor authentication that can be provided by cheap USB dongles.

Setup

PAM integration is accomplished via Yubico's pam-u2f module (https://github.com/Yubico/pam-u2f).

Check for the USB dongle:

lsusb | grep U2F

Install the required libraries:

sudo apt-get install pamu2fcfg libpam-u2f

Create authorization maps (full documentation: https://github.com/Yubico/pam-u2f#authorization-mapping-files):

mkdir -p ~/.config/Yubico
pamu2fcfg >> ~/.config/Yubico/u2f_keys

PAM configuration

WARNING: it is possible to lock yourself out of your system while changing PAM configuration.

PAM can be configured via either /etc/pam.conf or (more commonly) individual, appropriately named files under /etc/pam.d/. Using the latter method, add lines like the following to the files of the services that should accept the key, such as /etc/pam.d/xscreensaver and /etc/pam.d/lightdm.

To allow password-less login using just the U2F key, use lines like:

auth sufficient pam_u2f.so

To use the U2F key as a required second factor (2FA), use lines like:

auth required pam_u2f.so

Note that integration with the default PAM configuration files supplied by Debian is tricky, and the order of the lines in the PAM files matters. When using sufficient, the line should be added before @include common-auth: a successful pam_u2f check then satisfies the auth stack on its own, so you are not asked for a password first. When using required, the line may be added afterward, in which case the password is checked first and the key second. See the pam-u2f documentation (https://github.com/Yubico/pam-u2f#installation) for more information, including useful module options such as cue and debug.
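The ordering rule above can be checked mechanically. The following POSIX shell function is an added example, not part of the wiki page or of the pam-u2f project: it finds the first auth line loading pam_u2f.so and the @include common-auth line in a PAM service file and reports when a sufficient line sits after the include (the case where the password is asked for first). The sample service files it checks are constructed here and are not Debian's shipped /etc/pam.d files.

```shell
#!/bin/sh
# Added example, not from the Debian wiki or pam-u2f.
# Report how a pam_u2f.so auth line is ordered relative to "@include common-auth".
# Prints one token; exits non-zero when the file is problematic or cannot be judged:
#   ok                        consistent with the rule of thumb in the text
#   sufficient-after-include  "sufficient" placed after common-auth: password asked first
#   no-u2f / no-common-auth   nothing to judge in this file
pam_u2f_order_check() {
    awk '
        /^[[:space:]]*#/ { next }                                 # skip comments
        $1 == "auth" && /pam_u2f\.so/ && !u2f { u2f = NR; ctl = $2 }  # first pam_u2f auth line, control flag
        $1 == "@include" && $2 == "common-auth" && !inc { inc = NR }  # first include of common-auth
        END {
            if (!u2f) { print "no-u2f"; exit 1 }
            if (!inc) { print "no-common-auth"; exit 1 }
            if (ctl == "sufficient" && u2f > inc) { print "sufficient-after-include"; exit 1 }
            print "ok"
        }' "$1"
}

# Constructed sample service files (not Debian's /etc/pam.d files).
# The first stack logs in without a password when the key is present; the
# second asks for the password first because common-auth runs before pam_u2f;
# the third uses the key as a second factor after the password.
write_samples() {
    dir="$1"
    printf '%s\n' '# password-less: pam_u2f first, marked sufficient' \
        'auth sufficient pam_u2f.so cue' \
        '@include common-auth' \
        '@include common-account' > "$dir/sufficient_before"
    printf '%s\n' '@include common-auth' \
        'auth sufficient pam_u2f.so' > "$dir/sufficient_after"
    printf '%s\n' '@include common-auth' \
        'auth required pam_u2f.so cue' > "$dir/required_after"
}

# Stand-alone demonstration over the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in sufficient_before sufficient_after required_after; do
    printf '%-18s %s\n' "$f:" "$(pam_u2f_order_check "$demo_dir/$f" || true)"
done
rm -rf "$demo_dir"
```

Run it as `pam_u2f_order_check /etc/pam.d/xscreensaver` after editing a file. A passing check is not a substitute for a live test: keep a separate root shell open while changing PAM files and confirm that the edited service still authenticates before logging out, since an unreadable u2f_keys file or a wrong module line will otherwise lock you out exactly as the warning above says.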

Additional resources:

 * Passwordless logins with Yubikey: https://adl1995.github.io/passwordless-logins-with-yubikey.html

SSH

OpenSSH supports FIDO/U2F keys from version 8.2 (https://www.openssh.com/txt/release-8.2):

ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk

As per the documentation:

    This will yield a public and private key-pair. The private key file should be useless to an attacker who does not have access to the physical token. After generation, this key may be used like any other supported key in OpenSSH and may be listed in authorized_keys, added to ssh-agent(1), etc. The only additional stipulation is that the FIDO token that the key belongs to must be attached when the key is used.

See the OpenSSH 8.2 release notes (https://www.openssh.com/txt/release-8.2) and man ssh-keygen for more details.
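Once FIDO-backed keys are listed in authorized_keys alongside ordinary ones, it is useful to see which is which. The following POSIX shell function is an added example, not from the wiki page or from OpenSSH: it counts the keys whose type is one of OpenSSH's security-key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) versus conventional software keys, and flags lines carrying the no-touch-required option, which waives the physical-presence check that the quoted release notes describe as the key's extra stipulation. It assumes that an options prefix contains no spaces (true for the usual comma-separated lists); the sample file is constructed and its key blobs are placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the Debian wiki or OpenSSH.
# Summarise an authorized_keys file: how many keys are FIDO/U2F-backed ("sk-" types),
# how many are conventional, and how many carry the no-touch-required option.
audit_authorized_keys() {
    awk '
        BEGIN {
            # Key types OpenSSH uses for FIDO/U2F-backed keys
            sk["sk-ecdsa-sha2-nistp256@openssh.com"] = 1
            sk["sk-ssh-ed25519@openssh.com"] = 1
            # Conventional software key types
            plain["ssh-ed25519"] = 1; plain["ssh-rsa"] = 1
            plain["ecdsa-sha2-nistp256"] = 1; plain["ecdsa-sha2-nistp384"] = 1
            plain["ecdsa-sha2-nistp521"] = 1
        }
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        {
            # A key line is "[options] keytype base64 [comment]". If the first field
            # is not a key type, treat it as the options list (assumption: the options
            # contain no spaces, which holds for the usual comma-separated lists).
            if ($1 in sk || $1 in plain) { opts = ""; type = $1 } else { opts = $1; type = $2 }
            if (type in sk) nsk++; else nother++
            if (opts ~ /(^|,)no-touch-required(,|$)/) notouch++
        }
        END { printf "sk=%d other=%d no-touch=%d\n", nsk, nother, notouch }
    ' "$1"
}

# Constructed sample authorized_keys; the blobs are placeholders, not real keys.
write_sample_authorized_keys() {
    cat > "$1" <<'EOF'
# constructed sample, not a real authorized_keys file
sk-ecdsa-sha2-nistp256@openssh.com AAAA_PLACEHOLDER_NOT_A_REAL_KEY laptop-token
no-touch-required,command="/usr/local/bin/backup" sk-ssh-ed25519@openssh.com AAAA_PLACEHOLDER_NOT_A_REAL_KEY backup-token
ssh-ed25519 AAAA_PLACEHOLDER_NOT_A_REAL_KEY software-key
EOF
}

# Stand-alone demonstration over the constructed sample.
sample=$(mktemp)
write_sample_authorized_keys "$sample"
audit_authorized_keys "$sample"    # sk=2 other=1 no-touch=1
rm -f "$sample"
```

Run it as `audit_authorized_keys ~/.ssh/authorized_keys`. A non-zero no-touch count is worth reviewing: such a key still needs the token attached, but it no longer needs a deliberate touch, so it gives up the property the release notes single out.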

See Also

 * Universal 2nd Factor at Wikipedia: https://en.wikipedia.org/wiki/Universal_2nd_Factor
 * Universal 2nd Factor at ArchWiki: https://wiki.archlinux.org/title/Universal_2nd_Factor