Login to computer with YubiKey

Logging in to your computer with a personal YubiKey, using PAM and U2F.

Intro

PAM

  • Pluggable Authentication Modules
  • The authentication framework used on Linux
  • Used for password-, U2F-, OTP-, … based authentication

YubiKey - U2F

  • Universal 2nd Factor
  • Used as a dedicated device, not as a keyboard (the way the YubiKey OTP slots are)
  • You touch the key when it flashes, e.g. at the login prompt

PAM-U2F

  • PAM module/library separately provided by Yubico

Login with Yubikey

NixOS - setup

Example for NixOS

NixOS relevant options (/etc/nixos/configuration.nix):

  • Enable hardware support, which basically just adds the udev rules: hardware.u2f.enable = true;
  • Enable the pam-u2f module: security.pam.u2f.enable = true;
  • Set the control to required (you will always need the YubiKey in addition to the password): security.pam.u2f.control = "required"; (the default is sufficient)
  • Enable it per program: security.pam.services.<program>.u2fAuth = true; for example:
{
    security.pam.services.login.u2fAuth = true;
    security.pam.services.lightdm.u2fAuth = true;
    security.pam.services.slock.u2fAuth = true;
}
  • Run as user (do this before rebuilding if control was set to required):
mkdir ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

Rebuild.

Ubuntu - setup

Example for Ubuntu

  • Install the pam_u2f.so library, e.g. apt-get install libpam-u2f
  • Install the pamu2fcfg CLI tool, e.g. apt-get install pamu2fcfg
  • Run as user:
mkdir ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
  • Add auth required pam_u2f.so to the relevant service file in /etc/pam.d/ (somewhere at the top, preferably the first line)
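With the control set to required (NixOS) or auth required (Ubuntu), a missing or truncated u2f_keys file locks you out of every service it is enabled for, so it is worth checking the file written by pamu2fcfg before rebuilding or editing /etc/pam.d/. The following is an added example, not code from the original post: check_u2f_keys FILE USER returns 0 when FILE holds at least one complete credential for USER and 1 otherwise. It assumes the line layout pamu2fcfg writes, user:keyhandle,publickey[,options][:keyhandle,publickey...]; the sample file at the bottom is constructed.

```shell
#!/usr/bin/env sh
# Added example: pre-flight check of the pam-u2f key file.
# Assumed layout per line: <user>:<keyhandle>,<publickey>[,<options>][:<keyhandle>,<publickey>...]
check_u2f_keys() {
  file="$1"; user="$2"
  [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
  # '|| [ -n "$line" ]' also handles a last line without a trailing newline
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$user:"*) ;;          # an entry for this user
      *) continue ;;
    esac
    rest="${line#"$user:"}"
    # Credentials are ':'-separated; walk them without bash arrays (POSIX sh)
    while [ -n "$rest" ]; do
      cred="${rest%%:*}"
      if [ "$cred" = "$rest" ]; then rest=""; else rest="${rest#*:}"; fi
      handle="${cred%%,*}"
      pubkey="${cred#*,}"; pubkey="${pubkey%%,*}"
      # Key handle and public key must both be present; an aborted pamu2fcfg
      # run leaves "user:" with nothing behind it.
      if [ -n "$handle" ] && [ "$cred" != "$handle" ] && [ -n "$pubkey" ]; then
        return 0
      fi
    done
  done < "$file"
  echo "no complete credential for $user in $file" >&2
  return 1
}

# Constructed sample file (not real credentials) showing a good entry,
# an entry with newer pamu2fcfg option fields, and a truncated one.
demo_dir=$(mktemp -d)
printf 'alice:KH_ALICE,PK_ALICE\nbob:KH_BOB,PK_BOB,es256,+presence\ncarol:\n' \
  > "$demo_dir/u2f_keys"
for u in alice bob carol; do
  if check_u2f_keys "$demo_dir/u2f_keys" "$u" 2>/dev/null; then
    echo "$u: ok"
  else
    echo "$u: NOT safe to set required"
  fi
done
rm -rf "$demo_dir"
```

Run it as the user whose key was enrolled, e.g. check_u2f_keys ~/.config/Yubico/u2f_keys "$USER", and only then rebuild or edit the PAM service file.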

Logout

First, create a command, then add a udev rule to execute it on Yubikey removal.

1. Create command for lock screen of all sessions

Create new file /usr/bin/lockscreen-all with content:

#!/usr/bin/env bash
# Lock every logind session, but only if no Yubico device is still attached
# (udev runs this as root on the "remove" event, so there is no user session context).
if ! lsusb | grep -q Yubico; then
  # --no-legend drops the header and footer lines so awk only sees session rows
  loginctl list-sessions --no-legend | awk '{print $1}' | xargs -I{} loginctl lock-session {}
fi

Make it executable:

chmod +x /usr/bin/lockscreen-all

2. NixOS - udev rule

This is for Yubikey 4.

{
    services.udev.extraRules = ''
        ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/usr/bin/lockscreen-all"
    '';
}

2. Ubuntu - udev rule

This is for Yubikey 4.

Create new file /etc/udev/rules.d/99-remove-yubikey.rules with content:

ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/usr/bin/lockscreen-all"
