I'm a Python, Linux, Nix/NixOS, JavaScript... basically everything open-source enthusiast.
Login to computer with YubiKey

Yubikey personal login to your computer with use of PAM and U2F.

Intro

PAM

  • Pluggable authentication modules
  • It is an authentication system for Linux
  • It is used for password, u2f, otp, … based authentications

YubiKey - U2F

  • Universal 2nd Factor
  • Used like specialized device - not as keyboard like YubiKey slots
  • You can use it when ex. Yubikey is flashing

PAM-U2F

  • PAM module/library separately provided by Yubico

Login with Yubikey

NixOS - setup

Example for NixOS

NixOS relevant options (/etc/nixos/configuration.nix):

  • Enable hardware support, basically just add udev rules: hardware.u2f.enable = true;
  • Enable pam-u2f module: security.pam.u2f.enable = true;
  • Set authentication to required (you will always needed to use Yubikey with password): security.pam.u2f.control = “required”;, default is sufficient
  • Enable for programs: security.pam.services.<program>.u2fAuth = true;, examples:
{
    security.pam.services.login.u2fAuth = true;
    security.pam.services.lightdm.u2fAuth = true;
    security.pam.services.slock.u2fAuth = true;
}
  • Run as user (do this before rebuilding if control was set to required):
mkdir ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys

Rebuild.

Ubuntu - setup

Example for Ubuntu

  • install pam_u2f.so lib, ex: apt-get install libpam-u2f
  • install pamu2fcfg cli tool, ex: apt-get install pamu2fcfg
  • Run as user:
mkdir ~/.config/Yubico
pamu2fcfg > ~/.config/Yubico/u2f_keys
  • add auth required pam_u2f.so to **/etc/pam.d/** (somewhere at the top, first line preferably)

Logout

First, create a command, then add a udev rule to execute it on Yubikey removal.

1. Create command for lock screen of all sessions

Create new file /usr/bin/lockscreen-all with content:

#!/usr/bin/env bash
if [ -z "$(lsusb | grep Yubico)" ]; then
  loginctl list-sessions | grep '^\ ' | awk '{print $1}' | xargs -i loginctl lock-session '{}'
fi

Make it executable:

chmod +x /usr/bin/lockscreen-all

2. NixOS - udev rule

This is for Yubikey 4.

{
    services.udev.extraRules = ''
        ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/usr/bin/lockscreen-all"
    '';
}

2. Ubuntu - udev rule

This is for Yubikey 4.

Create new file /etc/udev/rules.d/99-remove-yubikey.rules with content:

ACTION=="remove", ENV{ID_VENDOR_ID}=="1050", ENV{ID_MODEL_ID}=="0407", RUN+="/usr/bin/lockscreen-all"

pam-u2f