YubiKey personal login to your computer using PAM and U2F.
Intro
PAM
- Pluggable authentication modules
- It is the authentication framework used on Linux
- It is used for password, U2F, OTP, … based authentication
YubiKey - U2F
- Universal 2nd Factor
- Used as a dedicated device, not as a keyboard like the YubiKey OTP slots
- You confirm presence by touching the YubiKey when it is flashing
PAM-U2F
- PAM module/library separately provided by Yubico
Login with Yubikey
NixOS - setup
Example for NixOS
NixOS relevant options (/etc/nixos/configuration.nix):
- Enable hardware support, basically just add udev rules: hardware.u2f.enable = true;
- Enable pam-u2f module: security.pam.u2f.enable = true;
- Set authentication to required (you will always need the YubiKey in addition to the password): security.pam.u2f.control = "required"; the default is sufficient
- Enable for programs: security.pam.services.<program>.u2fAuth = true;, examples:
- Run as user (do this before rebuilding if control was set to required):
Rebuild.
Ubuntu - setup
Example for Ubuntu
- install pam_u2f.so lib, ex: apt-get install libpam-u2f
- install pamu2fcfg cli tool, ex: apt-get install pamu2fcfg
- Run as user:
- add auth required pam_u2f.so to /etc/pam.d/ (somewhere at the top, first line preferably)
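Both setups hinge on the same two details: pam_u2f.so must be listed with control "required" (not the default "sufficient") and it should be the first auth entry so nothing earlier can short-circuit it. The script below is an added example, not part of the original page; it checks a PAM service file for exactly those two properties, using constructed sample files rather than the real /etc/pam.d/ entries.

```shell
#!/bin/sh
# Added example (not from the original page): verify that a PAM service
# file lists pam_u2f.so as its FIRST "auth" entry with control "required".
# Return codes: 0 = ok, 1 = pam_u2f.so absent, 2 = present but not the
# first auth line, 3 = first auth line but control is not "required".
# Note: bracketed controls such as "[success=1 default=ignore]" contain
# spaces and are reported as code 3, which is the conservative outcome.
check_pam_u2f() {
    pamfile="$1"
    first_auth=""
    u2f_line=""
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        set -f; set -- $line; set +f      # split fields, no globbing
        [ "$1" = "auth" ] || continue     # only the auth stack matters here
        if [ -z "$first_auth" ]; then first_auth="$line"; fi
        case "$line" in
            *pam_u2f.so*) u2f_line="$line"; break ;;
        esac
    done < "$pamfile"
    [ -n "$u2f_line" ] || return 1
    [ "$u2f_line" = "$first_auth" ] || return 2
    set -f; set -- $u2f_line; set +f
    [ "$2" = "required" ] || return 3
    return 0
}

# Constructed sample files (hypothetical contents, not real system files).
SAMPLES="$(mktemp -d)"
cat > "$SAMPLES/good" <<'EOF'
# constructed: what the page recommends, pam_u2f first and required
auth       required   pam_u2f.so
@include common-auth
session    required   pam_env.so
EOF
cat > "$SAMPLES/weak" <<'EOF'
# constructed: pam_u2f present but after pam_unix (password alone suffices)
auth       required   pam_unix.so
auth       sufficient pam_u2f.so
EOF
cat > "$SAMPLES/sufficient" <<'EOF'
# constructed: first, but "sufficient" lets a later password-only path pass
auth       sufficient pam_u2f.so
auth       required   pam_unix.so
EOF

for f in good weak sufficient; do
    check_pam_u2f "$SAMPLES/$f"; echo "$f: rc=$?"
done
```

Run it against your own /etc/pam.d/ service file (sudo, login, gdm-password, …) by passing the path to check_pam_u2f; a non-zero code means the second factor can be bypassed by whatever precedes it.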
Logout
First, create a command that locks every session, then add a udev rule that runs it when the YubiKey is removed.
1. Create a command that locks the screen of all sessions
Create new file /usr/bin/lockscreen-all with content:
Make it executable:
2. NixOS - udev rule
This is for YubiKey 4.
2. Ubuntu - udev rule
This is for YubiKey 4.
Create new file /etc/udev/rules.d/99-remove-yubikey.rules with content:
Links
pam-u2f