U2F intro
Universal Second Factor (U2F) devices were invented as a second factor for websites using two-factor authentication. The website sends a challenge, and the U2F device signs it with a key pair that is bound to that site, but only after you press its button (proof of user presence). The only user interface the device provides is a small LED that starts blinking as soon as the device wants you to touch it and thus confirm the operation.
U2F devices are not limited to websites, though. Using the pam_u2f module, you can plug them into any service that authenticates through PAM.
Low hanging fruit
I used openSUSE Tumbleweed on my laptop, and successfully configured my U2F devices for the following services:
- console login, using /etc/pam.d/login
- sudo and sudo -i, using /etc/pam.d/sudo and /etc/pam.d/sudo-i respectively
- graphical login using SDDM (/etc/pam.d/sddm) or lightdm (/etc/pam.d/lightdm)
All of those services worked flawlessly, as soon as I
- installed the pam_u2f package,
- added a line to their respective PAM configuration and
- configured the device using pamu2fcfg:
sudo zypper in pam_u2f
cat /etc/pam.d/login
auth requisite pam_nologin.so
auth sufficient pam_u2f.so authfile=/etc/Yubico/u2f_keys cue
auth include common-auth
Make sure to add the line containing pam_u2f.so before the include for common-auth. The authfile= option names the mapping file, and cue makes pam_u2f print a reminder to touch the key. Be aware of what the control flag does here: because the line is sufficient and comes first, a successful touch satisfies the whole auth stack and the password modules behind common-auth are never consulted. That is convenient, but it makes the device a replacement for the password rather than a second factor, so whoever holds the key holds the account. If you want password and touch, use required instead of sufficient and keep the line in the same position.
pamu2fcfg > /etc/Yubico/u2f_keys
pamu2fcfg registers the attached device (registration is itself a U2F operation, so it asks for a touch) and prints one line for the current user: the username, a colon, then the key handle and public key. The /etc/Yubico directory has to exist, and the line must start with the login name of the account that will authenticate; if you generate it from a root shell, name the account with pamu2fcfg's -u option. After the configuration, you only need to trigger a PAM activity (login attempt, sudo call, …) and your device will start to flash its LED. Touch the button, done.
Conquering the KDE lock screen
Wow, that was easy. Getting KDE’s lock screen to work turned out to be a little trickier. The services above run with root privileges, so pam_u2f could open both the root-owned mapping file in /etc and the device node as root. kscreenlocker, however, runs as your user, so your user needs access to the U2F device and to a mapping file it can read.
Use the udev rule from the official documentation and put it into /etc/udev/rules.d/; it grants your logged-in user access to the device’s hidraw node, which is root-only by default. Then restart udevd via systemctl restart systemd-udevd and remove your device. After re-attaching the device, check whether you get any output when running pamu2fcfg as your user. If not, look at the permissions of the /dev/hidraw* node that appears when you plug the key in before you go debugging pam_u2f itself…
If you do get output, configure the device and put the resulting file into your home directory, which is the default location pam_u2f looks for ‘Authorization Mapper Files’, as they are called officially:
mkdir -p $HOME/.config/Yubico/
pamu2fcfg > $HOME/.config/Yubico/u2f_keys
Then configure /etc/pam.d/kscreenlocker the same way as the other services, but with the following line (again before the include for common-auth):
auth sufficient pam_u2f.so openasuser
Without authfile=, pam_u2f falls back to $HOME/.config/Yubico/u2f_keys of the user being authenticated, and openasuser tells it to open that file as that user rather than with the service's own privileges. Keep in mind that a mapping file in your home directory is writable by you, so anything running as your user can register an additional key; for the root-privileged services, the root-owned file in /etc is the safer choice.
Then keep your fingers crossed and try it out. Lock your screen and type a key or move your mouse to show the password prompt. Then hit RETURN with the password field empty (yes, you did not type a password), which starts the PAM authentication. Your device’s LED should blink; touch the button and your screen is unlocked. Magic…
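Before you log out and trust the new stack, it pays to check the two things that most often go wrong with both the /etc/pam.d/login setup and the kscreenlocker setup above: the pam_u2f.so line sitting after the common-auth include (the touch is never asked for) and the mapping file pam_u2f will actually consult having no line for your account (you lock yourself out). The following POSIX shell script is an added example, not code from the original post or from pam_u2f. It assumes a mapping line has the shape user:keyhandle,pubkey[,...] with further credentials separated by colons (which covers both the old and the current pam_u2f format), that the PAM file carries the auth lines shown in the post, and that $HOME/.config/Yubico/u2f_keys is the default mapping file when authfile= is absent. The demo runs on constructed copies in a temp directory; the key handle and public key values in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or from pam_u2f:
# sanity-check a PAM service file and the pam_u2f mapping file it points at.
# Assumptions (mine): mapping lines look like
#   user:keyhandle,pubkey[,...]:keyhandle,pubkey[,...]...
# and the PAM file uses "auth ... pam_u2f.so ..." / "auth include common-auth".

# Succeeds (exit 0) if the pam_u2f.so auth line comes before
# "auth include common-auth" in the given PAM service file.
pam_u2f_before_common_auth() {
    awk '
        /^[[:space:]]*#/ { next }                                # skip comments
        $1 == "auth" && /pam_u2f\.so/                          { u2f = NR }
        $1 == "auth" && $2 == "include" && $3 == "common-auth" { inc = NR }
        END { exit !(u2f && inc && u2f < inc) }
    ' "$1"
}

# Prints the mapping file that pam_u2f line will consult: the authfile=
# option when present, otherwise the per-user default below $2 (the home dir).
pam_u2f_authfile() {
    local pamfile="$1" home="$2" opt
    opt=$(awk '!/^[[:space:]]*#/ && /pam_u2f\.so/ {
                   for (i = 1; i <= NF; i++)
                       if ($i ~ /^authfile=/) { sub(/^authfile=/, "", $i); print $i; exit }
               }' "$pamfile")
    printf '%s\n' "${opt:-$home/.config/Yubico/u2f_keys}"
}

# Succeeds if the mapping file has a credential for the user: a line starting
# with "user:" whose first credential field is a keyhandle,pubkey pair.
# Returns 2 if the file cannot be read, the usual symptom when the file lives
# in /etc but the service runs as you (or the other way round).
authfile_has_user() {
    local authfile="$1" user="$2"
    [ -r "$authfile" ] || return 2
    awk -F: -v u="$user" '$1 == u && NF >= 2 && $2 ~ /,/ { ok = 1 } END { exit !ok }' "$authfile"
}

# Runs both checks for one service, prints a verdict and returns 0 or 1.
check_service() {
    local pamfile="$1" user="$2" home="$3" authfile
    pam_u2f_before_common_auth "$pamfile" \
        || { echo "$pamfile: pam_u2f.so line missing or after 'include common-auth'"; return 1; }
    authfile=$(pam_u2f_authfile "$pamfile" "$home")
    authfile_has_user "$authfile" "$user" \
        || { echo "$authfile: no credential line for $user (or file unreadable)"; return 1; }
    echo "$pamfile: OK, $user has a credential in $authfile"
}

# Demo on constructed files in a temp dir; nothing under /etc or $HOME is read.
demo() {
    local t; t=$(mktemp -d)
    mkdir -p "$t/home/.config/Yubico"
    # Constructed mapping entries; key handle and public key values are placeholders.
    printf 'alice:KEYHANDLE1,PUBKEY1\n' > "$t/u2f_keys"
    printf 'alice:KEYHANDLE2,PUBKEY2,es256,+presence\n' > "$t/home/.config/Yubico/u2f_keys"
    printf 'auth requisite pam_nologin.so\nauth sufficient pam_u2f.so authfile=%s/u2f_keys cue\nauth include common-auth\n' "$t" > "$t/login"
    printf 'auth sufficient pam_u2f.so openasuser\nauth include common-auth\n' > "$t/kscreenlocker"
    printf 'auth include common-auth\nauth sufficient pam_u2f.so cue\n' > "$t/broken"
    check_service "$t/login" alice "$t/home"          # OK: authfile= points at the /etc-style file
    check_service "$t/kscreenlocker" alice "$t/home"  # OK: falls back to the per-user default file
    check_service "$t/broken" alice "$t/home"         # fails: pam_u2f.so line after common-auth
    check_service "$t/login" bob "$t/home"            # fails: no line for bob in the mapping file
    rm -rf "$t"
}

demo
```

To use it on the real system, source the file and call check_service with the service file, your login name and your home directory, for instance check_service /etc/pam.d/sudo "$USER" "$HOME". It checks files only, not the device: for that, run pamu2fcfg as your user as described above, and keep a second terminal open while you test the new stack with sudo -k followed by sudo true, so a broken configuration never costs you the session you are sitting in.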
Bonus points: Lock your screen if you remove your device
Unlocking your lock screen with your U2F device is pretty nice, but you should remember to lock your screen. And remove the device. Wouldn’t it be awesome if you had to think of only one thing? The next part will cover how to do that with a simple udev rule.