Yesterday I wrote about the security keys I use, and today I thought I would describe how I use the SoloKey as an extra security precaution on my Linux computers.
First things first: this would not (yet) be possible without the groundwork done by the team at Yubico. They created the PAM (Pluggable Authentication Module) module needed for U2F authentication, which is also why we get the software from them in the first place (it is also available on GitHub if you want to verify or modify the source code).
Installation
I primarily use Ubuntu and Arch Linux on my machines, so in this post I will describe how to install it on those two distributions.
Arch Linux:
sudo pacman -S pam-u2f
Ubuntu Linux:
sudo add-apt-repository ppa:yubico/stable && sudo apt update
sudo apt install libpam-u2f
In order for your SoloKey to get recognized by the udev system in Linux, you will have to add a rule for it to udev. This is done by creating a new udev rule file:
sudo vim /etc/udev/rules.d/70-solokeys.rules
Add the following lines to the file and save it:
ACTION!="add|change", GOTO="solokeys_end"
# SoloKeys rule
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{idVendor}=="0483", ATTRS{idProduct}=="a2ca", TAG+="uaccess"
LABEL="solokeys_end"
Reload udev so the new rule will be active:
sudo udevadm control --reload-rules
Now you are ready to use your SoloKey in Linux and can move on to configuring PAM.
Configuration
Now that we have the PAM module installed, it is time to add your SoloKey to it. I have chosen to keep the configuration for my user as a personal configuration in my home folder. This can also be done via /etc, but I will not cover that this time.
Create the configuration folder for the keys storage:
mkdir ~/.config/Yubico
It is important that the folder is called Yubico exactly as written here, as the PAM module is hardcoded to use this location.
The PAM module comes with a configuration tool that can be used to create the key strings in the configuration for your SoloKeys. Simply plug your SoloKey into the USB port and then run the following command in a terminal:
pamu2fcfg > ~/.config/Yubico/u2f_keys
Again the file name is important.
Your SoloKey will start to blink, which means you need to press the button. Note that sometimes you have to hold down the button for a second or so for it to react. When pamu2fcfg has identified your device, it will let you know in the console.
It is highly recommended to have a backup key, as you will be completely locked out if your only key gets stolen, breaks or is otherwise lost.
If you add another key, it is very important that you do not use the previous command for the new key but instead use the following (it adds a newline and appends to the file instead of overwriting it):
pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
SoloKeys and sudo
Now your key is registered and ready for PAM to use. The best way to test this is to change the authentication scheme for the sudo command. Before doing so, please consider opening an extra terminal and becoming root there with “sudo su” or “sudo /bin/bash”. That way you will still have a way in to disable your changes if something has gone wrong.
Now you can change the pam config file for sudo:
sudo vim /etc/pam.d/sudo
Find a line near the beginning of the file that looks like:
@include common-auth
and add the following line right after it:
auth required pam_u2f.so
This means that after the common login (your normal sudo password prompt) you will be asked to authenticate with pam_u2f (your SoloKey).
Save the file and then try something simple like:
sudo echo "SoloKeys rock"
If no SoloKey is inserted into the USB port, the command will fail after the password has been entered. If the SoloKey is inserted, it will start blinking and you will then have around 10 seconds to press the button on the SoloKey. Again, you might have to hold the button for a second or so for the press to register.
If everything has gone as planned, then you will see it print “SoloKeys Rock” to the terminal.
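Before you lock the key into sudo or the display manager, it helps to confirm that the u2f_keys file you built above actually lists a backup key and that the pam_u2f line landed after the common-auth include. The script below is an added example and not part of the original post: it parses a u2f_keys file in the "user:keyhandle,pubkey:keyhandle,pubkey" form the post produces (key handle base64url, public key hex; newer pam-u2f versions add ",es256,+presence" fields, which this script does not handle), and it uses constructed sample keys rather than real credentials.

```shell
#!/bin/sh
# Added example (not from the post): pre-flight checks for a pam-u2f setup.
# Assumes the older two-field u2f_keys format shown on the page.

# count_keys FILE USER: print the number of keys registered for USER (0 if none)
count_keys() {
    awk -F: -v user="$2" '
        $1 == user { print NF - 1; found = 1; exit }
        END { if (!found) print 0 }
    ' "$1"
}

# valid_entries FILE: exit 0 if every "keyhandle,pubkey" field is well-formed.
# Catches the failure mode of appending a second key without a newline, which
# glues the next "user:" onto the previous public key so the line no longer
# parses as two separate keys.
valid_entries() {
    awk -F: '
        NF < 2 { bad = 1 }
        { for (i = 2; i <= NF; i++)
              if ($i !~ /^[A-Za-z0-9_-]+,[0-9a-f]+$/) bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# pam_u2f_after_common_auth FILE: exit 0 if "auth required pam_u2f.so" appears
# on a line after "@include common-auth", as the post instructs for /etc/pam.d/sudo
pam_u2f_after_common_auth() {
    awk '
        /^@include[ \t]+common-auth/ { inc = NR }
        /^auth[ \t]+required[ \t]+pam_u2f\.so/ && inc && NR > inc { ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Constructed sample data (not real key handles or public keys)
TMP=$(mktemp -d)
GOOD="$TMP/u2f_keys_good"    # one user, primary key plus a backup key
BAD="$TMP/u2f_keys_glued"    # second key appended straight onto the first line
PAM="$TMP/sudo"              # pam config in the order the post describes
printf 'alice:AAAAkh1,04aa11:BBBBkh2,04bb22\n' > "$GOOD"
printf 'alice:AAAAkh1,04aa11alice:BBBBkh2,04bb22\n' > "$BAD"
printf '@include common-auth\nauth required pam_u2f.so\n' > "$PAM"

echo "keys for alice: $(count_keys "$GOOD" alice)"
valid_entries "$BAD" || echo "glued file does not parse: re-register with -n"
pam_u2f_after_common_auth "$PAM" && echo "pam_u2f.so is ordered after common-auth"
```

Run it against your own files by pointing the functions at ~/.config/Yubico/u2f_keys and /etc/pam.d/sudo instead of the samples.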
SoloKeys and the desktop
Now you are ready to change your desktop login to use the key as well.
The procedure is the same, but this time look for the PAM config file called:
/etc/pam.d/gdm-password # if you use gdm for login
/etc/pam.d/lightdm # if you use lightdm
Add the line to the file in the same way and at the same location as described above for sudo. After this you can log out of your desktop and try to log in again. Your login will fail if you do not have the SoloKey inserted in the USB port.
The SoloKey will blink after you have entered your password, and then you need to press the button to get fully logged into your desktop.
You can make the same change to other files in /etc/pam.d/. If you for instance use the GNOME screensaver, you can add the line to /etc/pam.d/gnome-screensaver, and if you want to require it for the plain console login (if you boot without a desktop or run a server), you can add it to /etc/pam.d/login.
A word of warning: you can get really locked out of your system if you do not do this the right way. If that happens, boot your system in recovery mode (or single-user mode) and revert your changes.
Hope this helps getting you to love your SoloKey even more – I know I did!
PS: this will of course also work with the OnlyKey U2F and YubiKeys.
Michael
August 27, 2019 @ 21:58
Thank-you! This is brilliant. Worked perfectly.
Kim Schulz
August 28, 2019 @ 06:00
I am glad that it works for you.
Christopher Moreira
February 18, 2020 @ 23:27
Is there a guide for installing onto CentOS 7 and CentOS 8?
Christopher Moreira
February 27, 2020 @ 19:59
On Ubuntu 14.04 I had to install pamu2fcfg:
sudo apt-get -y install pamu2fcfg
Christopher Moreira
March 7, 2020 @ 18:27
To replace a key:
pamu2fcfg >> ~/.config/Yubico/u2f_keys
Then, remove everything before the next “ubuntu:” entry.
nano ~/.config/Yubico/u2f_keys
You’ll see something like:
ubuntu:1aoIRCptSzwm1Yz_gSmKze2901d1U1lkdhmk5KZrCI532tuiPI_rKqWJYBKwQGAt,045bec2a7c1c42590111e7f46e1fbdefed4f0c91a607b0ba96db210a9e914181417fb3c0898e70e41c566578952655d1745d21af3fc1b35f0d5db86718a27509dcubuntu:1aoIRCptSzwm1Yz_mSmKze2901d1U1lkdhmk5KZrCI532tuiPI_rKqWJYBKwQGAt,045bec2a7c1c42590111d7f46e1fbdef0d4f0c91a607b0ba96db210a9e914181417fb3c0898e70e41c566578952655d1745d21ef3fc1b35f0ds1b867d8a27509dc
So just remove everything before the second ‘ubuntu:’ entry and only the new key will be relevant when logging in.
alin
May 23, 2020 @ 14:00
Cool, just a comment:
one can change the file location with the authfile option, something like
auth sufficient pam_u2f.so debug authfile=/root/.config/solokeys
Kim Schulz
May 23, 2020 @ 20:21
Thanks. The thing is that the system normally uses an auth file per user so it would require that it works with dynamic path like /home/$USER/.config/solokeys/
S
April 24, 2021 @ 13:15
Great tutorial thanks a lot!
Is it possible to use this U2F in addition to the encryption passphrase for the disk encryption before logging in?
Sadness
March 11, 2022 @ 18:23
It doesn’t work for Manjaro 21. If I type > sudo [command] it demands the root password and also to touch the key, but it doesn’t recognize the touch.