So now you have used your SoloKey to log into your Linux machine, but by now you have maybe gotten a bit annoyed about having to both input a password AND have the key inserted and pressed.
Don’t worry! You can also use your SoloKey as the primary source of authentication and only require a password if your key is not available.
The way to do this is almost identical to when you used it together with a password. However, when you add the change to the files in /etc/pam.d/, you add the following line BEFORE the line with @include common-auth instead of after it:
auth sufficient pam_u2f.so
You have to remove the previous line you inserted after the common-auth line if you have previously followed my other guide.
Notice the difference between the new line you inserted and the one you previously inserted? The big difference is the word “sufficient”, which tells PAM that if you do have your SoloKey available, then it will be sufficient authentication for the login. If the SoloKey is not available, then it will fall through to the next line where common-auth (aka password login) takes over.
It can’t get much easier than that, and it even works when you forget your SoloKey. This is however also the downside: it will actually not strengthen your Linux security but more likely weaken it (as now a bad guy can steal either your SoloKey or your password to log in, and either one will get him access!!).
The setup with only the SoloKey for login is very convenient, especially for sudo, but I would not recommend it if you are very security conscious.
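The ordering rule above can be checked mechanically. The following is an added example, not part of the original guide: it reads a PAM service file and reports whether the key is an alternative to the password or a second factor. The sample files, the service names and the `required` control on the earlier two-factor line are assumptions made for illustration.

```python
import re

# Constructed sample service files in the style of /etc/pam.d/sudo (not from a real system).
KEY_FIRST = """\
#%PAM-1.0
auth sufficient pam_u2f.so
@include common-auth
@include common-account
"""
KEY_AFTER = """\
#%PAM-1.0
@include common-auth
auth required pam_u2f.so   # assumed form of the earlier two-factor line
@include common-account
"""

# Matches: type, control (plain word or [bracketed] form), module path
AUTH_RE = re.compile(r"^-?auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def classify_u2f_policy(pam_text):
    """Report how pam_u2f combines with the common-auth password stack."""
    u2f = include = None            # (line number, control) / line number
    for number, raw in enumerate(pam_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        if line.split()[:2] == ["@include", "common-auth"]:
            include = include or number
        match = AUTH_RE.match(line)
        if match and match.group(2).endswith("pam_u2f.so") and u2f is None:
            u2f = (number, match.group(1))
    if u2f is None:
        return "password-only"
    u2f_line, control = u2f
    if control == "sufficient" and include and u2f_line < include:
        return "key-or-password"     # key alone logs in; password is the fallback
    if control in ("required", "requisite") and include:
        return "key-and-password"    # both factors must succeed
    return "unrecognised"            # any other layout needs a manual look

def audit(files):
    """Map each service name to its policy so single-factor services stand out."""
    return {name: classify_u2f_policy(text) for name, text in files.items()}

if __name__ == "__main__":
    # Service names here are constructed examples.
    for name, policy in audit({"sudo": KEY_FIRST, "login": KEY_AFTER}).items():
        print(f"{name}: {policy}")
```

Services reported as `key-or-password` are the ones where either the key or the password alone grants access.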
PS: Do remember to support the new super-cool SoloKey project called Somu. It is a tiny USB hardware key that almost fits completely into the USB socket of your computer. Pretty brilliant if you ask me. Sign up to support it at Crowd Supply.
My1
September 19, 2019 @ 14:57
One thing I would love would be either FIDO2 login with PIN or instead be able to use a secondary, weaker password in conjunction with U2F so I would have a big password if I don’t want to or can’t use U2F, but a smaller one in case I do.
Kim Schulz
October 18, 2019 @ 08:43
That’s a neat idea. I am not sure it is possible with today’s PAM systems but I guess it could be added as a specific extension with all of the mentioned in the same one extension.
joe
November 22, 2019 @ 11:10
Now all that is missing is to be able to secure your HD with full disk encryption in conjunction with a solo key as U2F. Is that possible?
Kim Schulz
December 6, 2019 @ 14:27
I haven’t tested but it should be possible using the Yubico LUKS implementation:
https://www.howtoforge.com/ubuntu-two-factor-authentication-with-yubikey-for-harddisk-encryption-with-luks