This article is geared towards Ubuntu Linux, but may also apply to Ubuntu derivatives (e.g. Lubuntu, Xubuntu), and potentially other Debian-based distros. If you are interested in setting this up on your non-Ubuntu system, although we do not have a how-to guide, https://developers.yubico.com/pam-u2f/ contains additional information that should help.
Note: Although this guide does not cover configuring pam-u2f to require PIN authentication, be aware that pam-u2f 1.1.0 contains a logic issue that, depending on the configuration and the application used, could lead to a local PIN bypass. All users of pam-u2f should update to version 1.1.1, which addresses this issue. Most Linux users will want to update via their distribution's package manager (APT, in the case of Ubuntu), but the source code for 1.1.1 is also available on https://developers.yubico.com/pam-u2f/Releases/. For more information on the issue, please see the Yubico security advisory here.
1 Introduction
This guide covers how to secure a local Linux login using the U2F feature on YubiKeys and Security Keys. This does not work with remote logins via SSH or other methods. The commands in the guide are for an Ubuntu (or Ubuntu based) system, but the instructions can be adapted for any distribution of Linux. See here for an article geared towards Red Hat and its derivatives.
2 Installing the Required Software
- If you haven’t already, Enable the Yubico PPA and follow the steps in Using Your U2F YubiKey with Linux.
- Open Terminal.
- Run: sudo apt-get install libpam-u2f
3 Associating the U2F Key(s) With Your Account
- Open Terminal.
- Insert your U2F Key.
- Run: mkdir -p ~/.config/Yubico
- Run: pamu2fcfg > ~/.config/Yubico/u2f_keys
- You may be prompted for a PIN when running pamu2fcfg. If you are, note that this is your YubiKey's FIDO2 PIN you need to enter. For more information, see Understanding YubiKey PINs.
- When your device begins flashing, touch the metal contact to confirm the association.
If you have backup devices, use the steps below to associate them with your account. If you do not have a backup device available at this time, you can add one later using the steps below as long as you still have access to your account. Warning: Having a backup device is strongly recommended so that if your device is lost or broken, you will not be locked out of your computer.
- Open Terminal.
- Run: pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
- When your device begins flashing, touch the metal contact to confirm the association.
If you would like to add an additional layer of security, move the u2f_keys file to a location that requires sudo rights to edit (e.g. /etc). Create a directory named Yubico (e.g. sudo mkdir /etc/Yubico), then move the file there: sudo mv ~/.config/Yubico/u2f_keys /etc/Yubico/u2f_keys. With the file owned by root, a process running with your ordinary user privileges can no longer add its own key to the file or delete it.
Once the u2f_keys file is moved, the PAM configuration has to tell the module where to find it. Append " authfile=/etc/Yubico/u2f_keys" to the end of the pam_u2f.so line in whichever PAM service file you edit in section 4 (e.g. /etc/pam.d/sudo). Note that the module itself is a separate file, normally found at /usr/lib/x86_64-linux-gnu/security/pam_u2f.so on 64-bit Ubuntu (the path can differ depending on your setup); you do not need to edit it, only reference it from the service file.
Warning: Once you modify the /etc/pam.d/sudo file to require the YubiKey, losing or misplacing the YubiKey means you can no longer use sudo to edit that file and remove the requirement. Enrol a backup key before you rely on this, and keep the Terminal in which you made the change open until you have confirmed that the key works.
Warning: If the u2f_keys file is not readable when PAM runs, you will be locked out of your system. The most common cause is an encrypted /home directory (for example with ecryptfs), which is not mounted, and so not readable even by root, until after you have logged in; the lock-out then appears the next time you reboot the machine. Keeping u2f_keys under /etc/Yubico as described above avoids this.
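The following POSIX shell helper is an added example for this section; it is not code from the Yubico article or from pam-u2f. It wraps the two enrolment commands above, sanity-checks the resulting u2f_keys file before you move it, counts how many keys each user has enrolled (so the "no backup key" case is caught before it bites), and installs the file under /etc with root ownership. The line layout it checks (user, then one colon-separated keyhandle,pubkey[,cosetype,options] group per key) is taken from the pam-u2f documentation; the sample values at the bottom are constructed placeholders, not real key material, and the enrolment functions are not run because they need a key plugged in.

```sh
#!/bin/sh
# Added example for section 3 (not part of the Yubico article).
# Assumed u2f_keys layout, from the pam-u2f documentation:
#   <user>:<keyhandle>,<pubkey>[,<cosetype>,<options>]:<keyhandle>,<pubkey>...
# one line per user, one colon-separated credential per enrolled key.
set -u

# Enrol the first key (writes the file) or a backup key (appends a further
# credential to the same line, which is why the article uses -n and >>).
# Both need a YubiKey plugged in, so the demo below does not call them.
enroll_primary() { mkdir -p ~/.config/Yubico && pamu2fcfg > ~/.config/Yubico/u2f_keys; }
enroll_backup()  { pamu2fcfg -n >> ~/.config/Yubico/u2f_keys; }

# Report malformed lines, duplicate users and credentials that lack the
# keyhandle,pubkey pair. One diagnostic per problem on stderr; returns 1 if
# anything was found. A file that fails here is the kind that locks you out.
validate_u2f_keys() {
    awk -F: '
        NF == 0 { next }    # blank line
        {
            user = $1
            if (user !~ /^[a-z_][a-z0-9_-]*$/) { bad++; printf "line %d: bad user name \"%s\"\n", NR, user > "/dev/stderr" }
            if (user in seen) { bad++; printf "line %d: duplicate entry for %s (pam_u2f uses the first)\n", NR, user > "/dev/stderr" }
            seen[user] = 1
            if (NF < 2) { bad++; printf "line %d: no credential for %s\n", NR, user > "/dev/stderr" }
            for (i = 2; i <= NF; i++) {
                n = split($i, f, ",")
                if (n < 2 || f[1] == "" || f[2] == "") { bad++; printf "line %d: credential %d for %s lacks keyhandle,pubkey\n", NR, i - 1, user > "/dev/stderr" }
            }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Number of credentials enrolled for USER (0 if the user has no line).
# Usage: count_credentials FILE USER
count_credentials() {
    awk -F: -v u="$2" '$1 == u { print NF - 1; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# Install SRC as a root-owned authfile at DST (default /etc/Yubico/u2f_keys).
# Must run with sudo. The file holds only key handles and public keys, so
# world-readable is fine; what matters is that only root can write it.
install_central_authfile() {
    src=$1; dst=${2:-/etc/Yubico/u2f_keys}
    validate_u2f_keys "$src" || return 1
    install -d -m 0755 -o root -g root "$(dirname "$dst")" &&
    install    -m 0644 -o root -g root "$src" "$dst"
}

# Demo on a constructed file (placeholder values, not real key material).
demo=$(mktemp)
printf '%s\n' 'alice:cHJpbWFyeUhhbmRsZQ,cHJpbWFyeVB1YktleQ,es256,+presence' > "$demo"
validate_u2f_keys "$demo" && echo "u2f_keys layout OK"
if [ "$(count_credentials "$demo" alice)" -lt 2 ]; then
    echo "alice has no backup key enrolled: losing the one key locks the account" >&2
fi
rm -f "$demo"
```

Run validate_u2f_keys against ~/.config/Yubico/u2f_keys after each pamu2fcfg call, and only then install_central_authfile with sudo; a file with a second line for the same user, or a line with no credential group, is refused rather than copied into /etc.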
4 Configuring the System to Use the U2F Keys
4.1 Test Configuration with the Sudo Command
This section covers how to require the YubiKey when using the sudo command, which should be used as a test so that you do not lock yourself out of your computer.
- Open Terminal.
- Run: sudo nano /etc/pam.d/sudo
- Add the line below after the “@include common-auth” line.
auth required pam_u2f.so
Note: If you have moved the u2f_keys file to /etc/Yubico/u2f_keys as mentioned in section 3, you will need to append authfile and a path to the PAM configuration, as shown below:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
- Press Ctrl+O and then Enter to save the file. Be sure you do not close the Terminal window, otherwise you will not be able to revert the changes.
- Remove your device from the computer.
- Open a new Terminal.
- In the new Terminal, run: sudo echo test. When prompted, enter your password and press Enter. If sudo does not prompt for a password at all, it is reusing cached credentials from an earlier command; run sudo -k to clear them and try again.
- Even with the correct password, the authentication should fail as the U2F Key is not plugged in. If the authentication succeeds without the U2F Key, the line you added is not taking effect: check for a typo and that the file was actually saved. (A missing module normally makes authentication fail rather than succeed, so if the command fails even with the key inserted, check that libpam-u2f is installed.)
- Insert your device.
- Open a new Terminal and run sudo echo test again. When prompted, enter your password and press Enter. Then, touch the metal contact on your U2F Key when it begins flashing.
Congratulations! If the password was accepted this time, you have configured the system correctly and can continue to the next section to require the U2F Key for login. Note: if you do not want to require the U2F Key to run the sudo command, remove the line you added to the /etc/pam.d/sudo file.
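The edit described in this section is repeated for several files in sections 4.1.1, 4.2 and 4.3, and section 5.1 appends further options to the same line. The helper below is an added example (POSIX shell, not code from the Yubico article) that performs that edit safely: it inserts the pam_u2f.so line directly after "@include common-auth", keeps a .bak copy to restore from, replaces an existing pam_u2f.so line instead of adding a second one when you re-run it with different options, and checks that the module is actually installed. The constructed PAM file in the demo is a cut-down version of Ubuntu's /etc/pam.d/sudo, and the demo works only on a temporary copy, never on /etc/pam.d; the cue option used there is a documented pam_u2f option that prints a prompt before waiting for the touch.

```sh
#!/bin/sh
# Added example for sections 4.1 to 4.3 and 5.1 (not part of the Yubico article).
# Assumes the Debian/Ubuntu layout: service files under /etc/pam.d that use
# "@include common-auth", and the module under /usr/lib/*/security/.
set -u

# Return 0 if pam_u2f.so is installed anywhere PAM will look for it.
pam_u2f_installed() {
    for f in /lib/security/pam_u2f.so /usr/lib/*/security/pam_u2f.so /usr/lib64/security/pam_u2f.so; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Put "auth required pam_u2f.so [OPTIONS]" right after the first
# "@include common-auth" line of FILE. If FILE already has a pam_u2f.so auth
# line it is replaced in place, so re-running with new options (for example
# adding debug) never yields two prompts. Returns 2 if FILE has no include
# line, so nothing is written to a file this recipe does not understand.
# Usage: add_pam_u2f FILE [OPTIONS...]
add_pam_u2f() {
    file=$1; shift
    opts="$*"
    line="auth required pam_u2f.so${opts:+ $opts}"
    grep -q '^@include common-auth' "$file" || return 2
    cp -p "$file" "$file.bak"   # copy to restore from if you lock yourself out
    awk -v ins="$line" '
        /^[[:space:]]*auth[[:space:]].*pam_u2f\.so/ { if (!done) { print ins; done = 1 }; next }
        { print }
        !done && /^@include common-auth/ { print ins; done = 1 }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Drop every pam_u2f.so line again (the rollback the article describes).
remove_pam_u2f() {
    file=$1
    grep -v 'pam_u2f\.so' "$file" > "$file.tmp" || true
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# Number of pam_u2f.so lines in FILE; anything other than 0 or 1 is wrong.
count_pam_u2f() {
    grep -c 'pam_u2f\.so' "$1" || true
}

# Constructed stand-in for Ubuntu's /etc/pam.d/sudo, written to a temp file.
demo_pam_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#%PAM-1.0
session    required   pam_env.so readenv=1 user_readenv=0
@include common-auth
@include common-account
@include common-session-noninteractive
EOF
    printf '%s\n' "$f"
}

# Demo: enable, re-run (no duplicate), then add the debug options from 5.1.
f=$(demo_pam_file)
add_pam_u2f "$f" authfile=/etc/Yubico/u2f_keys cue
add_pam_u2f "$f" authfile=/etc/Yubico/u2f_keys cue
add_pam_u2f "$f" authfile=/etc/Yubico/u2f_keys cue debug debug_file=/var/log/pam_u2f.log
cat "$f"
if pam_u2f_installed; then
    echo "pam_u2f.so is installed"
else
    echo "pam_u2f.so not found: install libpam-u2f before enabling this" >&2
fi
rm -f "$f" "$f.bak"
```

On a real system you would call, for example, sudo sh -c '. ./helper.sh; add_pam_u2f /etc/pam.d/sudo authfile=/etc/Yubico/u2f_keys' and then run the sudo test above from a second terminal; the .bak copy next to the service file is what you restore from the still-open terminal if the test fails.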
4.1.1 Requiring the YubiKey for other commands such as su
Commands such as su, sudo -i and runuser authenticate through their own PAM service names rather than through /etc/pam.d/sudo, so each one has a separate file under /etc/pam.d that must be edited before the YubiKey is required for it. Which files exist depends on your release; in Ubuntu 22.04 the commands map to the following files:
Command       File
runuser       /etc/pam.d/runuser
runuser -l    /etc/pam.d/runuser-l
su            /etc/pam.d/su
sudo -i       /etc/pam.d/sudo-i
su -l         /etc/pam.d/su-l
Add the line below after the “@include common-auth” line in the file for the command you want to protect.
auth required pam_u2f.so
Note: If you have moved the u2f_keys file to /etc/Yubico/u2f_keys as mentioned in section 3, you will need to append authfile and a path to the PAM configuration, as shown below:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
After you save the changes, you should now require the YubiKey to authenticate when using the command selected.
4.2 Configuring the System to Require the YubiKey for Login
- Open Terminal.
- If your system is Ubuntu 17.10 or newer, run: sudo nano /etc/pam.d/gdm-password. If your system is Ubuntu 17.04 or older, run: sudo nano /etc/pam.d/lightdm
- Add the line below after the “@include common-auth” line.
auth required pam_u2f.so
Note: If you have moved the u2f_keys file to /etc/Yubico/u2f_keys as mentioned in section 3, you will need to append authfile and a path to the PAM configuration, as shown below:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
- Press Ctrl+X, then Y, then Enter to save and close the file.
4.3 Configuring the System to require the YubiKey for TTY terminal
- Open Terminal.
- run: sudo nano /etc/pam.d/login
- Add the line below after the “@include common-auth” line.
auth required pam_u2f.so
Note: If you have moved the u2f_keys file to /etc/Yubico/u2f_keys as mentioned in section 3, you will need to append authfile and a path to the PAM configuration, as shown below:
auth required pam_u2f.so authfile=/etc/Yubico/u2f_keys
- Press Ctrl+X, then Y, then Enter to save and close the file.
Success! You will no longer be able to log in to the computer without the U2F device. Note: pam_u2f refuses every account that has no entry in the u2f_keys file it reads, so on a shared machine enrol a key for each user first; if some accounts must keep password-only login, add the nouserok option to the pam_u2f.so line, accepting that those accounts then skip the second factor.
5 Troubleshooting
5.1 Enabling Debug Mode
If you are unable to login and are unsure why, you can enable debugging on the Yubico PAM module using the steps below. This provides insight into why the module is not allowing the login.
- Open Terminal.
- Run: sudo touch /var/log/pam_u2f.log
- If your system is Ubuntu 17.10 or newer, run: sudo nano /etc/pam.d/gdm-password. If your system is Ubuntu 17.04 or older, run: sudo nano /etc/pam.d/lightdm
- Add “ debug debug_file=/var/log/pam_u2f.log” to the end of the line that contains pam_u2f.so
Each subsequent login event will have the debug log saved in the /var/log/pam_u2f.log file.