Yubikey Linux 2 Factor login and Sudo

Using the Yubikey for securing your login to Linux is a great step. Here is how I set up 2FA login with a Yubikey on Kubuntu. Yubico actually has a pretty good guide for this here, but it doesn’t show you how to make it work with KDE’s login screen (SDDM), and I use that, so here is what I did to make it work. With this config my PC is set up to require a password and the Yubikey at the login/lock screen, and then for sudo I require ONLY the Yubikey.

Step 1: Get the Software

Download the tool:

sudo apt install libpam-u2f

Step 2: Enroll Primary and Backup keys

Create the directory:

mkdir ~/.config/Yubico

To enroll the primary key, plug it in and run:

pamu2fcfg > ~/.config/Yubico/u2f_keys

Tap the Yubikey when it lights up.

Now enroll the backup key. Plug it in and run (the -n appends a second credential for the same user instead of starting a new entry):

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
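Before wiring pam_u2f into PAM it is worth confirming that the authfile really holds both keys: a "required" pam_u2f line with a missing or malformed authfile locks you out of login (and, after Step 4, out of sudo), and a file with only one key means losing that key is the same as losing the account. The check below is an added example, not part of the original post or of Yubico's tooling; it assumes the format pamu2fcfg writes (one line, "username:credential:credential...", which pamu2fcfg does not terminate with a newline, which is why "-n >>" can extend the same line), and it builds a constructed sample file with placeholder strings rather than reading a real key.

```shell
#!/bin/sh
# Sanity-check a pam_u2f authfile (added example; not part of the original post).
# pamu2fcfg writes one line "username:cred1:cred2..." and "pamu2fcfg -n >>" appends
# ":credN" to that same line, so a correct file with a primary and a backup key has
# exactly one line and two credential fields after the username.

# Line count that also counts a final line without a trailing newline
u2f_line_count() {
    awk 'END { print NR }' "$1"
}

# Username in the first colon-separated field
u2f_username() {
    awk -F: 'NR == 1 { print $1 }' "$1"
}

# Number of enrolled credentials: every field after the username
u2f_credential_count() {
    awk -F: 'NR == 1 { print NF - 1 }' "$1"
}

# u2f_check FILE USER MIN_CREDS: returns 0 when FILE is usable by pam_u2f for USER
# and holds at least MIN_CREDS keys (2 = primary plus backup)
u2f_check() {
    f=$1; expected_user=$2; min_creds=${3:-2}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    [ "$(u2f_line_count "$f")" -eq 1 ] \
        || { echo "$f: expected exactly one line, found $(u2f_line_count "$f")" >&2; return 1; }
    [ "$(u2f_username "$f")" = "$expected_user" ] \
        || { echo "$f: first field is '$(u2f_username "$f")', not '$expected_user'" >&2; return 1; }
    [ "$(u2f_credential_count "$f")" -ge "$min_creds" ] \
        || { echo "$f: only $(u2f_credential_count "$f") key(s) enrolled, no backup" >&2; return 1; }
    return 0
}

# Constructed sample mimicking "pamu2fcfg >" followed by "pamu2fcfg -n >>" for user alice;
# the key handles and public keys are placeholder strings, not real credentials
make_sample_u2f_keys() {
    printf '%s' 'alice:KEYHANDLE1,PUBKEY1,es256,+presence:KEYHANDLE2,PUBKEY2,es256,+presence' > "$1"
    chmod 600 "$1"
}

# Demo on the sample; for a real check run: u2f_check ~/.config/Yubico/u2f_keys "$USER" 2
demo_dir=$(mktemp -d)
make_sample_u2f_keys "$demo_dir/u2f_keys"
u2f_check "$demo_dir/u2f_keys" alice 2 \
    && echo "u2f_keys OK: $(u2f_credential_count "$demo_dir/u2f_keys") keys for $(u2f_username "$demo_dir/u2f_keys")"
rm -rf "$demo_dir"
```

Run the real check as the enrolling user, and keep a second terminal with a root shell open while you edit common-auth and /etc/pam.d/sudo, so a bad line can be reverted without a working login.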

Step 3: Add to common-auth

To make the Yubikey required for login, and for anything else that uses common-auth, add this line to /etc/pam.d/common-auth:

auth       required   pam_u2f.so

I added it to the end of the file and now my common-auth file looks like this:

For me this made the login, lock and sudo all require both my password and my Yubikey. I didn’t want this for sudo so I did the next step.

Step 4: Set sudo to require Yubikey only

I wanted to be asked for JUST the Yubikey when I sudo, so I changed the /etc/pam.d/sudo file by commenting out this line:

@include common-auth

and adding this line:

auth       required   pam_u2f.so

Now the file looks like this:

Now when I run sudo I simply have to tap my Yubikey to authenticate.


Yubikey Lock PC and Close terminal sessions when removed

Locking your PC when you walk away is super important so someone can’t mess with your PC while you are away. It’s usually just a co-worker messing with your background or icons, BUT it could have some serious consequences if a bad actor was to get on your PC unattended. Since I use my Yubikey for 2FA, I wanted to take an extra step and have my PC lock and close all my terminal sessions when I remove the Yubikey. I found a post here that I followed for getting the screen to lock, but I added the extra step of closing my terminal windows. Here are the steps I followed:

First I needed to get the vendor ID and model ID of my Yubikey 5 NFC (if you have the same model you can PROBABLY use the same info as me, but if it’s a different model this is how you find it). First plug in your Yubikey and then from a terminal type in:

sudo udevadm monitor --environment --udev

Now remove the Yubikey and look at the output (you can kill the command at this point too with Ctrl+C). The output is crazy long, but towards the “semi-topish” you should see something similar to this:

We are looking for the ID_VENDOR_ID (1050) and ID_MODEL_ID (0407, or 407 if you drop the leading 0). Now let’s take this info and put it into a file called 20-yubikey.rules located in /etc/udev/rules.d/. The file should look like this:

ACTION=="remove", ENV{DEVTYPE}=="usb_device", ENV{SUBSYSTEM}=="usb", ENV{PRODUCT}=="1050/407/*", RUN+="/home/user/lockscreen.sh"

The important part to change if you have a different model is ENV{PRODUCT}=="1050/407/*": 1050 is the vendor ID and 407 is the model ID. Also RUN+="/home/user/lockscreen.sh" should point to wherever you put the lockscreen script. I put it in my user dir but it can go anywhere you feel is secure.

Now that we have that file we need to reload the udev rules (or reboot):

sudo udevadm control --reload-rules
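The three steps above (read the IDs out of udevadm, write the ENV{PRODUCT} match, reload) can be scripted so the leading-zero rule is applied mechanically rather than by eye: the kernel's PRODUCT variable is vendor/product/bcdDevice in hex with leading zeros dropped, which is why 0407 has to be matched as 407. The script below is an added example, not from the original post; the udevadm monitor output it parses is a constructed, trimmed sample, and /usr/local/sbin/lockscreen.sh is an assumed script location.

```shell
#!/bin/sh
# Build the udev rule for a key from "udevadm monitor --environment --udev" output
# (added example; not from the original post). The kernel's PRODUCT variable is
# "vendor/product/bcdDevice" in hex with leading zeros dropped, so ID_MODEL_ID=0407
# must be matched as 407.

# Print the value of KEY from udev environment text on stdin (first match only)
udev_env_value() {
    sed -n "s/^$1=//p" | head -n 1
}

# Drop leading zeros from a hex id but keep at least one digit ("0407" -> "407", "0000" -> "0")
strip_leading_zeros() {
    printf '%s\n' "$1" | sed 's/^0*\([0-9a-fA-F]\)/\1/'
}

# ENV{PRODUCT} match for a vendor/model pair, any bcdDevice (firmware) revision
product_match() {
    printf '%s/%s/*\n' "$(strip_leading_zeros "$1")" "$(strip_leading_zeros "$2")"
}

# Complete rule line: udev_rule_for VENDOR MODEL SCRIPT
udev_rule_for() {
    printf 'ACTION=="remove", ENV{DEVTYPE}=="usb_device", ENV{SUBSYSTEM}=="usb", ENV{PRODUCT}=="%s", RUN+="%s"\n' \
        "$(product_match "$1" "$2")" "$3"
}

# Read udevadm output on stdin and emit the rule for the device it describes
rule_from_udevadm_output() {
    udev_text=$(cat)
    vendor=$(printf '%s\n' "$udev_text" | udev_env_value ID_VENDOR_ID)
    model=$(printf '%s\n' "$udev_text" | udev_env_value ID_MODEL_ID)
    if [ -z "$vendor" ] || [ -z "$model" ]; then
        echo "ID_VENDOR_ID / ID_MODEL_ID not found in input" >&2
        return 1
    fi
    udev_rule_for "$vendor" "$model" "$1"
}

# Constructed sample of the remove event block (trimmed); real output has many more keys
SAMPLE_UDEVADM_OUTPUT='UDEV  [1234.567890] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=1050
ID_MODEL_ID=0407'

# Demo: generate the rule for the sample with an assumed root-owned script location.
# Real use: save the udevadm output to a file, then: rule_from_udevadm_output /path/to/script < file
printf '%s\n' "$SAMPLE_UDEVADM_OUTPUT" | rule_from_udevadm_output /usr/local/sbin/lockscreen.sh
```

The generated line is what goes into /etc/udev/rules.d/20-yubikey.rules; after writing it, reload the rules as above and pull the key to confirm the event fires.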

Now for the script that actually does the stuff! I thought I got this from this guy here because I remember following that post… but his script is different than mine… so if I find who I got this from again I’ll re-tag it for credit. I modified it to also kill all of my konsole sessions. Here is the script:

#!/usr/bin/sh
# this script is only suitable for a single use machine as the following will lock and kill all non root sessions
# if unable to unlock your screensaver screen lock, check the permissions of your U2F key mappings. Your screen lock
# will run under your current user permission
# udev runs this as root, so the loginctl and pkill calls below act on every user's sessions

# first non-root user that owns a "session" process (single-user machine assumption)
user=`ps aux | grep -v root | grep session | head -n 1 | awk '{print $1}'`
# lock every logind session that belongs to that user
sessionids=`loginctl list-sessions | grep ${user} | awk '{print $1}'`
for sessionid in $sessionids
do
        loginctl lock-session $sessionid
        echo "U2F locked sessionid $sessionid  ($user)" | systemd-cat -p info -t udev
done

# close any other tty sessions (skip the graphical session, which who lists as "(:0)")
ttys=`who | grep tty | grep -v '(:0)' | awk '{print $2}'`
for tty in $ttys
do
        pkill --signal HUP -t $tty
        echo "U2F killed $tty ($user)" | systemd-cat -p info -t udev
done
# kill every konsole window; pkill -x matches the process name exactly, whereas
# "ps aux | grep konsole" also listed the grep process itself
pkill -x konsole

Put this in a file called lockscreen.sh and place it where you specified in the 20-yubikey.rules file. For example, mine went here: /home/user/lockscreen.sh

Next we need to make the script executable as well as make it accessible only by our user:

sudo chmod 700 lockscreen.sh

Now, if everything went right, when you remove your Yubikey your PC will lock and close all tty and konsole windows.

This is all good and fine, but we have an issue if we want to remove the Yubikey WITHOUT the PC locking. For this I wrote a tiny script that simply removes the lockscreen file and, after you press a key, puts the file back. To get this working we first copy our current lockscreen file:

cp lockscreen.sh lockscreen.sh.bak

Now create another file called removeYubilock.sh with this:

#!/bin/bash
# Temporarily disable the udev lock by removing the script it runs,
# then restore it from the backup copy once a key is pressed.
rm /home/user/lockscreen.sh
echo "Remove the YubiKey and press any key to continue"
while true ; do
    # wait up to 3 seconds for a single keypress; read returns 0 when a key arrived
    if read -t 3 -n 1 ; then
        cp /home/user/lockscreen.sh.bak /home/user/lockscreen.sh
        echo "Lockscreen file replaced"
        exit
    else
        echo "waiting for the keypress"
    fi
done

Now make it executable:

sudo chmod 700 removeYubilock.sh

Now to test:

Now we have working auto screen locking using our Yubikey!
