Yubikey Linux 2 Factor login and Sudo

Using the Yubikey for securing your login to Linux is a great step. Here is how I set up 2FA login with Yubikey on Kubuntu. Yubico actually has a pretty good guide for this here, but it doesn’t show you how to make it work with KDE’s login screen (SDDM), and I use that, so here is what I did to make it work. With this config my PC is set up to require a password and the Yubikey at the login/lock screen, and then for sudo I require ONLY the Yubikey.

Step 1: Get the Software

Download the tool:

sudo apt install libpam-u2f

Step 2: Enroll Primary and Backup keys

Create the directory:

mkdir ~/.config/Yubico

To enroll the primary key, plug it in and run:

pamu2fcfg > ~/.config/Yubico/u2f_keys

Tap the Yubikey when it lights up.

Now to enroll the secondary key. Plug the backup key in and run:

pamu2fcfg -n >> ~/.config/Yubico/u2f_keys
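
Step 3 makes the key mandatory for every login, so it is worth confirming first that both keys really ended up on your user's line. The script below is an added example, not part of the original post or Yubico's guide; it assumes pam_u2f's `user:credential:credential` authfile layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of a pam_u2f authfile before PAM is changed.
# Assumed line format: user:cred[:cred...], cred = keyhandle,pubkey[,type,options]

# Print the number of credentials enrolled for USER in FILE.
u2f_key_count() {
    awk -F: -v u="$2" '$1 == u { n += NF - 1 } END { print n + 0 }' "$1"
}

# Print the number of lines that start with ":". That is a "pamu2fcfg -n"
# entry that ended up on its own line, so it belongs to no user.
u2f_orphan_count() {
    awk '/^:/ { n++ } END { print n + 0 }' "$1"
}

# Return 0 only if USER has a primary and a backup key, no entry is orphaned,
# and FILE cannot be written by group or others.
u2f_preflight() {
    file=$1 user=$2 rc=0
    [ -r "$file" ] || { echo "FAIL: cannot read $file"; return 1; }
    keys=$(u2f_key_count "$file" "$user")
    orphans=$(u2f_orphan_count "$file")
    [ "$keys" -ge 2 ] || { echo "FAIL: $keys key(s) for $user, need 2"; rc=1; }
    [ "$orphans" -eq 0 ] || { echo "FAIL: $orphans entry without a user"; rc=1; }
    # Characters 6 and 9 of the mode string are group-write and other-write.
    case $(ls -ldL "$file" | cut -c6,9) in
        *w*) echo "FAIL: $file is group- or world-writable"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $keys keys enrolled for $user"
    return "$rc"
}

# Usage: sh u2f_preflight.sh ~/.config/Yubico/u2f_keys "$USER"
[ "$#" -eq 0 ] || u2f_preflight "$@"
```

Run it before editing anything under /etc/pam.d, and keep a root shell open while testing the PAM changes so a bad line can be reverted.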

Step 3: Add to common-auth

To set the Yubikey to be required for login and, well, anything that uses common-auth, you can add this line to /etc/pam.d/common-auth:

auth       required   pam_u2f.so

I added it to the end of the file and now my common-auth file looks like this:

For me this made the login, lock and sudo all require both my password and my Yubikey. I didn’t want this for sudo so I did the next step.

Step 4: Set sudo to require Yubikey only

I wanted to be asked for JUST the Yubikey when I sudo, so I changed the /etc/pam.d/sudo file by commenting out @include common-auth and adding this line:

auth       required   pam_u2f.so

Now the file looks like this:

Now when I run sudo I simply have to tap my Yubikey to authenticate.
