Yubikey login to Fedora with U2F via Authselect

If you have a Yubikey with U2F support for Linux, you can use its U2F functionality as a second factor or as a single factor for logins, sudo passwords, and more. This is accomplished by the pam-u2f module, and the instructions commonly returned in searches aren’t for the faint of heart, especially when they involve editing the files in /etc/pam.d/. Recent versions of Fedora ship with authselect, which can make this process a lot easier. U2F support isn’t baked in, but it was easy enough to find on GitHub. Grab your Yubikeys (you do have a primary and a backup, right?) and follow along.

The main packages required are authselect, pam-u2f, and pamu2fcfg. The following will cover the basics in case you have a minimal install (dnf needs root for this):

dnf install authselect bash gawk pam pam-u2f pamu2fcfg sssd systemd-udev

Create the u2f_keys file as the user who will be logging in, since it lives in that user's home directory, and include values from as many U2F devices as applicable (additional background here):

# pam-u2f looks in this directory
mkdir -pv ~/.config/Yubico/

pamu2fcfg --username="$USER" | tee ~/.config/Yubico/u2f_keys ; echo
# touch device

pamu2fcfg --nouser | tee -a ~/.config/Yubico/u2f_keys ; echo
# touch 2nd device

# Repeat the previous command as necessary
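
The commands above depend on every device for a user ending up on one line of u2f_keys. The following check is an added example, not part of the original post or of pam-u2f: it assumes the line format username:keyhandle,pubkey[:keyhandle,pubkey...], and the function name check_u2f_keys and the sample entries are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): sanity-check a pam-u2f key file.
# Assumed line format: username:keyhandle,pubkey[,...][:keyhandle,pubkey[,...]]

check_u2f_keys() {
  local file="$1" rc=0
  [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

  # Anyone who can write this file can enroll their own key for the user.
  if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
    echo "writable by group/other: $file"
    rc=1
  fi

  awk -F: '
    /^[[:space:]]*$/ { next }                       # ignore blank lines
    $1 == "" {                                      # e.g. a key appended after a newline
      printf "line %d: no username, entry will not match any user\n", NR
      bad = 1; next
    }
    {
      ok = 0
      for (i = 2; i <= NF; i++) {
        n = split($i, part, ",")
        if (n >= 2 && part[1] != "" && part[2] != "") ok++
        else { printf "line %d: %s entry %d is not keyhandle,pubkey\n", NR, $1, i - 1; bad = 1 }
      }
      printf "%s: %d valid device(s)\n", $1, ok
      if (ok == 0) bad = 1
      if (ok == 1) printf "  note: no backup device registered for %s\n", $1
    }
    END { exit (bad ? 1 : 0) }
  ' "$file" || rc=1
  return "$rc"
}

# Constructed sample: alice has two keys on one line; bob's second key landed on its own line.
demo=$(mktemp)
chmod 600 "$demo"
printf '%s\n' \
  'alice:KH1aaaa,PK1bbbb:KH2cccc,PK2dddd' \
  'bob:KH3eeee,PK3ffff' \
  ':KH4gggg,PK4hhhh' > "$demo"
check_u2f_keys "$demo" || echo "=> fix the file before selecting with-pam-u2f"
rm -f "$demo"
```

To check a real file, call check_u2f_keys ~/.config/Yubico/u2f_keys after the last pamu2fcfg run.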

Grab a udev rules file to allow non-root users to access the device (additional background here). Writing to /etc/udev/rules.d/ requires root:

curl \
  --output '/etc/udev/rules.d/70-u2f.rules' \
  'https://raw.githubusercontent.com/Yubico/libu2f-host/ef2ac57/70-u2f.rules'

# Take effect without reboot:
udevadm trigger

With pam-u2f installed and the keys added in u2f_keys, the final step is adding configurations to files in /etc/pam.d/; thankfully authselect makes this less intimidating. The version that ships with Fedora 29 (as of this writing) does not include the U2F option, so we’ll create a custom profile based on sssd and grab the files from GitHub. These files define the PAM authentication stack, so uncomment the diff command to see how small the downloaded changes are before selecting the profile:

# Create a profile based on the built-in "sssd" and use symlinks for the files we won't
# be changing
authselect \
  create-profile \
  'sssd-u2f' \
  --base-on=sssd \
  --symlink-nsswitch \
  --symlink-dconf \
  --symlink=fingerprint-auth \
  --symlink=postlogin \
  --symlink=smartcard-auth

# Grab 4 updated files from GitHub. Uncomment `diff` to see the changes from the "sssd"
# profile
for FILE in README REQUIREMENTS password-auth system-auth; do
  curl \
    --silent \
    --output "/etc/authselect/custom/sssd-u2f/$FILE" \
    "https://raw.githubusercontent.com/pbrezina/authselect/297f48d/profiles/sssd/$FILE"

  # diff \
  #   --ignore-all-space \
  #   --unified \
  #   "/usr/share/authselect/default/sssd/$FILE" \
  #   "/etc/authselect/custom/sssd-u2f/$FILE"
done

# Capture the options your current authselect profile might be using. My system had
# "with-fingerprint" and "with-silent-lastlog" after a standard Fedora 29 install
mapfile -t AUTHSELECT_CURRENT_OPTIONS < <( authselect current | awk '/^- with-/ {gsub("^- ", ""); print $0}' )

# If you want, show the captured options, which might be blank
#printf '%s\n' "${AUTHSELECT_CURRENT_OPTIONS[@]}"

# Select the custom "sssd-u2f" profile and add the "with-pam-u2f" option
authselect \
  select \
  'custom/sssd-u2f' \
  $( printf '%s ' "${AUTHSELECT_CURRENT_OPTIONS[@]}" ) \
  'with-pam-u2f'

On my system, I was able to use my Yubikey’s U2F mode to log in after a reboot with Gnome, and for issuing sudo. To make U2F required as part of a two-factor login or similar, you’ll need to dig into the /etc/pam.d/ files. Rather than editing them directly, edit the files in /etc/authselect/custom/sssd-u2f/ and apply them with authselect.

For some further reading, the RHEL 8 Beta page on authselect has a ton of great information. I’m glad to see authselect will make it from Fedora to RHEL!

(I haven’t used Fedora 29 as a desktop for long, so please let me know @alanivey if you have any feedback!)