This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
Yubikey on Ubuntu (KDE Neon) 18.04

BEFORE YOU START: IT IS HIGHLY RECOMMENDED TO HAVE A BACK-UP YUBIKEY

My setup is specific to my desires/needs/wants. Feel free to copy.

Basic idea of my setup:

  • Require password + Yubikey for all login sessions (TTY, sddm, gdm, lock screen)
  • Require only yubikey for sudo

All files mentioned below are included in full in the files directory within this repository.

Installation

Following the regular installation

Add the ppa:

sudo add-apt-repository ppa:yubico/stable && sudo apt update

Add the package:

sudo apt install libpam-u2f

Configure yubikey for your account according to the installation manual

For more packages (such as OTP), see here

pam.d configuration


All logins

In order to require password + yubikey for all my logins, I've modified /etc/pam.d/common-auth. At the bottom of the file, add:

# u2f
auth required pam_u2f.so cue

Sudo specific

In order to only require yubikey for sudo, I've modified /etc/pam.d/sudo. Insert the u2f line above the inclusion of @common-auth so touching the yubikey will suffice. Add cue to receive visual feedback.

auth   sufficient pam_u2f.so cue
@include common-auth

Obviously, leave the rest of the file untouched.
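A small check for the two pam.d edits above, added here as an example and not part of the original repository. It assumes the lines are written as shown (module pam_u2f.so, control values required and sufficient, the include spelled @include common-auth) and only reads the files it is pointed at, so it can be run against copies before anything under /etc/pam.d is changed:

```shell
#!/bin/sh
# Added example: verify the pam.d edits without modifying anything.
# Assumes the module is referenced as pam_u2f.so and sudo uses "@include common-auth".

# Print the 1-based line number of the first line matching an ERE, or 0 if absent.
pam_line_no() {
    [ -r "$1" ] || { echo 0; return; }
    awk -v re="$2" '$0 ~ re { print NR; found = 1; exit } END { if (!found) print 0 }' "$1"
}

# common-auth: a "required" pam_u2f line must be present (password + key for every login).
common_auth_ok() {
    n=$(pam_line_no "$1" '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_u2f[.]so')
    [ "$n" -gt 0 ]
}

# sudo: the "sufficient" pam_u2f line must come before "@include common-auth";
# if the include runs first, the password stack is consulted before the key is tried.
sudo_order_ok() {
    u2f=$(pam_line_no "$1" '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_u2f[.]so')
    inc=$(pam_line_no "$1" '^[[:space:]]*@include[[:space:]]+common-auth')
    [ "$u2f" -gt 0 ] && [ "$inc" -gt 0 ] && [ "$u2f" -lt "$inc" ]
}

# Usage: check_pam COMMON_AUTH_FILE SUDO_FILE  (prints one line per file, exit 1 on any failure)
check_pam() {
    rc=0
    if common_auth_ok "$1"; then echo "ok:   $1 requires pam_u2f"
    else echo "FAIL: $1 has no 'auth required pam_u2f.so' line"; rc=1; fi
    if sudo_order_ok "$2"; then echo "ok:   $2 tries pam_u2f before common-auth"
    else echo "FAIL: $2 pam_u2f line missing or below @include common-auth"; rc=1; fi
    return $rc
}

# Run against the live files only when asked to explicitly.
if [ "${1:-}" = "--live" ]; then
    check_pam /etc/pam.d/common-auth /etc/pam.d/sudo
fi
```

Run it as `sh check-pam.sh --live` after editing, or call `check_pam` on copies of the two files first. The ordering check is the part worth keeping: the same two lines in the other order still "work" in the sense that sudo succeeds, but the key touch never short-circuits the password prompt.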

udev.d configuration

Sources:

I also wanted to lock my screen the moment my yubikey is removed from the USB port. To do this, I've created udev rules.

The udev rule in /etc/udev/rules.d/20-yubico-u2f.rules:

ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="0407", ENV{ID_VENDOR_ID}=="1050", RUN+="/usr/local/sbin/lockscreen.sh"

Check your MODEL_ID and VENDOR_ID by running udevadm monitor --environment --udev and unplugging your yubikey.

Then, create /usr/local/sbin/lockscreen.sh with the following content:

#!/bin/bash

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

loginctl lock-sessions

Mark the script as executable:

chmod 755 /usr/local/sbin/lockscreen.sh

Check that the script works by running it (either as root or as your own user; udev RUN commands are executed by root, so it should work as root).

If everything works as desired, let's reload udev:

sudo udevadm control --reload-rules
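The udev part of the procedure above, turned into a small script. This is an added example, not code from the original repository: it parses saved `udevadm monitor --environment --udev` output to pull out the vendor and model IDs, emits a rule in the same shape as the one above, and checks that an installed rule/script pair line up. The monitor output embedded in it is constructed for the example (the 1050/0407 pair is taken from the rule above; the other events are filler), and the `--from-log` usage and the path /usr/local/sbin/lockscreen.sh are the page's own:

```shell
#!/bin/sh
# Added example: derive the lock-on-remove udev rule from a saved
# "udevadm monitor --environment --udev" log and verify the installed pair.

# Constructed sample of monitor output: one unrelated "add", one "remove" of a
# hid child device (no ID_BUS, so it must be ignored) and the USB "remove" of the key.
sample_monitor_output() {
    cat <<'EOF'
UDEV  [1000.000001] add      /devices/pci0000:00/0000:00:14.0/usb1/1-3 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-3
SUBSYSTEM=usb
ID_BUS=usb
ID_VENDOR_ID=046d
ID_MODEL_ID=c52b

UDEV  [1000.000002] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1050:0407.0005 (hid)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1050:0407.0005
SUBSYSTEM=hid

UDEV  [1000.000003] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
ACTION=remove
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-2
SUBSYSTEM=usb
ID_BUS=usb
ID_VENDOR_ID=1050
ID_MODEL_ID=0407
EOF
}

# Print VENDOR:MODEL for every USB "remove" event in a saved monitor log.
# udevadm separates events with a blank line, so awk's paragraph mode (RS="") reads one event per record.
usb_ids_from_monitor() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        act = ""; bus = ""; vid = ""; mid = ""
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue                 # the "UDEV [...]" header line is not key=value
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "ACTION") act = val
            else if (key == "ID_BUS") bus = val
            else if (key == "ID_VENDOR_ID") vid = val
            else if (key == "ID_MODEL_ID") mid = val
        }
        if (act == "remove" && bus == "usb" && vid != "" && mid != "") print vid ":" mid
    }' "$1"
}

# A USB vendor/product ID is exactly four hex digits.
is_hex4() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit the rule in the same shape as the one above; refuse malformed IDs.
udev_lock_rule() {   # VENDOR_ID MODEL_ID SCRIPT_PATH
    is_hex4 "$1" && is_hex4 "$2" || return 1
    printf 'ACTION=="remove", ENV{ID_BUS}=="usb", ENV{ID_MODEL_ID}=="%s", ENV{ID_VENDOR_ID}=="%s", RUN+="%s"\n' "$2" "$1" "$3"
}

# Verify an installed pair: the rule file runs this script, the script is executable
# (udev runs RUN+= programs as root) and it actually calls loginctl lock-sessions.
lock_setup_ok() {   # RULE_FILE SCRIPT_PATH
    [ -r "$1" ] && [ -x "$2" ] || return 1
    grep -F -q "RUN+=\"$2\"" "$1" || return 1
    grep -q '^loginctl lock-sessions' "$2"
}

# Usage: sh thisfile --from-log saved-udevadm-output.txt   (prints one rule per removed USB device)
if [ "${1:-}" = "--from-log" ] && [ -n "${2:-}" ]; then
    usb_ids_from_monitor "$2" | while IFS=: read -r vid mid; do
        udev_lock_rule "$vid" "$mid" /usr/local/sbin/lockscreen.sh
    done
fi
```

Two things the check makes visible: the rule matches on the vendor/model pair, so a backup key of a different model needs its own rule (and any other device with the same IDs will trigger the lock), and `loginctl lock-sessions` locks every session on the machine, not only the one belonging to the key's owner.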