
I just bought a Yubikey 5 NFC and have set it up per their instructions on Ubuntu 19.04. But my preferred use case is to use the key as a passwordless option (if it's plugged in, allow access; if it's not, enter a password).

I've found some topics on this here and here, but both are either not for a Yubikey or not for Ubuntu. And I'm too inexperienced with these things to blindly fiddle with settings, as there is a good chance I'd get locked out forever if I do something wrong.

So I know the Yubikey 5 supports passwordless login for Windows; I figure it must be available on Ubuntu somehow, right? Does anyone have a tip for me?

Edit: To give some context to the valid point made below that this setup wouldn't increase security, and would in fact lower it: yes, I know, very true indeed. However, in my case I work mostly from my own (secured) home, but I am a stickler for very complicated passwords. It is slowing me down that I have to enter a very long password each time my laptop idles too long, so when I'm at home I'd like to be able to use just the key, and when I'm away, leave the key at home and just use a password.

Edit2: Thanks to hackerb9's answer and running through the Yubico install steps again, I got it to work. Essentially all I did differently was to add auth sufficient pam_u2f.so to both /etc/pam.d/gdm-password and /etc/pam.d/sudo instead of @include common-u2f (which would result in auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue). So essentially just removing authfile=/etc/u2f_mappings cue did the trick. I'm not 100% sure, but I think this is due to a 'setup conflict' as I set up the key before attempting this.

vidarlo
Asitis

4 Answers


You're right to be worried about locking yourself out. If your home directory is encrypted, and you keep a Two-Factor Authentication authorization mapping file there, you will not be able to log in! That's why I always use a central authfile (/etc/u2f_mappings).

I suggest creating a second account while testing, so you don't lock yourself out of your main account. Also, be sure to get a second 2FA key and register it as a backup in case you lose the first one.

How to enable passwordless login

Although you should be careful, the process is easy and straightforward. To make it even easier, I've written this, so you can simply cut and paste the following commands into a terminal:

sudo apt install libpam-u2f
pamu2fcfg | sudo tee -a /etc/u2f_mappings

(At this point, press the button. You should see a long string of numbers. If you don't, make sure you have udev set up correctly.)

sudo -i
echo >> /etc/u2f_mappings
cd /etc/pam.d

echo 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' > common-u2f

for f in $(grep -l "@include common-auth" *); do
    if [[ $f == *~ ]]; then continue; fi   # skip backup copies from an earlier run
    if grep -q "@include common-u2f" $f; then continue; fi   # already patched
    mv $f $f~
    awk '/@include common-auth/ {print "@include common-u2f"}; {print}' $f~ > $f
done

exit

Notes

  • When logging in, you'll be prompted to touch your device if it is detected. Otherwise, you'll be asked to type in a password.
  • We use the term "sufficient" above so that either the password or the U2F key is sufficient to log in (as requested in the question). For a more typical Two-factor Authentication login, "sufficient" would be replaced by the word "required" so that both would always be needed.
  • The u2f line in the pam.d files must come before @include common-auth, otherwise you'll be required to type in a password before the U2F key is checked.
  • I would be remiss if I didn't point out that using a "2FA" key in this way, while convenient, does not increase your security. In fact, you've only opened a second way to get into your account. But, that's not necessarily bad; not everybody needs high-security and a dongle like this can save you from having an easy to type, short, and vulnerable password.

And so much more!

By the way, these instructions aren't just for devices from Yubico. I'm using a key from Solokeys and it works great. Additionally, the setup works for both USB and NFC keys.

If you need more information, Yubico's instructions and the Linux 20+ Guide — as mentioned in the original question — are fairly informative. Also, see the man pages for pam_u2f and pamu2fcfg.

Update 2022

Newer versions of Ubuntu and Debian GNU/Linux have proliferated the number of files in /etc/pam.d/ which need to be edited. Ideally, we would just edit a single file: common-auth, but that file is managed by pam-auth-update(8) which is limited to the profiles in /usr/share/pam-configs/. Since editing files under /usr/share is usually a bad idea, we are stuck with editing multiple files. To make this easier, I have tweaked the instructions to grep for all possible relevant config files.

hackerb9

Here is my approach:

To enable passwordless sudo with the YubiKey, do the following:

  1. Open Terminal.

  2. Insert your U2F Key.

  3. Run: mkdir -p ~/.config/Yubico

  4. Run: pamu2fcfg > ~/.config/Yubico/u2f_keys

  5. When your device begins flashing, touch the metal contact to confirm the association.

  6. Now configure sudo to use the key when available (password otherwise) by editing the following file:

    sudo nano /etc/pam.d/sudo
    

    Add the auth line before the @include

    auth sufficient pam_u2f.so
    @include common-auth
    
  7. To use the YubiKey as a second factor in addition to your password, edit /etc/pam.d/sudo in the following way:

    @include common-auth
    auth       required   pam_u2f.so
    

    where the auth line comes after the @include.

Pablo Bianchi
select

I know that this has been here for a while, but I wanted to chime in to make sure that this is complete, so that if someone else comes along they know how to get it working.

I do want to say that this is awesome. I've been looking for this for a while, came across this a few days ago, and haven't seen a way to do this besides this one. I'm sure that it's out there.

The one thing that I believe was missed is...

pamu2fcfg outputs to the file /etc/u2f_mappings via pamu2fcfg | tee /etc/u2f_mappings under the current user, which in this case is root. If you are attempting to use it for another user besides root it won't work.

The file would need to be updated to reflect the correct username in that case.

sudo nano /etc/u2f_mappings

Change root in the line to the desired username.

So from something like root:xxxxxxx..... to USERNAMEHERE:xxxxxxxx..... or whatever the username is going to be.

OR

Another way, probably a better way, to approach it is to

change pamu2fcfg | tee /etc/u2f_mappings

to

pamu2fcfg -u USERNAME | tee /etc/u2f_mappings

or change it to

pamu2fcfg -u USERNAME >> /etc/u2f_mappings

where USERNAME is the name of the user who is going to be using it. With the >> it creates or appends to the end of the file which allows for multiple users.

I'm going to pull the majority of this over, and a few other items from other pages, and drop it into git so that I don't lose this in the abyss that is the internet. It's not fully set up, but here's the link: https://github.com/vanderblugen/yubico_password_less_ubuntu. If I can tag you in there, shoot me a message and I will do that.

This part took me a while. Each user in the file should be on its own line. If there are multiple keys for a single user, put a : between each of the keys.
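As an added example (not code from any of the answers above), two small sh checks for the two files this thread keeps coming back to: the mapping-file format just described (one user per line, keys separated by ":") and the rule in hackerb9's answer that the pam_u2f line must precede @include common-auth for passwordless login. The function names and the sample file contents are my own constructions, with dummy strings in place of real key material.

```shell
#!/bin/sh
# Added example, not from any answer above: two checks for the files this
# thread edits. File paths are passed in as arguments; the sample contents
# built by demo() are constructed (no real key material).

# Count the keys registered for one user in a pamu2fcfg-style mapping file.
# Format: one "user:key1:key2:..." line per user, keys separated by ':'.
# Prints 0 when the user has no line at all.
u2f_key_count() {
    awk -F: -v u="$2" '
        $1 == u { print NF - 1; found = 1 }
        END     { if (!found) print 0 }' "$1"
}

# Return 0 when a pam.d file lists pam_u2f.so (or "@include common-u2f")
# before "@include common-auth", i.e. the passwordless order. Commented-out
# lines are ignored. Returns 1 when the key line comes after common-auth
# (the 2FA order, where the password is always asked first) or when either
# line is missing.
u2f_before_password() {
    awk '
        /^[[:space:]]*#/ { next }
        /pam_u2f\.so|@include common-u2f/ && !seen_auth { seen_u2f = 1 }
        /@include common-auth/ { seen_auth = 1 }
        END { exit !(seen_u2f && seen_auth) }' "$1"
}

# Stand-alone demonstration on constructed files (dummy key strings).
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'alice:AAAA,BBBB:CCCC,DDDD' 'bob:EEEE,FFFF' > "$d/u2f_mappings"
    printf '%s\n' 'auth sufficient pam_u2f.so authfile=/etc/u2f_mappings cue' \
                  '@include common-auth' > "$d/sudo.passwordless"
    printf '%s\n' '@include common-auth' 'auth required pam_u2f.so' > "$d/sudo.2fa"
    echo "alice has $(u2f_key_count "$d/u2f_mappings" alice) key(s)"
    u2f_before_password "$d/sudo.passwordless" && echo "passwordless order OK"
    u2f_before_password "$d/sudo.2fa" || echo "sudo.2fa asks for the password first"
    rm -rf "$d"
}

demo
```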


In addition to hackerb9's answer, in order to make passwordless login work with an encrypted home, edit the file common-password and comment out the line:

password    required            pam_permit.so

and add the following just under that commented-out line:

auth required  pam_u2f.so authfile={your_u2f_file} cue

Warning!!! While this will allow you to log in with just a key and no password, you won't be able to log in using a password without a key.

I was trying to make pam_u2f.so optional and tried a few combinations; maybe someone can help. Basically the idea is that when the key is present, log in with the key only, without a password, but if your key is not present, ask for a password.

Update: I think it somehow cached the password I entered the first time, and then didn't need it, but if I do it after a reboot without the GUI, the message is

login$: myuser
Please touch the device. #touching now and the response below
Signature not found in user keyring. Perhaps try interactive 'ecryptfs-mount-private'. To run a command as administrator (user "root"), use "sudo <command>".

Any guru who would know how to make a truly passwordless login when the home folder is encrypted?

Sorry I'm asking a question in an answer, but I want to stick to the overall thread.

Pablo Bianchi